java - 在 iOS/Swift 中创建并导出为 base64 的 RSA 公钥在 Java 中无法识别

Question

TL;DR:无法识别在 iOS 中生成并存储在钥匙串(keychain)中、导出为 base64 并发送到 java 后端的 RSA 公钥。

我正在 iOS 应用程序中实现聊天加密功能，我正在使用对称 + 非对称 key 来处理它。

无需过多赘述，在后端，我使用用户的公钥来加密用于加密和解密消息的对称 key 。

我创建了两个框架，分别用 Swift 和 Java(后端)来处理 key 生成、加密、解密等。我也对它们进行了测试，所以我 100% 一切都按预期工作。

但是，后端似乎无法识别从 iOS 传来的公钥格式。双方都使用 RSA，这是我在 Swift 中用来生成 key 的代码:

// private key parameters
static let privateKeyParams: [String : Any] = [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: "..." // I have a proper unique tag here
]

// public  key parameters
static let publicKeyParams: [String : Any] = [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: "..." // I have a proper unique tag here
]

// global parameters for our key generation
static let keyCreationParameters: [String : Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
        kSecAttrKeySizeInBits as String: 2048,
        kSecPublicKeyAttrs as String: publicKeyParams,
        kSecPrivateKeyAttrs as String: privateKeyParams
]

...

var publicKey, privateKey: SecKey?
let status = SecKeyGeneratePair(Constants.keyCreationParameters as CFDictionary, &publicKey, &privateKey)

我使用镜面反射代码从钥匙串(keychain)中读取 key 。

这是我用来将公钥导出为 base64 字符串的一段代码:

extension SecKey {
  func asBase64() throws -> String {
    var dataPtr: CFTypeRef?
    let query: [String:Any] = [
      kSecClass as String: kSecClassKey,
      kSecAttrApplicationTag as String: "...", // Same unique tag here
      kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
      kSecReturnData as String: kCFBooleanTrue
    ]
    let result = SecItemCopyMatching(query as CFDictionary, &dataPtr)

    switch (result, dataPtr) {
    case (errSecSuccess, .some(let data)):
      // convert to Base64 string
      let base64PublicKey = data.base64EncodedString(options: [])
      return base64PublicKey
    default:
      throw CryptoError.keyConversionError
    }
  }
}

在后端级别，我使用此 Java 代码将 base64 字符串转换为公钥:

public PublicKey publicKeyFrom(String data) throws NoSuchAlgorithmException, InvalidKeySpecException {
    byte[] publicBytes = Base64.decodeBase64(data);
    X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicBytes);
    KeyFactory keyFactory = KeyFactory.getInstance("RSA");
    return keyFactory.generatePublic(keySpec);
}

但这在最后一行失败了，除了这个异常(exception):

java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException: algid parse error, not a sequence

在进行一些手动调试时，我注意到公钥的格式不同 - 当我在 iOS 中生成 key 然后导出为 base 64 时，它看起来像这样:

MIIBCgKCAQEA4M/bRDdH0f6qFIXxOg13RHka+g4Yv8u9PpPp1IR6pSwrM1aq8B6cyKRwnLe/MOkvODvDfJzvGXGQ01zSTxYWAW1B4uc/NCEemCmZqMosSB/VUJdNxxWtt2hJxpz06hAawqV+6HmweAB2dUn9tDEsQLsNHdwYouOKpyRZGimcF9qRFn1RjR0Q54sUh1tQAj/EwmgY2S2bI5TqtZnZw7X7Waji7wWi6Gz88IkuzLAzB9VBNDeV1cfJFiWsZ/MIixSvhpW3dMNCrJShvBouIG8nS+vykBlbFVRGy3gJr8+OcmIq5vuHVhqrWwHNOs+WR87K/qTFO/CB7MiyiIV1b1x5DQIDAQAB

总共 360 个字符，而在 Java 中做同样的事情(仍然使用 RSA)就像:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAAnWO4BXUGP0qM3Op36YXkWNxb4I2pPZuZ7jJtfUO7v+IO1mq43WzNaxLqqLPkTnMrv2ACRDK55vin+leQlL1z0LzVxjtZ9F6pajQo1r7PqBlL5N8bzBFKpagEf0QfyHPw0/0kG9DMnvQ+Im881QyN2zdl33wp5Fi+jRT7cunFQIDAQAB

