java - ECDSA 签名 Java vs Go

Question

我正在尝试学习一些围棋和区 block 链……从 ECDSA 签名开始。为了弄清楚如何测试我是否有一个正确工作的 ECDSA 签名的 Go 实现，我想我会尝试在 Java 中创建一个类似的版本并比较结果，看看我是否能让它们匹配。

所以 Java 尝试:

public static void main(String[] args) throws Exception {
    //the keys below are previously generated with "generateKey();" and base64 encoded
    generateKey();
    String privStr = "MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCAQ7bMVIcWr9NpSD3hPkns5C0qET87UvyY5WI6UML2p0Q==";
    String pubStr = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAES8VdACZT/9u1NmaiQk0KIjEXxiaxms74nu/ps6bP0OvYMIlTdIWWU2s35LEKsNJH9u5QM2ocX53BPjwbsENXJw==";
    PrivateKey privateKey = base64ToPrivateKey(privStr);
    PublicKey publicKey = base64ToPublicKey(pubStr);
    String str = "This is string to sign";
    byte[] signature = signMsg(str, privateKey);
    boolean ok = verifySignature(publicKey, str, signature);
    System.out.println("signature ok:" + ok);
    String privHex = getPrivateKeyAsHex(privateKey);
}

public static byte[] signMsg(String msg, PrivateKey priv) throws Exception {
    Signature ecdsa = Signature.getInstance("SHA1withECDSA");

    ecdsa.initSign(priv);

    byte[] strByte = msg.getBytes("UTF-8");
    ecdsa.update(strByte);

    byte[] realSig = ecdsa.sign();
    //the printed signature from here is what is used in the Go version (hex string)
    System.out.println("Signature: " + new BigInteger(1, realSig).toString(16));
    return realSig;
}

//https://stackoverflow.com/questions/30175149/error-when-verifying-ecdsa-signature-in-java-with-bouncycastle

private static boolean verifySignature(PublicKey pubKey, String msg, byte[] signature) throws Exception {
    byte[] message = msg.getBytes("UTF-8");
    Signature ecdsa = Signature.getInstance("SHA1withECDSA");
    ecdsa.initVerify(pubKey);
    ecdsa.update(message);
    return ecdsa.verify(signature);
}

public static String generateKey() throws Exception {
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
    SecureRandom random = SecureRandom.getInstance("SHA1PRNG");

    keyGen.initialize(256, random); //256 bit key size

    KeyPair pair = keyGen.generateKeyPair();
    PrivateKey priv = pair.getPrivate();
    ECPrivateKey ePriv = (ECPrivateKey) priv;
    PublicKey pub = pair.getPublic();

    //https://stackoverflow.com/questions/5355466/converting-secret-key-into-a-string-and-vice-versa
    String encodedPrivateKey = Base64.getEncoder().encodeToString(priv.getEncoded());
    byte[] pubEncoded = pub.getEncoded();
    String encodedPublicKey = Base64.getEncoder().encodeToString(pubEncoded);
    System.out.println(encodedPrivateKey);
    System.out.println(encodedPublicKey);
    return encodedPrivateKey;
}

public static PrivateKey base64ToPrivateKey(String encodedKey) throws Exception {
    byte[] decodedKey = Base64.getDecoder().decode(encodedKey);
    return bytesToPrivateKey(decodedKey);
}

public static PrivateKey bytesToPrivateKey(byte[] pkcs8key) throws GeneralSecurityException {
    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(pkcs8key);
    KeyFactory factory = KeyFactory.getInstance("EC");
    PrivateKey privateKey = factory.generatePrivate(spec);
    return privateKey;
}

public static PublicKey base64ToPublicKey(String encodedKey) throws Exception {
    byte[] decodedKey = Base64.getDecoder().decode(encodedKey);
    return bytesToPublicKey(decodedKey);
}

public static PublicKey bytesToPublicKey(byte[] x509key) throws GeneralSecurityException {
    X509EncodedKeySpec spec = new X509EncodedKeySpec(x509key);
    KeyFactory factory = KeyFactory.getInstance("EC");
    PublicKey publicKey = factory.generatePublic(spec);
    return publicKey;
}

