使用secp256r1曲线和SHA256算法生成ECDSA签名-BouncyCastle [英] ECDSA signature generation using secp256r1 curve and SHA256 algorithm - BouncyCastle

问题描述

我正在尝试使用带有secp256r1曲线(P256)和SHA256算法的ECDSA生成签名以进行消息哈希处理.我也正在使用Bouncy Castle库.下面的代码，

I am trying to generate signature using ECDSA with secp256r1 curve (P256) and SHA256 algorithm for message hash. Also i am using Bouncy Castle libraries. Code below,

public class MyTest {

    /**
     * @param args
     */
    public static void main(String[] args) {
        new MyTest().getSign();
    }

    void getSign() {
        // Get the instance of the Key Generator with "EC" algorithm

        try {
            KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
            ECGenParameterSpec kpgparams = new ECGenParameterSpec("secp256r1");
            g.initialize(kpgparams);

            KeyPair pair = g.generateKeyPair();
            // Instance of signature class with SHA256withECDSA algorithm
            Signature ecdsaSign = Signature.getInstance("SHA256withECDSA");
            ecdsaSign.initSign(pair.getPrivate());

            System.out.println("Private Keys is::" + pair.getPrivate());
            System.out.println("Public Keys is::" + pair.getPublic());

            String msg = "text ecdsa with sha256";//getSHA256(msg)
            ecdsaSign.update((msg + pair.getPrivate().toString())
                    .getBytes("UTF-8"));

            byte[] signature = ecdsaSign.sign();
            System.out.println("Signature is::"
                    + new BigInteger(1, signature).toString(16));

            // Validation
            ecdsaSign.initVerify(pair.getPublic());
            ecdsaSign.update(signature);
            if (ecdsaSign.verify(signature))
                System.out.println("valid");
            else
                System.out.println("invalid!!!!");

        } catch (Exception e) {
            // TODO: handle exception
            e.printStackTrace();
        }

    }

}

这里，密钥对是使用KeyPair生成的，但根据我的要求，我将拥有一个静态的privateKey和公共密钥.另外，签名验证始终返回false.

Here key pairs are generated using KeyPair , but for my requirement I will be having a static privateKey and public key. Also, validation of signature is always returning false.

需要帮助，我该如何获得静态私钥和验证部分.

Need help, how can I have static private key and on validation part.

推荐答案

头奖-标题中没有问题！

Jackpot - nothing in your title is a problem!

首先，您可能实际上并未使用BouncyCastle.Sun/Oracle Java 7和8现在包括EC提供程序(早期版本没有)，并且 getInstance 的单参数形式使用第一个可用的提供程序，通常是SunEC，除非您或某人更改了提供者列表.

First, you probably aren't actually using BouncyCastle. Sun/Oracle Java 7 and 8 now includes an EC provider (earlier versions did not) and the one-arg form of getInstance uses the first available provider, which is normally SunEC unless you or someone has altered the provider list.

验证签名:在传递给签名时，将相同数据传递给验证的 Signature.update()Signature.update().完全相同，一个字节一个字节.仅将签名值 传递给 Signature.verify().将 PrivateKey.toString()放入数据中很愚蠢；该值是特定于正在运行的Java进程的，因此您必须将其发送到接收过程(如果不同，通常应该如此)，在该过程中它将毫无用处并浪费空间.

TO VERIFY A SIGNATURE: pass the same data to the verifying Signature.update() as you passed to the signing Signature.update(). Exactly the same, byte for byte. Pass the signature value only to Signature.verify(). Putting PrivateKey.toString() in the data is silly; this value is specific to the running Java process, so you'll have to send it to the receiving process (if different, as it normally should be) where it is useless and a waste of space.

使用静态密钥:.创建一个密钥对并将其存储在某个地方，然后将其读入并使用.最简单的安全(受密码保护)存储是Java KeyStore(JKS)文件，但是它需要证书链(可能是虚拟证书链)，这对自己进行编码很麻烦.幸运的是，带有 -genkeypair 的 keytool 实用程序会生成带有虚拟自签名证书的密钥对，并且对于 -keyalg ec -keysize 256 ，它使用(非常流行)secp256r1曲线.还要指定您选择的 -alias name ， -keystore filename ，您想要的虚拟证书名称和密码.要使用JKS文件中的密钥对，请执行以下操作:

TO USE A STATIC KEY: do just that. Create a keypair and store it someplace, then read it in and use it. The easiest secure (password protected) store is a Java KeyStore (JKS) file, but that requires a certificate chain (perhaps a dummy one) which is a nuisance to code yourself; fortunately the keytool utility with -genkeypair generates a keypair with a dummy selfsigned certificate, and for -keyalg ec -keysize 256 it uses the (very popular) secp256r1 curve. Also specify -alias name of your choice, -keystore filename, any names you like for the dummy cert, and passwords. To use a keypair from a JKS file:

• 使用 java.security.KeyStore.getInstance("JKS")创建存储对象并传递 .load(InputStream，char [])文件上的 FileInputStream 和密码.

• use java.security.KeyStore.getInstance("JKS") to create a store object and pass .load(InputStream,char[]) a FileInputStream on the file, and the password.

使用 .getKey(String alias，char [] password)并进行强制转换以获取PrivateKey.用于签名.

use .getKey(String alias,char[] password) and cast to get the PrivateKey. Use for signing.

使用 .getCertificateChain(字符串别名)[0] .getPublicKey()从第一个(唯一的)证书获取PublicKey.用于验证.

use .getCertificateChain(String alias)[0].getPublicKey() to get the PublicKey from the first (only) cert. Use for verifying.

这篇关于使用secp256r1曲线和SHA256算法生成ECDSA签名-BouncyCastle的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！