验证签名—什么原因导致“签名无效”错误?

时间:2022-08-24 15:24:30

I need to sign and verify a string using my company's digital certificate. The VerifyHash(hash, CryptoConfig.MapNameToOID("SHA1"), signature); portion returns false so I get the "Signature not valid" error. What am I doing wrong? What is the most likely cause for this error?

我需要使用公司的数字证书来签署和验证一个字符串。VerifyHash(散列,CryptoConfig.MapNameToOID(SHA1),签名);部分返回false,因此我得到“签名无效”错误。我做错了什么?这个错误最有可能的原因是什么?

using System;
using System.Collections.Generic;
using System.Text;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

namespace ConsoleApplication1
{
    class Program
    {
        static byte[] Sign(string text, string certSubject)
        {
            X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            X509Certificate2 myCert = null;
            RSACryptoServiceProvider provider = new RSACryptoServiceProvider();
            store.Open(OpenFlags.ReadOnly);
            foreach (X509Certificate2 cert in store.Certificates.Find(X509FindType.FindBySubjectName, certSubject, false))
            {
                myCert = cert;
                break;
            }
            store.Close();
            if (myCert == null)
            {
                throw new Exception("Certificate not found: " + certSubject, null);
            }
            // Hash the data
            SHA1Managed sha1 = new SHA1Managed();
            UnicodeEncoding encoding = new UnicodeEncoding();
            byte[] data = encoding.GetBytes(text);
            byte[] hash = sha1.ComputeHash(data);

            // Sign the hash
            return provider.SignHash(hash, CryptoConfig.MapNameToOID("SHA1"));
        }

        static bool Verify(string text, byte[] signature, string certPath)
        {
            // Load the certificate we'll use to verify the signature from a file 
            X509Certificate2 cert = new X509Certificate2(certPath);
            // Note: 
            // If we want to use the client cert in an ASP.NET app, we may use something like this instead:
            // X509Certificate2 cert = new X509Certificate2(Request.ClientCertificate.Certificate);

            // Get its associated CSP and public key
            RSACryptoServiceProvider csp = (RSACryptoServiceProvider)cert.PublicKey.Key;

            // Hash the data
            SHA1Managed sha1 = new SHA1Managed();
            UnicodeEncoding encoding = new UnicodeEncoding();
            byte[] data = encoding.GetBytes(text);
            byte[] hash = sha1.ComputeHash(data);

            // Verify the signature with the hash
            return csp.VerifyHash(hash, CryptoConfig.MapNameToOID("SHA1"), signature);
        }

        static void Main(string[] args)
        {
            // Usage sample
            try
            {
                // Sign text
                byte[] signature = Sign("Test 123", "Ross cert");

                // Verify signature. 
                if (Verify("Test 123", signature, @"C:\...RossTest.cer"))
                {
                    Console.WriteLine("SUCCESS! Signature verified");
                }
                else
                {
                    Console.WriteLine("ERROR: Signature not valid!");
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("EXCEPTION: " + ex.Message);
            }
            Console.ReadKey();
        }
    }
}

2 个解决方案

#1

1  

I would imagine that the problem is that in your sign method you go to a lot of effort to get myCert but then never use it. You just sign it with your newly created uninitialised RSACryptoServiceProvider.

我想问题是在你的符号方法中你花了很多努力去获得myCert但却从未使用过它。您只需在新创建的未初始化RSACryptoServiceProvider中签名即可。

i'd imagine that after the store.Close() line you want something like the following:

close () line()你想要的东西是这样的:

RSACryptoServiceProvider provider = (RSACryptoServiceProvider)cert.PrivateKey;

#2

1  

RSACryptoServiceProvider provider = new RSACryptoServiceProvider();

That's the only place where provider is assigned when you sign the data. That code means you just created a totally new keypair, i.e. it's not associated with the certificate you looked for.

当您签署数据时,这是唯一分配提供者的地方。这段代码意味着您刚刚创建了一个全新的密钥对,即它与您所查找的证书没有关联。

When you verify the signature you're using the public key of the certificate (not the one from the key pair you generated). Since they don't match you'll never get a valid signature verification.

当您验证签名时,您使用的是证书的公钥(而不是您生成的密钥对的密钥)。由于它们不匹配,您永远不会得到有效的签名验证。

IOW you need to sign with the private key associated with the certificate, not just any keypair.

现在,您需要使用与证书关联的私钥签名,而不仅仅是任何密钥对。

#1

1  

I would imagine that the problem is that in your sign method you go to a lot of effort to get myCert but then never use it. You just sign it with your newly created uninitialised RSACryptoServiceProvider.

我想问题是在你的符号方法中你花了很多努力去获得myCert但却从未使用过它。您只需在新创建的未初始化RSACryptoServiceProvider中签名即可。

i'd imagine that after the store.Close() line you want something like the following:

close () line()你想要的东西是这样的:

RSACryptoServiceProvider provider = (RSACryptoServiceProvider)cert.PrivateKey;

#2

1  

RSACryptoServiceProvider provider = new RSACryptoServiceProvider();

That's the only place where provider is assigned when you sign the data. That code means you just created a totally new keypair, i.e. it's not associated with the certificate you looked for.

当您签署数据时,这是唯一分配提供者的地方。这段代码意味着您刚刚创建了一个全新的密钥对,即它与您所查找的证书没有关联。

When you verify the signature you're using the public key of the certificate (not the one from the key pair you generated). Since they don't match you'll never get a valid signature verification.

当您验证签名时,您使用的是证书的公钥(而不是您生成的密钥对的密钥)。由于它们不匹配,您永远不会得到有效的签名验证。

IOW you need to sign with the private key associated with the certificate, not just any keypair.

现在,您需要使用与证书关联的私钥签名,而不仅仅是任何密钥对。

标签:

相关文章