Fork me on GitHub

rsa签名以及java验签实现

在开放平台领域,需要给isv提供sdk,签名是Sdk中需要提供的功能之一。由于isv使用的开发语言不是单一的,因此sdk需要提供多种语言的版本。譬如java、php、c#。另外,在电子商务尤其是支付领域,对安全性的要求比较高,所以会采用非对称密钥RSA

本文主要介绍如何基于java、php、c#在客户端使用rsa签名,然后在服务端使用Java验签。

基于openssl生成RSA公私钥对

  1. 从网上下载openssl工具:http://www.slproweb.com/products/Win32OpenSSL.html
  2. 生成私钥

    进入到openssl的bin目录下,执行以下命令:

    openssl genrsa -out rsa_private_key.pem 1024

    会在bin目录下看到新生成的私钥文件rsa_private_key.pem,文件内容如下:

    MIICXgIBAAKBgQDtd1lKsX6ylsAEWFi7E/ut8krJy9PQ7sGYKhIm9TvIdZiq5xzy
    aw8NOLzKZ1k486MePYG4tSuoaxSbwuPLwVUzYFvnUZo7aWCIGKn16UWTM4nxc/+d
    wce+bhcKrlLbTWi8l580LTE7GxclTh8z7gHq59ivhaoGbK7FNxlUfB4TSQIDAQAB
    AoGBAIgTk0x1J+hI8KHMypPxoJCOPoMi1S9uEewTd7FxaB+4G5Mbuv/Dj62A7NaD
    oKI9IyUqE9L3ppvtOLMFXCofkKU0p4j7MEJdZ+CjVvgextkWa80nj/UZiM1oOL6Y
    HwH4ZtPtY+pFCTK1rdn3+070qBB9tnVntbN/jq0Ld7f0t7UNAkEA9ryI0kxJL9Pu
    pO9NEeWuCUo4xcl9x/M9+mtkfY3VoDDDV1E/eUjmoTfANYwrjcddiQrO0MLyEdoo
    tiLpN77qOwJBAPZhtv/+pqMVTrLxWnVKLZ4ZVTPPgJQQkFdhWwYlz7oKzB3VbQRt
    /jLFXUyCN2eCP7rglrXnaz7AYBftF0ajHEsCQQDDNfkeQULqN0gpcDdOwKRIL1Pp
    kHgWmWlg1lTETVJGEi6Kx/prL/VgeiZ1dzgCTUjAoy9r1cEFxM/PAqH3+/F/AkEA
    zsTCp6Q2hLblDRewKq7OCdiIwKpr5dbgy/RQR6CD7EYTdxYeH5GPu1wXKJY/mQae
    JV9GG/LS9h7MhkfbONS6cQJAdBEb5vloBDLcSQFDQO/VZ9SKFHCmHLXluhhIizYK
    Gzgf3OXEGNDSAC3qy+ZTnLd3N5iYrVbK52UoiLOLhhNMqA==
    -----END RSA PRIVATE KEY-----```
  3. 生成公钥

    在bin目录下,执行以下命令:
    openssl rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pem

    会在bin目录下看到新生成的公钥文件rsa_public_key.pem,文件内容如下:

y9PQ7sGYKhIm9TvIdZiq5xzyaw8NOLzKZ1k486MePYG4tSuoaxSbwuPLwVUzYFvn
UZo7aWCIGKn16UWTM4nxc/+dwce+bhcKrlLbTWi8l580LTE7GxclTh8z7gHq59iv
haoGbK7FNxlUfB4TSQIDAQAB
-----END PUBLIC KEY-----`

客户端签名

1. java版签名实现

/**
     * rsa签名
     * 
     * @param content
     *            待签名的字符串
     * @param privateKey
     *            rsa私钥字符串
     * @param charset
     *            字符编码
     * @return 签名结果
     * @throws Exception
     *             签名失败则抛出异常     */
    public String rsaSign(String content, String privateKey, String charset) throws SignatureException {        try {
            PrivateKey priKey = getPrivateKeyFromPKCS8("RSA", new ByteArrayInputStream(privateKey.getBytes()));

