在開放平臺領域,須要給isv提供sdk,簽名是Sdk中須要提供的功能之一。因爲isv使用的開發語言不是單一的,所以sdk須要提供多種語言的版本。譬如java、php、c#。另外,在電子商務尤爲是支付領域,對安全性的要求比較高,因此會採用非對稱密鑰RSAphp
本文主要介紹如何基於java、php、c#在客戶端使用rsa簽名,而後在服務端使用Java驗籤。html
- 基於openssl生成RSA公私鑰對
java/php/c#版rsa簽名以及java驗籤實現--轉
b)生成私鑰java
進入到openssl的bin目錄下,執行如下命令:web
openssl genrsa -out rsa_private_key.pem 1024c#
會在bin目錄下看到新生成的私鑰文件rsa_private_key.pem,文件內容以下:安全
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDtd1lKsX6ylsAEWFi7E/ut8krJy9PQ7sGYKhIm9TvIdZiq5xzy
aw8NOLzKZ1k486MePYG4tSuoaxSbwuPLwVUzYFvnUZo7aWCIGKn16UWTM4nxc/+d
wce+bhcKrlLbTWi8l580LTE7GxclTh8z7gHq59ivhaoGbK7FNxlUfB4TSQIDAQAB
AoGBAIgTk0x1J+hI8KHMypPxoJCOPoMi1S9uEewTd7FxaB+4G5Mbuv/Dj62A7NaD
oKI9IyUqE9L3ppvtOLMFXCofkKU0p4j7MEJdZ+CjVvgextkWa80nj/UZiM1oOL6Y
HwH4ZtPtY+pFCTK1rdn3+070qBB9tnVntbN/jq0Ld7f0t7UNAkEA9ryI0kxJL9Pu
pO9NEeWuCUo4xcl9x/M9+mtkfY3VoDDDV1E/eUjmoTfANYwrjcddiQrO0MLyEdoo
tiLpN77qOwJBAPZhtv/+pqMVTrLxWnVKLZ4ZVTPPgJQQkFdhWwYlz7oKzB3VbQRt
/jLFXUyCN2eCP7rglrXnaz7AYBftF0ajHEsCQQDDNfkeQULqN0gpcDdOwKRIL1Pp
kHgWmWlg1lTETVJGEi6Kx/prL/VgeiZ1dzgCTUjAoy9r1cEFxM/PAqH3+/F/AkEA
zsTCp6Q2hLblDRewKq7OCdiIwKpr5dbgy/RQR6CD7EYTdxYeH5GPu1wXKJY/mQae
JV9GG/LS9h7MhkfbONS6cQJAdBEb5vloBDLcSQFDQO/VZ9SKFHCmHLXluhhIizYK
Gzgf3OXEGNDSAC3qy+ZTnLd3N5iYrVbK52UoiLOLhhNMqA==
-----END RSA PRIVATE KEY-----
c)生成公鑰ide
在bin目錄下,執行如下命令:工具
openssl rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pem編碼
會在bin目錄下看到新生成的公鑰文件rsa_public_key.pem,文件內容以下:spa
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDtd1lKsX6ylsAEWFi7E/ut8krJ
y9PQ7sGYKhIm9TvIdZiq5xzyaw8NOLzKZ1k486MePYG4tSuoaxSbwuPLwVUzYFvn
UZo7aWCIGKn16UWTM4nxc/+dwce+bhcKrlLbTWi8l580LTE7GxclTh8z7gHq59iv
haoGbK7FNxlUfB4TSQIDAQAB
-----END PUBLIC KEY-----
2. 客戶端簽名
2.1 java版簽名實現
/** * rsa簽名 * * @param content * 待簽名的字符串 * @param privateKey * rsa私鑰字符串 * @param charset * 字符編碼 * @return 簽名結果 * @throws Exception * 簽名失敗則拋出異常 */ public String rsaSign(String content, String privateKey, String charset) throws SignatureException { try { PrivateKey priKey = getPrivateKeyFromPKCS8("RSA", new ByteArrayInputStream(privateKey.getBytes())); Signature signature = Signature.getInstance("SHA1WithRSA"); signature.initSign(priKey); if (StringUtils.isEmpty(charset)) { signature.update(content.getBytes()); } else { signature.update(content.getBytes(charset)); } byte[] signed = signature.sign(); return new String(Base64.encodeBase64(signed)); } catch (Exception e) { throw new SignatureException("RSAcontent = " + content + "; charset = " + charset, e); } } public PrivateKey getPrivateKeyFromPKCS8(String algorithm, InputStream ins) throws Exception { if (ins == null || StringUtils.isEmpty(algorithm)) { return null; } KeyFactory keyFactory = KeyFactory.getInstance(algorithm); byte[] encodedKey = StreamUtil.readText(ins).getBytes(); encodedKey = Base64.decodeBase64(encodedKey); return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(encodedKey)); }
注意:參數privateKey是Pem私鑰文件中去除頭(-----BEGIN RSA PRIVATE KEY-----)和尾(-----END RSA PRIVATE KEY-----)以及換行符後的字符串。
若是簽名報如下錯誤:
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : algid parse error, not a sequence
則說明rsa私鑰的格式不是pksc8格式,須要使用如下命令轉換一下:
openssl pkcs8 -topk8 -inform PEM -in rsa_private_key.pem -outform PEM -nocrypt
