使用 mbedtls 生成的 RSA 签名,无法使用 C# (bouncycastle) 应用程序进行验证
Posted
技术标签:
【中文标题】使用 mbedtls 生成的 RSA 签名,无法使用 C# (bouncycastle) 应用程序进行验证【英文标题】:RSA signature generated with mbedtls, can't verify with C# (bouncycastle) application 【发布时间】:2021-05-14 23:26:13 【问题描述】:我正在使用 mbedtls 使用 RSA 签署一个 32 字节的质询。
C 代码的相关行如下所示;我正在使用私钥为 32 字节的“挑战”数组在“签名”中创建签名:
mbedtls_rsa_context rsa;
mbedtls_rsa_init(&rsa, MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256);
mbedtls_rsa_rsassa_pss_sign(&rsa, f_rng, &prng, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA256, 32, challenge, signature)
这行得通,我可以用 mbedtls 验证签名。 'rsa' 是另一个实例,这个使用公钥:
mbedtls_rsa_rsassa_pss_verify(&rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256, sizeof(challenge), challenge, signature);
到目前为止,一切都很好。我无法开始工作是在 C# 应用程序中验证此签名。我从 RSACryptoServiceProvider 类开始,无法让它工作。最终发现了bouncycastle的东西。看起来比 RSACryptoServiceProvider 更好,但我也无法让它工作。
我正在加载 mbedtls 内容中使用的公钥、质询和签名。
RsaKeyParameters key = new RsaKeyParameters(false, new Org.BouncyCastle.Math.BigInteger(Nstring, 16), new Org.BouncyCastle.Math.BigInteger(Estring, 16));
ISigner sig = SignerUtilities.GetSigner("SHA256WITHRSA/PSS");
sig.Init(false, key);
sig.BlockUpdate(challenge, 0, challenge.Length);
Console.WriteLine("result: " + sig.VerifySignature(signature));
验证签名失败(“结果:假”).... :(
我认为我的数据格式正确。这是C端的公钥指数和模数:
unsigned char E[] = 0x01,0x00,0x01 ;
unsigned char N[] = 0xC2,0x7E,0xC0,0xCD,0x1B,0xEA,0xE1,0x2E,0x5F,0x15,0xE3,0x9A,0xA3,0x5C,0xF2,0x0A,0xB5,0xAE,0x7F,0x22,0xE0,0x8A,0xA8,0xA7,0x44,0x8E,0xDD,0x1F,0x3C,0xDD,0xDA,0xE5,0xBB,0x23,0x8F,0xF2,0xED,0xFA,0xDF,0xC4,0x95,0x72,0x67,0x00,0x49,0xCF,0xCD,0xE7,0x35,0x56,0x49,0xE7,0x16,0xCC,0x5A,0x9A,0x37,0xFA,0x0C,0x6B,0x79,0xA5,0x5B,0x5A,0x4C,0x1F,0x48,0xE7,0x62,0x59,0xFD,0x60,0x4A,0xCC,0xFF,0xB6,0x62,0xD2,0xEB,0x41,0xF3,0xB1,0xDA,0x2F,0x61,0x55,0x68,0xD1,0x77,0x7C,0x16,0xCA,0x62,0x2F,0xF9,0x6D,0x03,0xED,0xCF,0x89,0x9D,0x1E,0x5B,0xA8,0x4D,0x90,0xDF,0x80,0x1B,0x75,0xE0,0x6D,0xAA,0x0D,0x8A,0xCC,0xA1,0x5B,0xE5,0xD8,0xA0,0x97,0xFF,0x75,0x4B,0xDA,0x39,0x7D ;
这就是我在 C# 端使用它们的方式:
Estring = "010001";
