Check signature for x509 certificate


Problem description

I have:

  1. an X509 certificate (Base64 encoded);

  2. string data;

  3. a signature of the string data (Base64 encoded).

Is it possible to check the signature?

My code:

  bool valid = false;

  var signature = Convert.FromBase64String(base64Signature);
  var data = Encoding.UTF8.GetBytes(stringData);

  var x509 = new X509Certificate2(Convert.FromBase64String(certificate));
  var dsa = x509.PublicKey.Key as DSACryptoServiceProvider;
  if (dsa!=null)
    valid = dsa.VerifySignature(data, signature);
  else {
    var rsa = x509.PublicKey.Key as RSACryptoServiceProvider;
    if (rsa!=null)
      valid = rsa.VerifyHash(data, ???, signature);
  }



I don't know what I should use instead of ???. Is it possible to get the hash algorithm from the certificate?

Recommended answer

The sender of the original message may use whatever algorithm he likes to sign his message, using the private key that corresponds to the certificate. While you can get the OID of the algorithm used to sign the certificate from its SignatureAlgorithm property, nothing prevents the sender from using a different signing or hashing algorithm.

According to the documentation, the only valid hashing algorithms for the RSA provider are SHA1 and MD5. Perhaps you should try VerifyHash with both algorithms and check which one succeeds. You can get the proper OID for each one using the CryptoConfig.MapNameToOID method like this:

// VerifyHash checks a signature against the *hash* of the data, not the raw
// data, so the data must be hashed with the candidate algorithm first.
byte[] sha1Hash = SHA1.Create().ComputeHash(data);
byte[] md5Hash = MD5.Create().ComputeHash(data);
string sha1Oid = CryptoConfig.MapNameToOID("SHA1");
string md5Oid = CryptoConfig.MapNameToOID("MD5");
bool sha1Valid = rsa.VerifyHash(sha1Hash, sha1Oid, signature);
bool md5Valid = rsa.VerifyHash(md5Hash, md5Oid, signature);
valid = sha1Valid || md5Valid;
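The following is an added example, not code from the question or the answer above. It shows the same idea (the certificate's SignatureAlgorithm tells you how the CA signed the certificate, not how the sender signed the data, so the verifier has to decide which hash algorithms it will accept) written against the modern .NET API: `X509Certificate2.GetRSAPublicKey()` / `GetDSAPublicKey()` and `RSA.VerifyData`, which hashes the data for you, instead of `VerifyHash` on the legacy `RSACryptoServiceProvider`. It goes beyond the answer by also trying the SHA-2 family, which the legacy provider in the answer did not support. The class name `SignatureCheck`, the method `Verify`, the candidate list and the self-signed test certificate are all my own assumptions; it targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class SignatureCheck
{
    // Hash algorithms this verifier is willing to accept, strongest first.
    // The certificate cannot tell us which one the sender used, so this
    // allow-list is a policy decision of the verifying side. MD5 and SHA1
    // are included only for legacy data; remove them where you can.
    static readonly HashAlgorithmName[] Candidates =
    {
        HashAlgorithmName.SHA256, HashAlgorithmName.SHA384, HashAlgorithmName.SHA512,
        HashAlgorithmName.SHA1, HashAlgorithmName.MD5,
    };

    // Returns the hash algorithm under which the signature verified, or null
    // when no accepted algorithm verifies it.
    public static HashAlgorithmName? Verify(string certificateBase64, string stringData, string signatureBase64)
    {
        byte[] signature = Convert.FromBase64String(signatureBase64);
        byte[] data = Encoding.UTF8.GetBytes(stringData);
        using var cert = new X509Certificate2(Convert.FromBase64String(certificateBase64));

        using RSA rsa = cert.GetRSAPublicKey();
        if (rsa != null)
        {
            foreach (var hash in Candidates)
            {
                try
                {
                    // VerifyData hashes `data` with `hash` and checks the PKCS#1 v1.5 signature.
                    if (rsa.VerifyData(data, signature, hash, RSASignaturePadding.Pkcs1))
                        return hash;
                }
                catch (CryptographicException)
                {
                    // Signature malformed for this algorithm: try the next candidate.
                }
            }
            return null;
        }

        using DSA dsa = cert.GetDSAPublicKey();
        if (dsa != null)
        {
            // Classic DSA signatures are defined over SHA-1 only.
            try
            {
                return dsa.VerifyData(data, signature, HashAlgorithmName.SHA1)
                    ? HashAlgorithmName.SHA1
                    : (HashAlgorithmName?)null;
            }
            catch (CryptographicException) { return null; }
        }

        return null; // neither an RSA nor a DSA public key
    }

    static void Main()
    {
        // Constructed fixture: a throwaway self-signed certificate and a
        // signature made with its private key, so the demo runs offline.
        using RSA signer = RSA.Create(2048);
        var request = new CertificateRequest("CN=example-signer", signer,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        string certB64 = Convert.ToBase64String(cert.Export(X509ContentType.Cert));

        string message = "order=42;amount=100.00";
        string sigB64 = Convert.ToBase64String(
            signer.SignData(Encoding.UTF8.GetBytes(message), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

        Console.WriteLine($"certificate itself was signed with: {cert.SignatureAlgorithm.FriendlyName}");
        Console.WriteLine($"data signature verified with:      {Verify(certB64, message, sigB64)}");
        Console.WriteLine($"tampered data verified with:       {Verify(certB64, message + "0", sigB64)}");
    }
}
```

Running it prints the certificate's own signature algorithm, then SHA256 for the genuine message and an empty value (null) for the tampered one. Returning the algorithm that matched, rather than a bare bool, lets the caller log or reject weak matches (for example, treat an MD5 match as a policy failure) instead of silently accepting them as the answer's `sha1Valid || md5Valid` does.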

