我需要在Java中使用Sha1算法在Key Vault中实现一个标志,但是不支持,我该如何实现,我尝试使用bouncy castle进行de digest并使用带有RSNULL算法的密钥库客户端,但结果是nos正确。
String stringToSign = "holamund";
byte[] digestSha1Bytes = DigestUtils.sha1(stringToSign.getBytes());
keyOperationResult = keyVaultClient.sign("AZURE_URL_KEY", JsonWebKeySignatureAlgorithm.RSNULL, digestSha1Bytes);
生成的输出:IoGXIIIZ5ZyM2m7ozz / ET8UOWWTwmKeseJVvs9w9cPHz11wKFZ / ikGx2Sj4Adhcn32QCDBOSv / knaTvPyw + EXkVX / 3NrAmxuIUUGhQF4 / muu7Y2644IWuECXqp8o1iXL8mN7sCEB5sh0sNArK77dvfRk7A0unZR / 82wpFxMjxYYeh8k / CiFRHK / MWX6sZe + 1Rm6vDmkaodyRqR1LsusS0wzOiuVdTXNkyL55MaTs5cLpWIpbHU + H4YaAO1 + B + nFVkJeeDDGbjHvmMO1EO / KT7HSHReOukYR2mwKxklzCZA3DWRp3pSi9Rdirpoc / IvFIOcWcYK44xfx0UKVHDzhZ4w ==
输出预期:pHOyaoTuOTELmTbfgRPg12tJP0JdjQY1GsdMR63s8L8hMb4lsirmalxSVRm5D2ed2d6PMdMxvA + OjUW / Pxzx5R8M5b3SeIiXde5JloOKoOc2PbKIGJI5Sf7 + yCSowCSgTdxmwkTQdBCZWeRhw1hs5hNJW / uBkbImdF0RtR478JxePH9AYEHOFjanLlI5 / OHzduPS8Px9qzQIr / KYRWk32Z14dUGPctYeT5ttY7lYu4ksTeyCwea5booNaZAN8EnT41s564cCPR2ZdYirzcNnWlTQxD7innpuFWP + rvLZHLYp3y + iiYIU6eyJurDoTUHHzTp + mEQSD / IMtgE43FWb6w ==
我试图用不同的api来做消化,比如充气城堡,java原生等等,但是没有fins正确的约定来处理密钥保险库标志。
在Azure Key Vault中,RSNULL算法提供原始RSA签名。为了使用原始SHA1签名算法生成标准RSA签名,您必须首先将您的摘要包装到将要签名的ASN.1 DigestInfo结构中。以下示例显示:
import java.io.IOException;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.Signature;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.models.KeyBundle;
import com.microsoft.azure.keyvault.models.KeyOperationResult;
import com.microsoft.azure.keyvault.webkey.JsonWebKey;
import com.microsoft.azure.keyvault.webkey.JsonWebKeySignatureAlgorithm;
...
/**
* @param keyVaultClient An instance of Key Vault client.
* @param keyIdentifer The Key Identifier. This is the kid field of JsonWebKey structure.
* @param message The message to be signed.
*/
void sampleSHA1SignatureWithAzureKeyVault(KeyVaultClient keyVaultClient, String keyIdentifer, byte[] message) throws Throwable {
/////////////////////////////////////////
// Signs message using Azure Key Vault //
/////////////////////////////////////////
// Compute SHA1 hash:
MessageDigest md = MessageDigest.getInstance("SHA1");
md.update(message);
byte[] digest = md.digest();
// Convert SHA1 digest into ASN.1:
byte[] digestInfo = getDigestInfoForSHA1Digest(digest);
// Call Azure Key Vault to perform the signature using the server key.
// Note that we are passing the DigestInfo to RSNULL, instead of SHA1 digest.
KeyOperationResult result = keyVaultClient.sign(keyIdentifer, JsonWebKeySignatureAlgorithm.RSNULL, digestInfo);
byte[] signature = result.result();
/////////////////////////////////////////////////////////
// Verifies the signature locally, using java.security //
/////////////////////////////////////////////////////////
// Read the public key from Azure Key Vault
KeyBundle keyBundle = keyVaultClient.getKey(keyIdentifer);
// Initialize java.security instances with the Public Key and message.
KeyPair kp = keyBundle.key().toRSA(false);
Signature signImpl = Signature.getInstance("SHA1withRSA");
signImpl.initVerify(kp.getPublic());
signImpl.update(message);
// Verify the signature.
if (signImpl.verify(signature))
System.out.println("Signature was verified.");
else
System.out.println("Signature verification failed.");
}
byte[] getDigestInfoForSHA1Digest(byte[] digest) {
// Constructs an ASN.1 DigestInfo structure for the caller-specified SHA1 hash.
// ASN.1 data:
byte[] digestInfo = new byte[] { //
0x30, 0x21, // SEQUENCE DigestInfo (33 bytes) (13 of header + 20 of SHA1 digest)
0x30, 0x09, // SEQUENCE AlgorithmIdentifier (9 bytes)
0x06, 0x05, // OBJECT IDENTIFIER algorithm (5 bytes)
0x2b, 0x0e, 0x03, 0x02, 0x1a, // OID of SHA1 (1.3.14.3.2.26)
0x05, 0x00, // NUL algorithm parameters (05 00 is the DER encoding for NUL)
0x04, 0x14, // OCTET STRING digest (20 bytes)
00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 // SHA1, copied below
};
System.arraycopy(digest, 0, digestInfo, 15, digest.length);
return digestInfo;
}