Nstring = "C27EC0CD1BEAE12E5F15E39AA35CF20AB5AE7F22E08AA8A7448EDD1F3CDDDAE5BB238FF2EDFADFC49572670049CFCDE7355649E716CC5A9A37FA0C6B79A55B5A4C1F48E76259FD604ACCFFB662D2EB41F3B1DA2F615568D1777C16CA622FF96D03EDCF899D1E5BA84D90DF801B75E06DAA0D8ACCA15BE5D8A097FF754BDA397D";
'challenge' 和 'signature' 两边都是 8 位(无符号字符/字节)数组,包含相同的数据。
--编辑(添加一些实际的挑战/签名值)--
unsigned char challenge[32] =
0x1E,0x36,0x44,0x82,0x2A,0x60,0x79,0xDE,0x7D,0x49,0x92,0xAA,0x5E,0x25,0xB5,0x80,0x6D,0x95,0x7E,0xE9,0x3A,0x30,0x9B,0x7F,0x82,0x4B,0xB0,0x26,0x3D,0x00,0x0C,0x2E
;
unsigned char signature[128] =
0xA7,0x64,0x07,0xD0,0x06,0x35,0x0E,0x3F,0x6C,0xFB,0xA1,0xB8,0xDC,0xC5,0x68,0x97,0x65,0xD5,0x7A,0x74,0xFC,0x96,0x01,0x53,0xE0,0x16,0xBC,0xCA,0x59,0x40,0x37,0xC8,0xC9,0x89,0xC2,0x84,0x2A,0xC6,0x51,0xCD,0xDA,0x29,0x65,0xBF,0x39,0x68,0x1E,0x3A,0x0E,0x4E,0x81,0x2E,0xBC,0x08,0x41,0x6A,0xC8,0x95,0xD1,0x43,0x35,0x7C,0x14,0xF6,0x2D,0xE8,0xDA,0x94,0x6C,0x80,0x9D,0x86,0x19,0x4B,0x16,0xD3,0x17,0xAB,0x0E,0x7F,0xE8,0x5F,0xC9,0xB5,0xCC,0x9B,0x96,0xE6,0xAB,0xB6,0x7B,0x11,0x5B,0xC8,0x01,0xD7,0x16,0x50,0xD3,0xF8,0xB4,0xF5,0xCB,0xC2,0xC4,0x70,0xCD,0x84,0x50,0xD0,0x7F,0xA9,0xC3,0x8F,0xE1,0x6B,0x54,0xF4,0x32,0xB8,0x6E,0xCD,0xD2,0xCF,0x78,0x98,0x69,0x7F
;
我在这里错过了什么?
--edit(添加一些可复制/粘贴的代码)--
mbedtls/c++ 项目,工作(输出“验证成功”)
#include <stdio.h>
#include "mbedtls/config.h"
#include "mbedtls/platform.h"
#include "mbedtls/error.h"
#include "mbedtls/rsa.h"
#include "mbedtls/error.h"
#include "mbedtls/bignum.h"
int main(int argc, char* argv[])
int ret;
char errbuf[100];
mbedtls_rsa_context ctx;
/* Key */
unsigned char E[] = 0x01,0x00,0x01 ;
unsigned char N[] = 0xC2,0x7E,0xC0,0xCD,0x1B,0xEA,0xE1,0x2E,0x5F,0x15,0xE3,0x9A,0xA3,0x5C,0xF2,0x0A,0xB5,0xAE,0x7F,0x22,0xE0,0x8A,0xA8,0xA7,0x44,0x8E,0xDD,0x1F,0x3C,0xDD,0xDA,0xE5,0xBB,0x23,0x8F,0xF2,0xED,0xFA,0xDF,0xC4,0x95,0x72,0x67,0x00,0x49,0xCF,0xCD,0xE7,0x35,0x56,0x49,0xE7,0x16,0xCC,0x5A,0x9A,0x37,0xFA,0x0C,0x6B,0x79,0xA5,0x5B,0x5A,0x4C,0x1F,0x48,0xE7,0x62,0x59,0xFD,0x60,0x4A,0xCC,0xFF,0xB6,0x62,0xD2,0xEB,0x41,0xF3,0xB1,0xDA,0x2F,0x61,0x55,0x68,0xD1,0x77,0x7C,0x16,0xCA,0x62,0x2F,0xF9,0x6D,0x03,0xED,0xCF,0x89,0x9D,0x1E,0x5B,0xA8,0x4D,0x90,0xDF,0x80,0x1B,0x75,0xE0,0x6D,0xAA,0x0D,0x8A,0xCC,0xA1,0x5B,0xE5,0xD8,0xA0,0x97,0xFF,0x75,0x4B,0xDA,0x39,0x7D ;