而後再提取去除頭和尾以及換行符後字符串做爲java版用的rsa私鑰。
2.2 php簽名實現
function sign($content, $rsaPrivateKeyPem) { $priKey = file_get_contents($rsaPrivateKeyPem); $res = openssl_get_privatekey($priKey); openssl_sign($content, $sign, $res); openssl_free_key($res); $sign = base64_encode($sign); return $sign; }
注意:$rsaPrivateKeyPem爲pem私鑰文件路徑
2.3 c#簽名實現(引用了國外某位仁兄的方案)
using System; using System.Text; using System.Security.Cryptography; using System.Web; using System.IO; namespace Aop.Api.Util { /// <summary> /// RSA簽名工具類。 /// </summary> public class RSAUtil { public static string RSASign(string data, string privateKeyPem) { RSACryptoServiceProvider rsaCsp = LoadCertificateFile(privateKeyPem); byte[] dataBytes = Encoding.UTF8.GetBytes(data); byte[] signatureBytes = rsaCsp.SignData(dataBytes, "SHA1"); return Convert.ToBase64String(signatureBytes); } private static byte[] GetPem(string type, byte[] data) { string pem = Encoding.UTF8.GetString(data); string header = String.Format("-----BEGIN {0}-----\\n", type); string footer = String.Format("-----END {0}-----", type); int start = pem.IndexOf(header) + header.Length; int end = pem.IndexOf(footer, start); string base64 = pem.Substring(start, (end - start)); return Convert.FromBase64String(base64); } private static RSACryptoServiceProvider LoadCertificateFile(string filename) { using (System.IO.FileStream fs = System.IO.File.OpenRead(filename)) { byte[] data = new byte[fs.Length]; byte[] res = null; fs.Read(data, 0, data.Length); if (data[0] != 0x30) { res = GetPem("RSA PRIVATE KEY", data); } try { RSACryptoServiceProvider rsa = DecodeRSAPrivateKey(res); return rsa; } catch (Exception ex) { } return null; } } private static RSACryptoServiceProvider DecodeRSAPrivateKey(byte[] privkey) { byte[] MODULUS, E, D, P, Q, DP, DQ, IQ; // --------- Set up stream to decode the asn.1 encoded RSA private key ------ MemoryStream mem = new MemoryStream(privkey); BinaryReader binr = new BinaryReader(mem); //wrap Memory Stream with BinaryReader for easy reading byte bt = 0; ushort twobytes = 0; int elems = 0; try { twobytes = binr.ReadUInt16(); if (twobytes == 0x8130) //data read as little endian order (actual data order for Sequence is 30 81) binr.ReadByte(); //advance 1 byte else if (twobytes == 0x8230) binr.ReadInt16(); //advance 2 bytes else return null; twobytes = binr.ReadUInt16(); if (twobytes != 0x0102) //version number return null; bt = binr.ReadByte(); if (bt != 0x00) return null; //------ all private key components are Integer sequences ---- elems = GetIntegerSize(binr); MODULUS = binr.ReadBytes(elems); elems = GetIntegerSize(binr); E = binr.ReadBytes(elems); elems = GetIntegerSize(binr); D = binr.ReadBytes(elems); elems = GetIntegerSize(binr); P = binr.ReadBytes(elems); elems = GetIntegerSize(binr); Q = binr.ReadBytes(elems); elems = GetIntegerSize(binr); DP = binr.ReadBytes(elems); elems = GetIntegerSize(binr); DQ = binr.ReadBytes(elems); elems = GetIntegerSize(binr); IQ = binr.ReadBytes(elems); // ------- create RSACryptoServiceProvider instance and initialize with public key ----- CspParameters CspParameters = new CspParameters(); CspParameters.Flags = CspProviderFlags.UseMachineKeyStore; RSACryptoServiceProvider RSA = new