MD5-SHA1 hash using CryptoAPI


Problem description

I have a requirement of signing data using an MD5-SHA1 hash (the MD5 hash and the SHA1 hash of the data are combined and then signed).

Main requirements:

The MD5-SHA1 hash is provided by OpenSSL in some way that is not exposed. This hash is complete.

Now my requirement is to sign this hash using CryptoAPI without hashing (only signing is required, not hashing again). Why CryptoAPI, not OpenSSL? Because I am dealing with a certificate with a non-exportable private key. Its private key can only be used by CryptoAPI, not by OpenSSL.

This scenario is from the SSL handshake, where the Client verify part (in the case of a non-exportable private key) is sent to my layer, which is trying to sign the data using CryptoAPI.

Also, I would like to know about other ways of making use of non-exportable private key certificates with OpenSSL.

Recommended answer

Using CALG_SSL3_SHAMD5 in CryptCreateHash, then calling CryptSetHashParam and then CryptSignHash did the job for me.

Let me detail the requirement: 1. Generally, I give the private key via EVP_PKEY to the OpenSSL function so that it can do the signing part. I used to extract the private key from the Windows certificate store (when the key is marked as exportable). But in one scenario the private key is not marked as exportable and I was not able to get the private key into an EVP_PKEY. So I modified the OpenSSL code for the case when the private key is not available, so that the signing part is implemented using CryptoAPI (since CryptoAPI allows signing with such a non-exportable key).

So, in my case, the data is completely hashed by OpenSSL (using the md5-sha1 hash). The only thing left for me is to do the signing.

So, the following steps (in the signing part) did the job:

1. Created a hash using the certificate key handle's provider and the CALG_SSL3_SHAMD5 algorithm.
2. Using CryptSetHashParam, set the initial hash value.
3. Signed the hash using CryptSignHash.
4. After that, reversed the byte order (as the OpenSSL signature is big endian, mentioned [here][1], which I found after lots of experimenting).

The rest of the OpenSSL code seems happy with this signature.
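The four steps above, written out as an added example that is not the answerer's code (they posted none): a C routine that signs an already computed 36-byte MD5||SHA1 value through CryptoAPI, plus two portable helpers. The Windows part assumes an RSA key, an `hProv`/`keySpec` pair obtained with `CryptAcquireCertificatePrivateKey` on the client certificate (which works for a non-exportable key), and linking against advapi32; it is guarded by `_WIN32` so the helpers compile elsewhere. The PKCS#1 block builder is only an illustration of what CALG_SSL3_SHAMD5 signs (block type 1 around the raw 36 bytes, no DigestInfo prefix), which is why CALG_MD5 or CALG_SHA1 cannot be substituted for it.

```c
/* Added example, not the original poster's code.
 * Sign a precomputed 36-byte MD5||SHA1 SSL3 CertificateVerify hash with
 * CryptoAPI. Assumptions: RSA key, hProv/keySpec from
 * CryptAcquireCertificatePrivateKey, advapi32.lib linked on Windows. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSL3_MD5_SHA1_LEN 36   /* 16-byte MD5 followed by 20-byte SHA-1 */

/* CryptSignHash returns the RSA signature as a little-endian integer;
 * TLS (and OpenSSL) expect big-endian, so reverse the bytes in place. */
void reverse_bytes(uint8_t *buf, size_t len)
{
    size_t i, j;
    if (len == 0) return;
    for (i = 0, j = len - 1; i < j; i++, j--) {
        uint8_t t = buf[i]; buf[i] = buf[j]; buf[j] = t;
    }
}

/* What CALG_SSL3_SHAMD5 (and OpenSSL's RSA_sign with NID_md5_sha1) sign
 * before the RSA private operation: PKCS#1 v1.5 block type 1 around the raw
 * 36 bytes, with NO DigestInfo/OID prefix. Returns mod_len, or 0 if the
 * modulus is too short for the 11-byte minimum padding. */
size_t build_ssl3_pkcs1_block(const uint8_t md5sha1[SSL3_MD5_SHA1_LEN],
                              size_t mod_len, uint8_t *out)
{
    size_t pad_len;
    if (mod_len < SSL3_MD5_SHA1_LEN + 11) return 0;
    pad_len = mod_len - SSL3_MD5_SHA1_LEN - 3;   /* at least 8 bytes of FF */
    out[0] = 0x00;
    out[1] = 0x01;
    memset(out + 2, 0xFF, pad_len);
    out[2 + pad_len] = 0x00;
    memcpy(out + 3 + pad_len, md5sha1, SSL3_MD5_SHA1_LEN);
    return mod_len;
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>

/* Steps 1-4 of the answer. hProv and keySpec (AT_KEYEXCHANGE or
 * AT_SIGNATURE) come from CryptAcquireCertificatePrivateKey on the client
 * certificate. Call once with sig == NULL to learn the size in *sigLen,
 * then again with a buffer. Returns 1 on success, 0 on failure. */
int sign_ssl3_md5sha1(HCRYPTPROV hProv, DWORD keySpec,
                      const uint8_t md5sha1[SSL3_MD5_SHA1_LEN],
                      uint8_t *sig, DWORD *sigLen)
{
    HCRYPTHASH hHash = 0;
    int ok = 0;

    /* 1. hash object of the composite SSL3 algorithm on the key's provider */
    if (!CryptCreateHash(hProv, CALG_SSL3_SHAMD5, 0, 0, &hHash))
        return 0;

    /* 2. inject the value OpenSSL already computed; nothing is hashed again */
    if (CryptSetHashParam(hHash, HP_HASHVAL, md5sha1, 0) &&
        /* 3. PKCS#1 v1.5 sign with the (possibly non-exportable) private key */
        CryptSignHash(hHash, keySpec, NULL, 0, sig, sigLen)) {
        /* 4. CryptoAPI output is little-endian; OpenSSL wants big-endian */
        if (sig != NULL) reverse_bytes(sig, *sigLen);
        ok = 1;
    }
    CryptDestroyHash(hHash);
    return ok;
}
#endif
```

The reversed buffer is the signature OpenSSL's CertificateVerify code expects in place of the one RSA_sign would have produced; the same little-endian convention applies to any CryptoAPI signature, not just this algorithm.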