//https://stackoverflow.com/questions/40552688/generating-a-ecdsa-private-key-in-bouncy-castle-returns-a-public-key
private static String getPrivateKeyAsHex(PrivateKey privateKey) {
    ECPrivateKey ecPrivateKey = (ECPrivateKey) privateKey;
    byte[] privateKeyBytes = ecPrivateKey.getS().toByteArray();
    System.out.println("S:"+ecPrivateKey.getS());

    String hex = bytesToHex(privateKeyBytes);

    System.out.println("Private key bytes: " + Arrays.toString(privateKeyBytes));
    System.out.println("Private key hex: " + hex);

    return hex;
}

private final static char[] hexArray = "0123456789ABCDEF".toCharArray();

public static String bytesToHex(byte[] bytes) {
    char[] hexChars = new char[bytes.length * 2];
    for (int j = 0 ; j < bytes.length ; j++) {
        int v = bytes[j] & 0xFF;
        hexChars[j * 2] = hexArray[v >>> 4];
        hexChars[j * 2 + 1] = hexArray[v & 0x0F];
    }
    return new String(hexChars);
}

用 Java 进行签名和验证工作得很好。当然易于配置，因为它们都是相同的库、参数和所有内容。

为了在 Go 中验证相同的签名，我尝试了:

func TestSigning(t *testing.T) {
    privKey := hexToPrivateKey("10EDB31521C5ABF4DA520F784F927B390B4A844FCED4BF2639588E9430BDA9D1")
    pubKey := privKey.Public()
    sig := "3045022071f06054f450f808aa53294d34f76afd288a23749628cc58add828e8b8f2b742022100f82dcb51cc63b29f4f8b0b838c6546be228ba11a7c23dc102c6d9dcba11a8ff2"
    sigHex, _ := hex.DecodeString(sig)
    ePubKey := pubKey.(*ecdsa.PublicKey)
    ok := verifyMySig(ePubKey, "This is string to sign", sigHex)
    println(ok)
}

func verifyMySig(pub *ecdsa.PublicKey, msg string, sig []byte) bool {
    r := new(big.Int).SetBytes(sig[:len(sig)/2])
    s := new(big.Int).SetBytes(sig[len(sig)/2:])
    return ecdsa.Verify(pub, []byte(msg), r, s)
}

func hexToPrivateKey(hexStr string)  *ecdsa.PrivateKey {
    bytes, _ := hex.DecodeString(hexStr)

    k := new(big.Int)
    k.SetBytes(bytes)
    println("k:")
    fmt.Println(k.String())

    priv := new(ecdsa.PrivateKey)
    curve := elliptic.P256()
    priv.PublicKey.Curve = curve
    priv.D = k
    priv.PublicKey.X, priv.PublicKey.Y = curve.ScalarBaseMult(k.Bytes())

    return priv
}

最初，我尝试将 Java 中的私钥导出为 base64 编码的字符串，然后将其导入到 Go 中。但是我不知道如何让 Go 以 Java 存储的格式加载 key if (X509EncodedKeySpec)。因此，我尝试通过这种方式仅复制私钥的大整数，并从中生成公钥。如果我让它工作，然后尝试只复制公钥..

无论如何，Go 代码无法验证签名。它总是错误的。此外，我无法从“SHA1withECDSA”部分弄清楚将 SHA 函数放在 Go 中的什么位置。

我确信我在这里遗漏了一些基本概念。如何正确执行此操作？

Answer 1

设法让它发挥作用。所以只是为了我自己和任何感兴趣的人记录它..

正如评论中所指出的，Java 的签名采用 ASN1 格式。在这里找到了一个很好的格式描述:https://crypto.stackexchange.com/questions/1795/how-can-i-convert-a-der-ecdsa-signature-to-asn-1 .