            Signature signature = Signature.getInstance("SHA1WithRSA");
            signature.initSign(priKey);            if (StringUtils.isEmpty(charset)) {
                signature.update(content.getBytes());
            } else {
                signature.update(content.getBytes(charset));
            }            byte[] signed = signature.sign();            return new String(Base64.encodeBase64(signed));
        } catch (Exception e) {            throw new SignatureException("RSAcontent = " + content + "; charset = " + charset, e);
        }
    }    public PrivateKey getPrivateKeyFromPKCS8(String algorithm, InputStream ins) throws Exception {        if (ins == null || StringUtils.isEmpty(algorithm)) {            return null;
        }

        KeyFactory keyFactory = KeyFactory.getInstance(algorithm);        byte[] encodedKey = StreamUtil.readText(ins).getBytes();
        encodedKey = Base64.decodeBase64(encodedKey);        return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(encodedKey));
    }

注意:参数privateKey是Pem私钥文件中去除头(-----BEGIN RSA PRIVATE KEY-----)和尾(-----END RSA PRIVATE KEY-----)以及换行符后的字符串。

如果签名报以下错误:

java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : algid parse error, not a sequence

则说明rsa私钥的格式不是pksc8格式,需要使用以下命令转换一下:

openssl pkcs8 -topk8 -inform PEM -in rsa_private_key.pem -outform PEM -nocrypt

然后再提取去除头和尾以及换行符后字符串作为java版用的rsa私钥。

2. php签名实现

function sign($content, $rsaPrivateKeyPem) {        $priKey = file_get_contents($rsaPrivateKeyPem);        $res = openssl_get_privatekey($priKey);
        openssl_sign($content, $sign, $res);
        openssl_free_key($res);        $sign = base64_encode($sign);        return $sign;
    }

注意:$rsaPrivateKeyPem为pem私钥文件路径

服务端java验签

/**
     * rsa验签
     * 
     * @param content 被签名的内容
     * @param sign 签名后的结果
     * @param publicKey rsa公钥
     * @param charset 字符集
     * @return 验签结果
     * @throws SignatureException 验签失败,则抛异常     */
    boolean doCheck(String content, String sign, String publicKey, String charset) throws SignatureException {        try {
            PublicKey pubKey = getPublicKeyFromX509("RSA", new ByteArrayInputStream(publicKey.getBytes()));

            Signature signature = Signature.getInstance("SHA1WithRSA");
            signature.initVerify(pubKey);
            signature.update(getContentBytes(content, charset));            return signature.verify(Base64.decodeBase64(sign.getBytes()));
        } catch (Exception e) {            throw new SignatureException("RSA验证签名[content = " + content + "; charset = " + charset                                         + "; signature = " + sign + "]发生异常!", e);
        }
    }    private PublicKey getPublicKeyFromX509(String algorithm, InputStream ins) throws NoSuchAlgorithmException {        try {
            KeyFactory keyFactory = KeyFactory.getInstance(algorithm);

            StringWriter writer = new StringWriter();
            StreamUtil.io(new InputStreamReader(ins), writer);            byte[] encodedKey = writer.toString().getBytes();            // 先base64解码
            encodedKey = Base64.decodeBase64(encodedKey);            return keyFactory.generatePublic(new X509EncodedKeySpec(encodedKey));
        } catch (IOException ex) {            // 不可能发生
        } catch (InvalidKeySpecException ex) {            // 不可能发生        }        return null;
    }    private byte[] getContentBytes(String content, String charset) throws UnsupportedEncodingException {        if (StringUtil.isEmpty(charset)) {            return content.getBytes();
        }        return content.getBytes(charset);
    }

注意:参数publicKey是Pem公钥文件中去除头(-----BEGIN RSA PRIVATE KEY-----)和尾(-----END RSA PRIVATE KEY-----)以及换行符后的字符串。

原文地址:http://xw-z1985.iteye.com/blog/1837376

标签: rsa

添加新评论