/* Challenge */
unsigned char challenge[] =
0x1E,0x36,0x44,0x82,0x2A,0x60,0x79,0xDE,0x7D,0x49,0x92,0xAA,0x5E,0x25,0xB5,0x80,0x6D,0x95,0x7E,0xE9,0x3A,0x30,0x9B,0x7F,0x82,0x4B,0xB0,0x26,0x3D,0x00,0x0C,0x2E
;
/* Response */
unsigned char responseGiven[] =
0xA7,0x64,0x07,0xD0,0x06,0x35,0x0E,0x3F,0x6C,0xFB,0xA1,0xB8,0xDC,0xC5,0x68,0x97,0x65,0xD5,0x7A,0x74,0xFC,0x96,0x01,0x53,0xE0,0x16,0xBC,0xCA,0x59,0x40,0x37,0xC8,0xC9,0x89,0xC2,0x84,0x2A,0xC6,0x51,0xCD,0xDA,0x29,0x65,0xBF,0x39,0x68,0x1E,0x3A,0x0E,0x4E,0x81,0x2E,0xBC,0x08,0x41,0x6A,0xC8,0x95,0xD1,0x43,0x35,0x7C,0x14,0xF6,0x2D,0xE8,0xDA,0x94,0x6C,0x80,0x9D,0x86,0x19,0x4B,0x16,0xD3,0x17,0xAB,0x0E,0x7F,0xE8,0x5F,0xC9,0xB5,0xCC,0x9B,0x96,0xE6,0xAB,0xB6,0x7B,0x11,0x5B,0xC8,0x01,0xD7,0x16,0x50,0xD3,0xF8,0xB4,0xF5,0xCB,0xC2,0xC4,0x70,0xCD,0x84,0x50,0xD0,0x7F,0xA9,0xC3,0x8F,0xE1,0x6B,0x54,0xF4,0x32,0xB8,0x6E,0xCD,0xD2,0xCF,0x78,0x98,0x69,0x7F
;
mbedtls_rsa_init(&ctx, MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256);
/* Load public key */
if ((ret = mbedtls_rsa_import_raw(&ctx, N, sizeof(N), NULL, 0, NULL, 0, NULL, 0, E, sizeof(E))) != 0)
mbedtls_strerror(ret, errbuf, sizeof(errbuf));
mbedtls_printf("mbedtls_rsa_import_raw failed, returned %d, %s\n\n", ret, errbuf);
return 0;
if ((ret = mbedtls_rsa_complete(&ctx)) != 0)
mbedtls_strerror(ret, errbuf, sizeof(errbuf));
mbedtls_printf("mbedtls_rsa_complete failed, returned %d, %s\n\n", ret, errbuf);
return 0;
/* Verify response */
if ((ret = mbedtls_rsa_rsassa_pss_verify(&ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256, 32, challenge, responseGiven)))
mbedtls_strerror(ret, errbuf, sizeof(errbuf));
mbedtls_printf("mbedtls_rsa_rsassa_pss_verify failed, returned %d - %s\n\n", ret, errbuf);
return 0;
else
mbedtls_printf("Verification success\n");
getchar();
return 1;
Bouncycastle/C# 项目,失败(输出“VerifySignature failed”)
using System;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto.Signers;
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Digests;
