AS3Crypto RSA signing
I'm having some troubles matching the value returned from RSA signing
a Base64 SHA1 hash in the ActionScript as3crypto library with the result returned in C#.
I'm passing in a Base64 hash decoded as a byte array to the sign()
function provided in as3crypto and base64 encoding the result.
However, this result never matches the returned result from a C#
function which performs the same task. Does it matter that the
function takes in and returns hex even though it works at the byte
array level?
Please see my below signing function to check I haven't missed
anything!
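private function signHash(hashInBase64:String):String
{
    // Decode the Base64 hash to raw bytes
    var src:ByteArray = Base64.decodeToByteArray(hashInBase64);
    var key:RSAKey = getRSAKey();
    var dst:ByteArray = new ByteArray();
    // Sign the raw hash bytes; the signature is written to dst
    key.sign(src, dst, src.length);
    // Return the signature Base64-encoded
    return Base64.encodeByteArray(dst);
}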
Anyone had much experience with the AS3Crypto library?
Any help would be great!!!
Thanks,
Jon
Comments (2)
I assume that your C# version is using RSA PKCS #1 version 1.5. The standard computes signatures by doing an RSA private key operation over a byte string composed as
Looking at the as3crypto code shows that the RSAKey class does not add any OID during the sign operation. Hence if you don't do it you'll get incorrect results.
Looking at the code also shows that as3crypto is vulnerable to this attack, because it does not verify the padding properly. This attack is more than 3 years old. Hence it seems like a good idea to use a different library than as3crypto.
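The mismatch and the padding check described in this answer, as an added example (not code from the thread or from as3crypto): a Python sketch that signs a SHA-1 digest with and without the DigestInfo prefix, and verifies by rebuilding the expected block and comparing it byte for byte. The toy key built from two Mersenne primes, the sample message and all function names are constructed for illustration, and the "bare hash" signer is an assumed model of the behaviour the answer describes.

```python
import hashlib

# DER prefix of the SHA-1 DigestInfo structure (AlgorithmIdentifier with the
# SHA-1 OID, followed by the OCTET STRING header for the 20-byte digest).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed toy key for illustration only: two Mersenne primes, NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def pad_type1(payload: bytes) -> bytes:
    """PKCS #1 v1.5 block type 1: 00 01 FF..FF 00 || payload."""
    ps_len = K - len(payload) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for payload")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + payload


def rsa_private(block: bytes) -> bytes:
    """Raw RSA private-key operation on an already padded block."""
    return pow(int.from_bytes(block, "big"), D, N).to_bytes(K, "big")


def sign_bare_hash(digest: bytes) -> bytes:
    """Assumed mismatch case: digest padded and signed with no DigestInfo."""
    return rsa_private(pad_type1(digest))


def sign_pkcs1_v15_sha1(digest: bytes) -> bytes:
    """Standard signature: DigestInfo prefix prepended before padding."""
    return rsa_private(pad_type1(SHA1_DIGESTINFO_PREFIX + digest))


def verify_pkcs1_v15_sha1(digest: bytes, sig: bytes) -> bool:
    """Strict check: rebuild the expected block and compare every byte."""
    if len(sig) != K or int.from_bytes(sig, "big") >= N:
        return False
    recovered = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return recovered == pad_type1(SHA1_DIGESTINFO_PREFIX + digest)


digest = hashlib.sha1(b"constructed sample message").digest()
```

Comparing the whole recovered block against a freshly built one leaves no room for a verifier to accept malformed padding or trailing bytes.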
Now there is an ActionScript crypto library compatible with .NET. Here it is: http://code.google.com/p/flame. Looks like it supports RSA exactly the way .NET does.