我还在 https://github.com/gtank/cryptopasta 找到了一些关于如何在 Go 中使用 ECDSA 执行 SHAxx 的好例子。 (sign.go 和 sign_test.go)。只需要在ECDSA代码之前运行相关的SHA函数即可。

在 http://codrspace.com/supcik/golang-jwt-ecdsa/ 找到了从 Go 中的参数构建公钥的示例代码.

我把相关代码贴在下面，如果有人发现问题，请告诉我..

相关Java代码:

public static PublicKey bytesToPublicKey(byte[] x509key) throws GeneralSecurityException {
    X509EncodedKeySpec spec = new X509EncodedKeySpec(x509key);
    KeyFactory factory = KeyFactory.getInstance("EC");
    ECPublicKey publicKey = (ECPublicKey) factory.generatePublic(spec);
    //We should be able to use these X and Y in Go to build the public key
    BigInteger x = publicKey.getW().getAffineX();
    BigInteger y = publicKey.getW().getAffineY();
    System.out.println(publicKey.toString());
    return publicKey;
}

//we can either use the Java standard signature ANS1 format output, or just take the R and S parameters from it, and pass those to Go
//https://stackoverflow.com/questions/48783809/ecdsa-sign-with-bouncycastle-and-verify-with-crypto
public static BigInteger extractR(byte[] signature) throws Exception {
    int startR = (signature[1] & 0x80) != 0 ? 3 : 2;
    int lengthR = signature[startR + 1];
    return new BigInteger(Arrays.copyOfRange(signature, startR + 2, startR + 2 + lengthR));
}

public static BigInteger extractS(byte[] signature) throws Exception {
    int startR = (signature[1] & 0x80) != 0 ? 3 : 2;
    int lengthR = signature[startR + 1];
    int startS = startR + 2 + lengthR;
    int lengthS = signature[startS + 1];
    return new BigInteger(Arrays.copyOfRange(signature, startS + 2, startS + 2 + lengthS));
}

public static byte[] signMsg(String msg, PrivateKey priv) throws Exception {
    Signature ecdsa = Signature.getInstance("SHA1withECDSA");

    ecdsa.initSign(priv);

    byte[] strByte = msg.getBytes("UTF-8");
    ecdsa.update(strByte);

    byte[] realSig = ecdsa.sign();

    //this is the R and S we could also pass as the signature
    System.out.println("R: "+extractR(realSig));
    System.out.println("S: "+extractS(realSig));

    return realSig;
}

相关Go代码:

func verifyMySig(pub *ecdsa.PublicKey, msg string, sig []byte) bool {
    //https://github.com/gtank/cryptopasta
    digest := sha1.Sum([]byte(msg))

    var esig ecdsaSignature
    asn1.Unmarshal(sig, &esig)
    //above is ASN1 decoding from the Java format. Alternatively, we can just transfer R and S parameters and set those
    //  esig.R.SetString("89498588918986623250776516710529930937349633484023489594523498325650057801271", 0)
    //  esig.S.SetString("67852785826834317523806560409094108489491289922250506276160316152060290646810", 0)
    fmt.Printf("R: %d , S: %d", esig.R, esig.S)
    println()
    return ecdsa.Verify(pub, digest[:], esig.R, esig.S)
}

func hexToPrivateKey(hexStr string)  *ecdsa.PrivateKey {
    bytes, err := hex.DecodeString(hexStr)
    print(err)

    k := new(big.Int)
    k.SetBytes(bytes)
    println("k:")
    fmt.Println(k.String())

    priv := new(ecdsa.PrivateKey)
    curve := elliptic.P256()
    priv.PublicKey.Curve = curve
    priv.D = k
    priv.PublicKey.X, priv.PublicKey.Y = curve.ScalarBaseMult(k.Bytes())
    //we can check these against the Java implementation to see if it matches to know key was transferred OK
    fmt.Printf("X: %d, Y: %d", priv.PublicKey.X, priv.PublicKey.Y)
    println()

    return priv
}