namespace cryptotest
class Program
static void Main(string[] args)
/* Key */
byte[] E = new byte[] 0x01, 0x00, 0x01 ;
byte[] N = new byte[] 0xC2, 0x7E, 0xC0, 0xCD, 0x1B, 0xEA, 0xE1, 0x2E, 0x5F, 0x15, 0xE3, 0x9A, 0xA3, 0x5C, 0xF2, 0x0A, 0xB5, 0xAE, 0x7F, 0x22, 0xE0, 0x8A, 0xA8, 0xA7, 0x44, 0x8E, 0xDD, 0x1F, 0x3C, 0xDD, 0xDA, 0xE5, 0xBB, 0x23, 0x8F, 0xF2, 0xED, 0xFA, 0xDF, 0xC4, 0x95, 0x72, 0x67, 0x00, 0x49, 0xCF, 0xCD, 0xE7, 0x35, 0x56, 0x49, 0xE7, 0x16, 0xCC, 0x5A, 0x9A, 0x37, 0xFA, 0x0C, 0x6B, 0x79, 0xA5, 0x5B, 0x5A, 0x4C, 0x1F, 0x48, 0xE7, 0x62, 0x59, 0xFD, 0x60, 0x4A, 0xCC, 0xFF, 0xB6, 0x62, 0xD2, 0xEB, 0x41, 0xF3, 0xB1, 0xDA, 0x2F, 0x61, 0x55, 0x68, 0xD1, 0x77, 0x7C, 0x16, 0xCA, 0x62, 0x2F, 0xF9, 0x6D, 0x03, 0xED, 0xCF, 0x89, 0x9D, 0x1E, 0x5B, 0xA8, 0x4D, 0x90, 0xDF, 0x80, 0x1B, 0x75, 0xE0, 0x6D, 0xAA, 0x0D, 0x8A, 0xCC, 0xA1, 0x5B, 0xE5, 0xD8, 0xA0, 0x97, 0xFF, 0x75, 0x4B, 0xDA, 0x39, 0x7D ;
/* Challenge */
byte[] challenge = new byte[]
0x1E,0x36,0x44,0x82,0x2A,0x60,0x79,0xDE,0x7D,0x49,0x92,0xAA,0x5E,0x25,0xB5,0x80,0x6D,0x95,0x7E,0xE9,0x3A,0x30,0x9B,0x7F,0x82,0x4B,0xB0,0x26,0x3D,0x00,0x0C,0x2E
;
/* Response */
byte[] responseGiven = new byte[]
0xA7,0x64,0x07,0xD0,0x06,0x35,0x0E,0x3F,0x6C,0xFB,0xA1,0xB8,0xDC,0xC5,0x68,0x97,0x65,0xD5,0x7A,0x74,0xFC,0x96,0x01,0x53,0xE0,0x16,0xBC,0xCA,0x59,0x40,0x37,0xC8,0xC9,0x89,0xC2,0x84,0x2A,0xC6,0x51,0xCD,0xDA,0x29,0x65,0xBF,0x39,0x68,0x1E,0x3A,0x0E,0x4E,0x81,0x2E,0xBC,0x08,0x41,0x6A,0xC8,0x95,0xD1,0x43,0x35,0x7C,0x14,0xF6,0x2D,0xE8,0xDA,0x94,0x6C,0x80,0x9D,0x86,0x19,0x4B,0x16,0xD3,0x17,0xAB,0x0E,0x7F,0xE8,0x5F,0xC9,0xB5,0xCC,0x9B,0x96,0xE6,0xAB,0xB6,0x7B,0x11,0x5B,0xC8,0x01,0xD7,0x16,0x50,0xD3,0xF8,0xB4,0xF5,0xCB,0xC2,0xC4,0x70,0xCD,0x84,0x50,0xD0,0x7F,0xA9,0xC3,0x8F,0xE1,0x6B,0x54,0xF4,0x32,0xB8,0x6E,0xCD,0xD2,0xCF,0x78,0x98,0x69,0x7F
;
/* Load public key. Modulus(N), exponent (E) */
string Nstring = "";
for (int i = 0; i < N.Length; i++)
Nstring += N[i].ToString("X2");
string Estring = "";
for (int i = 0; i < E.Length; i++)
Estring += E[i].ToString("X2");
