1
我想弄清楚如何使用ANSI X9.31版本的RSA數字簽名算法創建數字簽名。這與PKCS#1實現不同,主要是由於填充方案。如何在C#中使用ANSI X9.31 RSA創建數字簽名?
我以爲我可以使用RSACryptoServiceProvider SignHash;但是,這使用PKCS#1或OAEP。我無法弄清楚如何使用ANS X9.31填充。幫幫我?
編輯:如果我使用BouncyCastle,是否需要使用「RSABlindingEngine」或者我可以只使用「RSAEngine」?看下面的例子:
using System.Security.Cryptography;
public byte[] SignSha256AnsiX931Rsa(
byte[] data,
System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
{
// Do a SHA-256 hash of the data, using CNG
SHA256Cng sha = new SHA256Cng();
byte[] digest = sha.ComputeHash(data);
// Pad the hash using ANSI X9.31 padding scheme
byte[] paddedHash = AnsiX931PadData(digest);
// Encrypt the data using RSA encryption
return RsaEncryptData(paddedHash, certificate);
}
/// <summary>
/// Pads the passed in SHA-256 hash (32-bytes) using the padding scheme
/// specified for ANS X9.31 RSA digital signatures.
/// </summary>
/// <param name="sha256HashedData">The 32-byte hash</param>
public byte[] AnsiX931PadData(byte[] sha256HashedData)
{
// N = Modulus Length (in bytes) = 256, where modulus is 2048-bits (length of private key)
// M = Message
// k = Hash Output = Digest = Hash(M)
// z = Len(k) (in bytes) = 32, where using Hash = SHA-256
// p = number of fixed padding bytes, in this case 4 (6b, ba, 34, and cc)
//
// Padded Hash = 6b [bb]*x ba [k] 34 cc, where x = 220 (N - z - 4 = 256 - 32 - 4 = 220)
// [6b bb bb ... bb ba] [Hash(M)] [hashID=34] [cc]
//
// See:
// http://www.drdobbs.com/rsa-digital-signatures/184404605?pgno=6
// http://books.google.com/books?id=7gBn_gEBQesC&lpg=PA388&dq=x9.31%20padding&pg=PA386#v=onepage&q=x9.31%20padding&f=false
const int MOD_LENGTH = 256; // 2048-bit private key length
const int PAD_LENGTH = 4; // number of fixed padding bytes, in this case 4 (6b, ba, 34, and cc)
const int HASH_LENGTH = 32; // where using Hash = SHA-256
if (sha256HashedData.Length != HASH_LENGTH) throw new ArgumentException("The hash provided is the incorrect length");
List<byte> paddedHash = new List<byte>(MOD_LENGTH);
paddedHash.Add(0x6b);
int bbRepeats = MOD_LENGTH - HASH_LENGTH - PAD_LENGTH;
for (int ii = 0; ii < bbRepeats; ii++)
{
paddedHash.Add(0xbb);
}
paddedHash.Add(0xba);
paddedHash.AddRange(sha256HashedData);
paddedHash.Add(0x34); // SHA-256 Hash ID; 0x33 = SHA-1
paddedHash.Add(0xcc);
return paddedHash.ToArray();
}
/// <summary>
/// Encrypts the data using an X509 certificate and the RSA encryption scheme
/// </summary>
public byte[] RsaEncryptData(
byte[] data,
System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
{
Org.BouncyCastle.Crypto.Engines.RsaBlindedEngine engine = new Org.BouncyCastle.Crypto.Engines.RsaBlindedEngine();
engine.Init(true, getBouncyPrivateKey(certificate));
return engine.ProcessBlock(data, 0, data.Length);
}
/// <summary>
/// Gets the private key from an X509Certificate
/// </summary>
private Org.BouncyCastle.Crypto.AsymmetricKeyParameter getBouncyPrivateKey(
System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
{
// Need to transform the key from X509 to RSACrypto so we can do SHA-256 since
// X509 only supports SHA-1:
System.Security.Cryptography.RSACryptoServiceProvider key = new System.Security.Cryptography.RSACryptoServiceProvider(2048);
// Round-trip the key to XML and back, there might be a better way but this works
key.FromXmlString(certificate.PrivateKey.ToXmlString(true));
return Org.BouncyCastle.Security.DotNetUtilities.GetKeyPair(key).Private;
}
謝謝,我會看看如果我能弄清楚如何做到這一點。 –
如果我使用BouncyCastle,我需要使用「RSABlindingEngine」還是隻使用「RSAEngine」?見上面的例子。 –
任何一個。盲目性是一種避免旁道攻擊的方法,它不會影響結果。通常情況下,您確實想要防範此類攻擊,除非不能進行旁路通道攻擊*和*您的CPU時間不足:) –