当我只有原始签名（R，S）和原始公钥点（Qx，Qy）时，ECDSA如何验证Java中的数据块

Posted 2023-03-09

【中文标题】当我只有原始签名（R，S）和原始公钥点（Qx，Qy）时，ECDSA如何验证Java中的数据块

【英文标题】：How do I ECDSA verify a block of data in Java when I only have the raw signature (R, S) and raw public key point (Qx, Qy)

【发布时间】：2021-03-31 22:08:23

【问题描述】：

我有一个字节数组消息以及签名的四个 32 字节原始组件：Qx、Qy、R 和 S。如何将这些格式化/编码为 ECPublicKey 和签名 byte[] Signature::verify 函数期望的？签名是使用 SHA-256 ECDSA 创建的。

【参考方案1】：

该解决方案需要结合其他两个答案（并在 Java 中实现）：

How does one convert a public EC code point and curve name into a PublicKey ECDSA Signature R|S to ASN1 DER Encoding question

创建公钥涉及生成一个虚拟密钥对并使用其ECParameterSpec，然后替换您的原始公钥点 [Qx, Qy]。还必须从原始字节创建 BigInteger。这可以在下面的createPublicKey 函数中看到。

签名（由 R 和 S 组成）必须以 DER 格式编码 - 我找不到现有的 Java 实用程序函数来执行此操作，所以它是手动完成的，如createDERSigniture 下方。

/**
 * Check to see if `message` matches signature [R, S] and public key point [qx, qy]
 *
 * @param message device ID
 * @param r       first part of the ECDSA signature
 * @param s       second part of the ECDSA signature
 * @param qx      x part of the public key point
 * @param qy      y part of the public key point
 * @return true iff the signature signed the message
 * @note ECDSA SHA-256 is used - r, s, qx and qy must be 32 bytes long
 */
private static boolean ecdsaVerify(@NotNull final byte[] message, @NotNull final byte[] r, @NotNull final byte[] s,
                                   @NotNull final byte[] qx, @NotNull final byte[] qy)

   try
   
      // convert from raw bytes to something `Signature` can understand
      ECPublicKey publicKey = createPublicKey(qx, qy);
      byte[] derSignature = createDERSigniture(r, s);

      // do the actual verification
      Signature sig = Signature.getInstance("SHA256withECDSA");
      sig.initVerify(publicKey);
      sig.update(message);
      return sig.verify(derSignature);
   
   catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidKeyException | SignatureException | InvalidAlgorithmParameterException e)
   
      return false;
   


/**
 * Format the raw elliptic curve point [qx, qy] with the NIST P-256
 *
 * @param qx the x coordinate - should be 32 bytes
 * @param qy the y coordinate - should be 32 bytes
 * @return the public key from the raw coordinates
 * @see https://***.com/a/22652372/1229250
 */
private static ECPublicKey createPublicKey(byte[] qx, byte[] qy)
        throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeySpecException

   // generate bogus keypair so we can get its spec
   KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
   kpg.initialize(new ECGenParameterSpec("secp256r1"));// NIST P-256
   ECPublicKey apub = (ECPublicKey)kpg.generateKeyPair().getPublic();
   ECParameterSpec aspec = apub.getParams();

   ECPoint point = new ECPoint(new BigInteger(1, qx), new BigInteger(1, qy));
   ECPublicKeySpec pks = new ECPublicKeySpec(point, aspec);
   return (ECPublicKey)KeyFactory.getInstance("EC").generatePublic(pks);


/**
 * Encode a raw signature in the DER format
 *
 * @param r first part of the raw signature - should be 32 bytes
 * @param s second part of the raw signature - should be 32 bytes
 * @return a DER formatted signature
 * @see https://crypto.stackexchange.com/a/57734/89173
 */
private static byte[] createDERSigniture(byte[] r, byte[] s)

   // build backwards
   byte[] der = ;
   der = prependPoint(der, s);
   der = prependPoint(der, r);
   return prependHeader(der);


/**
 * Take in a raw coordinate value, `p` and then wrap and prepend it to `derSig`
 *
 * Wrapping includes adding the header by (0x02), the length as well as a leading zero if needed.
 *
 * @param derSig the end of the DER formatted signature, so far (may be empty)
 * @param p      a part of the coordinate to prepend
 * @return the signature so far with an addition component
 */
private static byte[] prependPoint(byte[] derSig, byte[] p)

   // append a zero byte if the leading *bit* is one (so as a whole, it is a positive number)
   final boolean prependZero = (p[0] & 0x80) == 0x80;
   final int pointLength = p.length + (prependZero ? 1 : 0);
   final int prependSize = 2 + pointLength;
   final int totalNewSize = prependSize + derSig.length;

   byte[] result = new byte[totalNewSize];
   result[0] = 2;
   result[1] = (byte) pointLength;
   if (prependZero)
   
      result[2] = 0;
   
   System.arraycopy(p, 0, result, prependZero ? 3 : 2, p.length);
   System.arraycopy(derSig, 0, result, prependSize, derSig.length);

   return result;


/**
 * Add the DER header - the 0x30 magic number and the length of the point
 *
 * @param derSig the DER signature so far - must have the two points
 * @return the signature with the proper header
 */
private static byte[] prependHeader(byte[] derSig)

   byte[] result = new byte[derSig.length + 2];
   result[0] = 0x30;
   result[1] = (byte) derSig.length;
   System.arraycopy(derSig, 0, result, 2, derSig.length);
   return result;