Node.js 和 WebCrypto 之间的 ECDSA 签名似乎不兼容? [英] ECDSA signatures between Node.js and WebCrypto appear to be incompatible?

问题描述

我在 Node.js 中使用以下示例进行签名和验证:https://github.com/nodejs/node-v0.x-archive/issues/6904.验证在 Node.js 中成功，但在 WebCrypto 中失败.同样，使用 WebCrypto 签名的消息无法在 Node.js 中验证.

I'm using the following example for signing + verifying in Node.js: https://github.com/nodejs/node-v0.x-archive/issues/6904. The verification succeeds in Node.js but fails in WebCrypto. Similarly, a message signed using WebCrypto fails to verify in Node.js.

这是我用来验证使用 WebCrypto 从 Node.js 脚本生成的签名的代码 - https://jsfiddle.净/aj49e8sj/.在 Chrome 54.0.2840.27 和 Firefox 48.0.2 中测试

Here's the code I used to verify a signature produced from the Node.js script using WebCrypto - https://jsfiddle.net/aj49e8sj/. Tested in both Chrome 54.0.2840.27 and Firefox 48.0.2

// From https://github.com/nodejs/node-v0.x-archive/issues/6904
var keys = {
  priv: '-----BEGIN EC PRIVATE KEY-----
' +
        'MHcCAQEEIF+jnWY1D5kbVYDNvxxo/Y+ku2uJPDwS0r/VuPZQrjjVoAoGCCqGSM49
' +
        'AwEHoUQDQgAEurOxfSxmqIRYzJVagdZfMMSjRNNhB8i3mXyIMq704m2m52FdfKZ2
' +
        'pQhByd5eyj3lgZ7m7jbchtdgyOF8Io/1ng==
' +
        '-----END EC PRIVATE KEY-----
',
  pub: '-----BEGIN PUBLIC KEY-----
' +
       'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEurOxfSxmqIRYzJVagdZfMMSjRNNh
' +
       'B8i3mXyIMq704m2m52FdfKZ2pQhByd5eyj3lgZ7m7jbchtdgyOF8Io/1ng==
' +
       '-----END PUBLIC KEY-----
'
};
var message = (new TextEncoder('UTF-8')).encode('hello');

// Algorithm used in Node.js script is ecdsa-with-SHA1, key generated with prime256v1
var algorithm = {
    name: 'ECDSA',
    namedCurve: 'P-256',
    hash: {
        name: 'SHA-1'
    }
};

// Signature from obtained via above Node.js script
var sig64 = 'MEUCIQDkAtiomagyHFi7dNfxMrzx/U0Gk/ZhmwCqaL3TimvlswIgPgeDqgZNqfR5/FZZASYsczUAhGSXjuycLhWnvk20qKc=';

// Decode base64 string into ArrayBuffer
var b64Decode = (str) => Uint8Array.from(atob(str), x => x.charCodeAt(0));

// Get base64 string from public key
const key64 = keys.pub.split('
')
    .filter(x => x.length > 0 && !x.startsWith('-----'))
    .join('');

// Convert to buffers
var sig = b64Decode(sig64);
var keySpki = b64Decode(key64);

// Import and verify
// Want 'Verification result: true' but will get 'false'
var importKey = crypto.subtle.importKey('spki', keySpki, algorithm, true, ['verify'])
    .then(key => crypto.subtle.verify(algorithm, key, sig, message))
    .then(result => console.log('Verification result: ' + result));

与使用 SHA-256 而不是 SHA-1 的类似问题的相关问题:使用 Node.js/crypto 生成 ECDSA 签名

Related question with a similar issue using SHA-256 instead of SHA-1: Generating ECDSA signature with Node.js/crypto

我检查过的内容:

• 我解码了 Node.js 密钥并验证它们与通过 WebCrypto 生成的密钥具有相同的 OID.这告诉我我使用了正确的曲线.
• SHA-1 被明确标识为要在两个位置使用的哈希.
• ECDSA 在 Node.js 和 WebCrypto 中都有明确标识.

