On iOS, the Certificate, Key, and Trust Services API contains the following padding types:
- kSecPaddingNone
- kSecPaddingPKCS1
- kSecPaddingPKCS1MD2
- kSecPaddingPKCS1MD5
- kSecPaddingPKCS1SHA1
A user on the Apple CDSA mailing list says that "kSecPaddingPKCS1 [...] is the same as PKCS #1 1.5". The Certificate, Key, and Trust Services Reference annotates the latter three padding types (kSecPaddingPKCS1MD2, kSecPaddingPKCS1MD5, and kSecPaddingPKCS1SHA1) with "Standard ASN.1 padding will be done, as well as PKCS1 padding of the underlying RSA operation".
- What is the difference to kSecPaddingPKCS1?
- Is kSecPaddingPKCS1 just the raw padding of the underlying RSA operation according to RFC 3447?
- When signing a SHA-256, SHA-384, or SHA-512 digest with SecKeyRawSign(), does a developer need to use kSecPaddingPKCS1 and perform the ASN.1 padding herself? Is the ASN.1 padding necessary or can it be omitted?
Any hint that points me in the right direction is highly appreciated.
1 answer
#1
20
PKCS#1 contains two "paddings" for signatures with RSA, the "new" one (called PSS, added in version 2.1) and the "old" one (renamed "v1.5" since it was already in version 1.5 of PKCS#1). We are talking about the v1.5 padding.
When some data is signed, it is first hashed with a suitable hash function (e.g. SHA-1), then the hash value (20 bytes if using SHA-1) is wrapped into two successive layers:
- The hash value is encoded into an ASN.1-based structure which also specifies which hash function was used. In practice, if the hash value is H, then the first wrapping results in the sequence of bytes A || H where "||" is concatenation, and "A" is a header which is specific to the hash function (typically 15 to 20 bytes).
- The "A || H" is expanded with some extra bytes:
    0x00 0x01 0xFF 0xFF ... 0xFF 0x00 || A || H
  The number of bytes of value 0xFF is adjusted so that the total size equals the size of the RSA modulus (i.e. 128 bytes for a 1024-bit RSA key).
The second step is what PKCS#1 calls "type 1 padding".
kSecPaddingPKCS1 means that the function performs only the second step: it assumes that the input data is already the proper "A || H". Note that SSL/TLS (up to version 1.1) uses a signature variant which requires this mode (there's no "A", but there are two hash functions). With kSecPaddingPKCS1SHA1, the signature function expects the hash value as input, and adds the "A" header itself.
For a proper, standards-compliant signature which can be verified by third-party implementations, the "A" header must be added at some point. You can add it yourself and use kSecPaddingPKCS1, or use kSecPaddingPKCS1SHA1 and let the engine add it itself, which is probably less error-prone.
(As of 2011, use of SHA-1 is not recommended; you'd better switch to SHA-256 or SHA-512. Also, the API you are trying to use seems to be quite low-level, and the whole thing suspiciously looks as if you are trying to implement your own cryptographic protocol instead of using an existing library or framework.)
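The two wrapping steps the answer describes, written out as an added example (this is not code from the answer's author, from Apple, or from the Security framework; it stands in for what the framework does internally). Python is used so it runs anywhere; the function names type1_pad, emsa_pkcs1_v15 and check_encoding are my own. digest_info builds the "A || H" DigestInfo structure from the hash OID, type1_pad is the step kSecPaddingPKCS1 performs on caller-supplied data, and emsa_pkcs1_v15 does both steps, which is what the kSecPaddingPKCS1SHA1 mode does for SHA-1 (and what a caller wanting SHA-256/384/512 with kSecPaddingPKCS1 has to do herself). The sample message is constructed for the demonstration.

```python
import hashlib

# DigestInfo AlgorithmIdentifier OIDs (RFC 3447 / RFC 8017, section 9.2, note 1).
HASH_OIDS = {
    "sha1":   "1.3.14.3.2.26",
    "sha256": "2.16.840.1.101.3.4.2.1",
    "sha384": "2.16.840.1.101.3.4.2.2",
    "sha512": "2.16.840.1.101.3.4.2.3",
}

SAMPLE_MESSAGE = b"constructed sample message"  # constructed input for the demo


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV; every element in a DigestInfo fits the one-byte length form."""
    if len(content) >= 128:
        raise ValueError("only short-form DER lengths are supported here")
    return bytes([tag, len(content)]) + content


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128
    with the high bit set on every byte but the last of each arc."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def digest_info(hash_name: str, h: bytes) -> bytes:
    """First wrapping, the 'A || H' of the answer:
    DigestInfo ::= SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING digest }."""
    alg_id = der(0x30, encode_oid(HASH_OIDS[hash_name]) + b"\x05\x00")  # OID + NULL params
    return der(0x30, alg_id + der(0x04, h))


def type1_pad(t: bytes, k: int) -> bytes:
    """Second wrapping, PKCS#1 'type 1' padding (what kSecPaddingPKCS1 does to its input):
    EM = 0x00 || 0x01 || PS || 0x00 || T, where PS is k - len(T) - 3 bytes of 0xFF,
    at least eight of them, and k is the modulus length in bytes."""
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def emsa_pkcs1_v15(hash_name: str, message: bytes, k: int) -> bytes:
    """Both steps: hash the message, wrap the digest in DigestInfo, pad to k bytes."""
    h = hashlib.new(hash_name, message).digest()
    return type1_pad(digest_info(hash_name, h), k)


def check_encoding(em: bytes, hash_name: str, h: bytes, k: int) -> bool:
    """Verifier-side check (RFC 8017 section 8.2.2 style): rebuild the expected block
    and compare it whole, so a short 0xFF run, a foreign header or trailing bytes
    after H are all rejected instead of being skipped over by a lenient parser."""
    return len(em) == k and em == type1_pad(digest_info(hash_name, h), k)


if __name__ == "__main__":
    k = 256  # 2048-bit RSA modulus
    em = emsa_pkcs1_v15("sha256", SAMPLE_MESSAGE, k)
    print("A (SHA-256 header):", digest_info("sha256", b"\x00" * 32)[:19].hex())
    print("EM:", em.hex())
```

Running the block prints the 19-byte SHA-256 header the answer calls "A" and the full 256-byte encoded block. Passing the bare digest to type1_pad instead of digest_info(...) produces the header-less layout the answer mentions for old SSL/TLS, which standard PKCS#1 verifiers will reject; that is exactly the difference between handing SecKeyRawSign() "A || H" under kSecPaddingPKCS1 and handing it H under kSecPaddingPKCS1SHA1.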