AS3Crypto RSA Signing

Problem description

I'm having some troubles matching the value returned from RSA signing a Base64 SHA1 hash in the ActionScript as3crypto library with the result returned in C#.

I'm passing in a Base64 hash decoded as a byte array to the sign() function provided in as3crypto and base64 encoding the result. However, this result never matches the returned result from a C# function which performs the same task. Does it matter that the function takes in and returns hex even though it works at the byte array level?

Please see my below signing function to check I haven't missed anything!

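private function signHash(hashInBase64:String):String
{
    // Decode the Base64-encoded SHA-1 hash to raw bytes
    var src:ByteArray = Base64.decodeToByteArray(hashInBase64);
    var key:RSAKey = getRSAKey();
    var dst:ByteArray = new ByteArray();

    // RSA private-key operation over the bare hash bytes
    key.sign(src, dst, src.length);

    // Base64-encode the raw signature bytes
    return Base64.encodeByteArray(dst);
}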

Anyone had much experience with the AS3Crypto library?

Any help would be great!!!

Thanks,

Jon

Recommended answer

I assume that your C# version is using RSA PKCS #1 version 1.5. The standard computes signatures by doing an RSA private key operation over a byte string composed as

0x00 0x01 || 0xff* || 0x00 || OID || hash

Looking at the as3crypto code shows that the RSAKey class does not add any OID during the sign operation. Hence if you don't do it you'll get incorrect results.

Looking at the code also shows that as3crypto is vulnerable to this attack, because it does not verify the padding properly. This attack is more than 3 years old. Hence it seems like a good idea to use a different library than as3crypto.
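
The block layout from the answer, as an added Python example (not code from the original post or from as3crypto): it builds the SHA-1 encoding with the DigestInfo (OID) prefix, sets it beside the same hash padded without the prefix, and checks a block strictly by re-encoding it and comparing. The 128-byte modulus length, the sample message and the helper names are assumptions made for the example.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15_sha1(digest: bytes, k: int) -> bytes:
    """Build the k-byte block 0x00 0x01 || 0xff* || 0x00 || OID || hash."""
    if len(digest) != hashlib.sha1().digest_size:
        raise ValueError("expected a 20-byte SHA-1 digest")
    t = SHA1_DIGESTINFO_PREFIX + digest
    pad_len = k - len(t) - 3
    if pad_len < 8:
        raise ValueError("modulus too short for this encoding")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t


def padded_without_oid(digest: bytes, k: int) -> bytes:
    """Type-1 padding over the bare hash: the layout when no OID is added."""
    return b"\x00\x01" + b"\xff" * (k - len(digest) - 3) + b"\x00" + digest


def strict_check(em: bytes, digest: bytes, k: int) -> bool:
    """Verify by re-encoding and comparing the whole block, not by parsing it."""
    if len(em) != k:
        return False
    return hmac.compare_digest(em, emsa_pkcs1_v15_sha1(digest, k))


K = 128  # assumed modulus length in bytes (1024-bit key), chosen for the example
DIGEST = hashlib.sha1(b"constructed sample message").digest()
GOOD = emsa_pkcs1_v15_sha1(DIGEST, K)
NO_OID = padded_without_oid(DIGEST, K)
# Constructed malformed block: one padding byte, bytes left over after the hash.
MALFORMED = (b"\x00\x01\xff\x00" + SHA1_DIGESTINFO_PREFIX + DIGEST).ljust(K, b"\x00")

if __name__ == "__main__":
    print("with OID   :", GOOD.hex())
    print("without OID:", NO_OID.hex())
    print("strict check good/no-OID/malformed:",
          strict_check(GOOD, DIGEST, K),
          strict_check(NO_OID, DIGEST, K),
          strict_check(MALFORMED, DIGEST, K))
```

Because the two blocks differ before the private-key operation, the resulting signatures differ as well, which is the mismatch described in the question.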