如何成功验证从 Node.js 接收到的签名，反之亦然 - 验证从 WebCrypto 生成的 Node.js 中的签名?或者标准的实现是否存在细微差别，导致它们不兼容?

How can I successfully verify the signature received from Node.js and vice versa - verify a signature in Node.js produced from WebCrypto? Or are the implementations of the standard subtly different in such a way that makes them incompatible?

• WebCrypto 签名(64 字节):uTaUWTfF+AjN3aPj0b5Z2d1HybUEpV/phv/P9RtfKaGXtcYnbgfO43IRg46rznG3/WnWwJ2sV6mPOEnEPR0vWw==
• Node.js 签名(71 字节):MEUCIQDkAtiomagyHFi7dNfxMrzx/U0Gk/ZhmwCqaL3TimvlswIgPgeDqgZNqfR5/FZZASYSczUAhGSXjuycLhWnvk20qKc=

经过验证的 Node.js 签名是 DER 编码的，而 WebCrypto 签名不是.

Verified Node.js signature is DER encoded and WebCrypto signature is not.

推荐答案

我不能肯定地说没有使用过这两个库，但一种可能是它们没有使用相同的编码类型作为签名.对于 DSA/ECDSA，有两种主要格式，IEEE P1363(Windows 使用)和 DER(OpenSSL 使用).

Having not used either of these libraries I can't say for certain, but one possibility is that they don't use the same encoding type for the signature. For DSA/ECDSA there are two main formats, IEEE P1363 (used by Windows) and DER (used by OpenSSL).

Windows"格式具有预设大小(由 DSA 的 Q 和 ECDSA 的 P 确定(Windows 不支持 Char-2，但如果支持 Char-2 ECDSA 则可能是 M)).然后 r 和 s 都用 0 向左填充，直到它们满足该长度.

The "Windows" format is to have a preset size (determined by Q for DSA and P for ECDSA (Windows doesn't support Char-2, but if it did it'd probably be M for Char-2 ECDSA)). Then both r and s are left-padded with 0 until they meet that length.

在 r = 0x305 和 s = 0x810522 的合法示例中 sizeof(Q) 为 3 个字节:

In the too small to be legal example of r = 0x305 and s = 0x810522 with sizeof(Q) being 3 bytes:

// r
000305
// s
810522

对于OpenSSL"格式，它在 DER 规则下被编码为 SEQUENCE(INTEGER(r), INTEGER(s))，看起来像

For the "OpenSSL" format it is encoded under the rules of DER as SEQUENCE(INTEGER(r), INTEGER(s)), which looks like

// SEQUENCE
30
  // (length of payload)
  0A
  // INTEGER(r)
  02
    // (length of payload)
    02
    // note the leading 0x00 is omitted
    0305
  // INTEGER(s)
  02
    // (length of payload)
    04
    // Since INTEGER is a signed type, but this represented a positive number,
    // a 0x00 has to be inserted to keep the sign bit clear.
    00810522

或者，简洁地:

• Windows:000305810522
• OpenSSL:300A02020305020400810522

Windows"格式总是偶数，总是相同的长度.OpenSSL"格式通常大约大 6 个字节，但在中间可以增加或减少一个字节；所以有时是偶数，有时是奇数.

The "Windows" format is always even, always the same length. The "OpenSSL" format is usually about 6 bytes bigger, but can gain or lose a byte in the middle; so it's sometimes even, sometimes odd.

Base64 解码您的 sig64 值表明它正在使用 DER 编码.使用 WebCrypto 生成几个签名；如果有任何不以 0x30 开头，那么您有 IEEE/DER 问题.

Base64-decoding your sig64 value shows that it is using the DER encoding. Generate a couple signatures with WebCrypto; if any don't start with 0x30 then you have the IEEE/DER problem.

这篇关于Node.js 和 WebCrypto 之间的 ECDSA 签名似乎不兼容?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！