RsaKeyParameters key = new RsaKeyParameters(false, new Org.BouncyCastle.Math.BigInteger(Nstring, 16), new Org.BouncyCastle.Math.BigInteger(Estring, 16));
PssSigner pss = new PssSigner(new RsaEngine(), new Sha256Digest(), 32, 0xBC);
pss.Init(false, key);
/* Verify response */
pss.BlockUpdate(challenge, 0, challenge.Length);
if(pss.VerifySignature(responseGiven) == false)
Console.WriteLine("VerifySignature failed");
else
Console.WriteLine("Verification success of given response");
Console.ReadKey();
【问题讨论】:
也许有人可以从发布的信息中找出问题所在。否则,您应该发布完整的 C 和 C# 代码,包括测试数据和密钥,以便可以通过复制/粘贴重现问题,请参阅 MCVE。 您似乎使用的是 1024 位 RSA 密钥,因此签名也应该是 1024 位,即 128 字节。 糟糕,我的帖子出错了;我的意思是 8 位数组,而不是 8 字节数组。更正后,我添加了一个挑战和响应数组,这些值与给定的 E 和 N 一致。签名确实是 128 字节。我正在做一个最小的例子,但这需要一些时间(改变优先级......:() 刚刚添加了一个最小的 C++/mbedtls(工作)和 C#/BouncyCastle(问题)代码列表。两者都使用相同的数据集 【参考方案1】:C/C++ 代码在验证时需要消息的散列,因此在验证之前不散列。另一方面,C# 代码在验证时需要消息本身,并在验证自身之前执行散列。
因此,如果将消息的散列而不是消息传递给 C# 代码,则使用单个散列消息的签名验证双散列消息,这将失败。
如果C#代码模拟C/C++代码验证前不进行哈希处理,问题就可以解决。为此,例如在 .NET Core 下,可以使用 RSACng#VerifyHash() 执行验证,与 RSACng#VerifyData() 相比,它需要类似于 C/C++ 代码的消息哈希。
一个可能的实现是:
using System;
using System.Security.Cryptography;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Security;
...
/* Key */
byte[] E = new byte[] 0x01, 0x00, 0x01 ;
byte[] N = new byte[] 0xC2, 0x7E, 0xC0, 0xCD, 0x1B, 0xEA, 0xE1, 0x2E, 0x5F, 0x15, 0xE3, 0x9A, 0xA3, 0x5C, 0xF2, 0x0A, 0xB5, 0xAE, 0x7F, 0x22, 0xE0, 0x8A, 0xA8, 0xA7, 0x44, 0x8E, 0xDD, 0x1F, 0x3C, 0xDD, 0xDA, 0xE5, 0xBB, 0x23, 0x8F, 0xF2, 0xED, 0xFA, 0xDF, 0xC4, 0x95, 0x72, 0x67, 0x00, 0x49, 0xCF, 0xCD, 0xE7, 0x35, 0x56, 0x49, 0xE7, 0x16, 0xCC, 0x5A, 0x9A, 0x37, 0xFA, 0x0C, 0x6B, 0x79, 0xA5, 0x5B, 0x5A, 0x4C, 0x1F, 0x48, 0xE7, 0x62, 0x59, 0xFD, 0x60, 0x4A, 0xCC, 0xFF, 0xB6, 0x62, 0xD2, 0xEB, 0x41, 0xF3, 0xB1, 0xDA, 0x2F, 0x61, 0x55, 0x68, 0xD1, 0x77, 0x7C, 0x16, 0xCA, 0x62, 0x2F, 0xF9, 0x6D, 0x03, 0xED, 0xCF, 0x89, 0x9D, 0x1E, 0x5B, 0xA8, 0x4D, 0x90, 0xDF, 0x80, 0x1B, 0x75, 0xE0, 0x6D, 0xAA, 0x0D, 0x8A, 0xCC, 0xA1, 0x5B, 0xE5, 0xD8, 0xA0, 0x97, 0xFF, 0x75, 0x4B, 0xDA, 0x39, 0x7D ;
/* Challenge */
byte[] challenge = new byte[]