RSACryptoServiceProvider(1024, CspParameters); RSAParameters RSAparams = new RSAParameters(); RSAparams.Modulus = MODULUS; RSAparams.Exponent = E; RSAparams.D = D; RSAparams.P = P; RSAparams.Q = Q; RSAparams.DP = DP; RSAparams.DQ = DQ; RSAparams.InverseQ = IQ; RSA.ImportParameters(RSAparams); return RSA; } catch (Exception ex) { return null; } finally { binr.Close(); } } private static int GetIntegerSize(BinaryReader binr) { byte bt = 0; byte lowbyte = 0x00; byte highbyte = 0x00; int count = 0; bt = binr.ReadByte(); if (bt != 0x02) //expect integer return 0; bt = binr.ReadByte(); if (bt == 0x81) count = binr.ReadByte(); // data size in next byte else if (bt == 0x82) { highbyte = binr.ReadByte(); // data size in next 2 bytes lowbyte = binr.ReadByte(); byte[] modint = { lowbyte, highbyte, 0x00, 0x00 }; count = BitConverter.ToInt32(modint, 0); } else { count = bt; // we already have the data size } while (binr.ReadByte() == 0x00) { //remove high order zeros in data count -= 1; } binr.BaseStream.Seek(-1, SeekOrigin.Current); //last ReadByte wasn't a removed zero, so back up a byte return count; } } }
注:privateKeyPem爲私鑰文件路徑
3. 服務端java驗籤
/** * rsa驗籤 * * @param content 被簽名的內容 * @param sign 簽名後的結果 * @param publicKey rsa公鑰 * @param charset 字符集 * @return 驗簽結果 * @throws SignatureException 驗籤失敗,則拋異常 */ boolean doCheck(String content, String sign, String publicKey, String charset) throws SignatureException { try { PublicKey pubKey = getPublicKeyFromX509("RSA", new ByteArrayInputStream(publicKey.getBytes())); Signature signature = Signature.getInstance("SHA1WithRSA"); signature.initVerify(pubKey); signature.update(getContentBytes(content, charset)); return signature.verify(Base64.decodeBase64(sign.getBytes())); } catch (Exception e) { throw new SignatureException("RSA驗證簽名[content = " + content + "; charset = " + charset + "; signature = " + sign + "]發生異常!", e); } } private PublicKey getPublicKeyFromX509(String algorithm, InputStream ins) throws NoSuchAlgorithmException { try { KeyFactory keyFactory = KeyFactory.getInstance(algorithm); StringWriter writer = new StringWriter(); StreamUtil.io(new InputStreamReader(ins), writer); byte[] encodedKey = writer.toString().getBytes(); // 先base64解碼 encodedKey = Base64.decodeBase64(encodedKey); return keyFactory.generatePublic(new X509EncodedKeySpec(encodedKey)); } catch (IOException ex) { // 不可能發生 } catch (InvalidKeySpecException ex) { // 不可能發生 } return null; } private byte[] getContentBytes(String content, String charset) throws UnsupportedEncodingException { if (StringUtil.isEmpty(charset)) { return content.getBytes(); } return content.getBytes(charset); }
注意:參數publicKey是Pem公鑰文件中去除頭(-----BEGIN RSA PRIVATE KEY-----)和尾(-----END RSA PRIVATE KEY-----)以及換行符後的字符串。
原文地址:http://xw-z1985.iteye.com/blog/1837376
相關文章
- 1. java rsa 簽名,驗籤
- 2. JAVA RSA 私鑰簽名 公鑰驗證簽名 公鑰驗籤
- 3. Java RSA 加密 解密 簽名 驗籤
- 4. Java RSA (SHA1withRSA)簽名和驗籤
- 5. java RSA驗籤
- 6. C++代碼實現rsa簽名校驗
- 7. C/C#實現RSA簽名
- 8. 數字簽名的java實現(RSA,DSA)
- 9. RSA/RSA2 進行簽名和驗籤
- 10. php rsa 加密、解密、簽名、驗籤
- 更多相關文章...
- • MySQL的版本以及版本號 - MySQL教程
- • MyBatis if標籤 - MyBatis教程
- • ☆基於Java Instrument的Agent實現
- • Spring Cloud 微服務實戰(三) - 服務註冊與發現
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