0x1E,0x36,0x44,0x82,0x2A,0x60,0x79,0xDE,0x7D,0x49,0x92,0xAA,0x5E,0x25,0xB5,0x80,0x6D,0x95,0x7E,0xE9,0x3A,0x30,0x9B,0x7F,0x82,0x4B,0xB0,0x26,0x3D,0x00,0x0C,0x2E
;
/* Response */
byte[] responseGiven = new byte[]
0xA7,0x64,0x07,0xD0,0x06,0x35,0x0E,0x3F,0x6C,0xFB,0xA1,0xB8,0xDC,0xC5,0x68,0x97,0x65,0xD5,0x7A,0x74,0xFC,0x96,0x01,0x53,0xE0,0x16,0xBC,0xCA,0x59,0x40,0x37,0xC8,0xC9,0x89,0xC2,0x84,0x2A,0xC6,0x51,0xCD,0xDA,0x29,0x65,0xBF,0x39,0x68,0x1E,0x3A,0x0E,0x4E,0x81,0x2E,0xBC,0x08,0x41,0x6A,0xC8,0x95,0xD1,0x43,0x35,0x7C,0x14,0xF6,0x2D,0xE8,0xDA,0x94,0x6C,0x80,0x9D,0x86,0x19,0x4B,0x16,0xD3,0x17,0xAB,0x0E,0x7F,0xE8,0x5F,0xC9,0xB5,0xCC,0x9B,0x96,0xE6,0xAB,0xB6,0x7B,0x11,0x5B,0xC8,0x01,0xD7,0x16,0x50,0xD3,0xF8,0xB4,0xF5,0xCB,0xC2,0xC4,0x70,0xCD,0x84,0x50,0xD0,0x7F,0xA9,0xC3,0x8F,0xE1,0x6B,0x54,0xF4,0x32,0xB8,0x6E,0xCD,0xD2,0xCF,0x78,0x98,0x69,0x7F
;
/* Load public key. Modulus(N), exponent (E) */
string Nstring = "";
for (int i = 0; i < N.Length; i++)
Nstring += N[i].ToString("X2");
string Estring = "";
for (int i = 0; i < E.Length; i++)
Estring += E[i].ToString("X2");
RsaKeyParameters key = new RsaKeyParameters(false, new Org.BouncyCastle.Math.BigInteger(Nstring, 16), new Org.BouncyCastle.Math.BigInteger(Estring, 16));
/*
PssSigner pss = new PssSigner(new RsaEngine(), new Sha256Digest(), 32, 0xBC);
pss.Init(false, key);
// Verify response
pss.BlockUpdate(challenge, 0, challenge.Length);
if (pss.VerifySignature(responseGiven) == false)
Console.WriteLine("VerifySignature failed");
else
Console.WriteLine("Verification success of given response");
Console.ReadKey();
*/
RSA rsa = new RSACng();
RSAParameters rsaParams = DotNetUtilities.ToRSAParameters((RsaKeyParameters)key);
rsa.ImportParameters(rsaParams);
bool verified = rsa.VerifyHash(challenge, responseGiven, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
Console.WriteLine("Verified: " + verified); // Verified: True
Console.ReadKey();
使用此代码验证成功。
或者,在原始 C# 代码中,可以传递消息本身而不是散列。
【讨论】:
是的,这行得通!现在看起来很明显,不知道我是怎么错过这个的。我迷失在加密 api 的问题中 :) 无论如何,非常感谢!以上是关于使用 mbedtls 生成的 RSA 签名,无法使用 C# (bouncycastle) 应用程序进行验证的主要内容,如果未能解决你的问题,请参考以下文章
为啥我使用 OpenSSL 和 Java 生成的 RSA-SHA256 签名不同?