长度为 216 个字符。

我无法弄清楚出了什么问题 - 显然，如果 iOS 以不同的 key 处理 key ，并且需要特殊处理才能与其他人交谈，我不会感到惊讶。

有什么想法吗？

Answer 1

在将 iOS 应用程序连接到 Java 后端时，我们遇到了完全相同的问题。和 CryptoExportImportManager pedrofb 提到的也帮助了我们，这太棒了。但是，CryptoExportImportManager 类中的代码有点复杂，可能难以维护。这是因为在向 DER 编码添加新组件时使用了自上而下的方法。因此，长度字段包含的数字必须提前计算(即在定义长度适用的内容之前)。因此，我创建了一个新类，我们现在使用它来转换 RSA 公钥的 DER 编码:

class RSAKeyEncoding: NSObject {

  // ASN.1 identifiers
  private let bitStringIdentifier: UInt8 = 0x03
  private let sequenceIdentifier: UInt8 = 0x30

  // ASN.1 AlgorithmIdentfier for RSA encryption: OID 1 2 840 113549 1 1 1 and NULL
  private let algorithmIdentifierForRSAEncryption: [UInt8] = [0x30, 0x0d, 0x06,
    0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00]

  /// Converts the DER encoding of an RSA public key that is either fetched from the
  /// keychain (e.g. by using `SecItemCopyMatching(_:_:)`) or retrieved in another way
  /// (e.g. by using `SecKeyCopyExternalRepresentation(_:_:)`), to a format typically
  /// used by tools and programming languages outside the Apple ecosystem (such as
  /// OpenSSL, Java, PHP and Perl). The DER encoding of an RSA public key created by
  /// iOS is represented with the ASN.1 RSAPublicKey type as defined by PKCS #1.
  /// However, many systems outside the Apple ecosystem expect the DER encoding of a
  /// key to be represented with the ASN.1 SubjectPublicKeyInfo type as defined by
  /// X.509. The two types are related in a way that if the SubjectPublicKeyInfo’s
  /// algorithm field contains the rsaEncryption object identifier as defined by
  /// PKCS #1, the subjectPublicKey field shall contain the DER encoding of an
  /// RSAPublicKey type.
  ///
  /// - Parameter rsaPublicKeyData: A data object containing the DER encoding of an
  ///     RSA public key, which is represented with the ASN.1 RSAPublicKey type.
  /// - Returns: A data object containing the DER encoding of an RSA public key, which
  ///     is represented with the ASN.1 SubjectPublicKeyInfo type.
  func convertToX509EncodedKey(_ rsaPublicKeyData: Data) -> Data {
    var derEncodedKeyBytes = [UInt8](rsaPublicKeyData)

    // Insert ASN.1 BIT STRING bytes at the beginning of the array
    derEncodedKeyBytes.insert(0x00, at: 0)
    derEncodedKeyBytes.insert(contentsOf: lengthField(of: derEncodedKeyBytes), at: 0)
    derEncodedKeyBytes.insert(bitStringIdentifier, at: 0)

    // Insert ASN.1 AlgorithmIdentifier bytes at the beginning of the array
    derEncodedKeyBytes.insert(contentsOf: algorithmIdentifierForRSAEncryption, at: 0)

    // Insert ASN.1 SEQUENCE bytes at the beginning of the array
    derEncodedKeyBytes.insert(contentsOf: lengthField(of: derEncodedKeyBytes), at: 0)
    derEncodedKeyBytes.insert(sequenceIdentifier, at: 0)

    return Data(derEncodedKeyBytes)
  }

  private func lengthField(of valueField: [UInt8]) -> [UInt8] {
    var length = valueField.count

    if length < 128 {
      return [ UInt8(length) ]
    }

    // Number of bytes needed to encode the length
    let lengthBytesCount = Int((log2(Double(length)) / 8) + 1)

    // First byte encodes the number of remaining bytes in this field
    let firstLengthFieldByte = UInt8(128 + lengthBytesCount)

    var lengthField: [UInt8] = []
    for _ in 0..<lengthBytesCount {
      // Take the last 8 bits of length
      let lengthByte = UInt8(length & 0xff)
      // Insert them at the beginning of the array
      lengthField.insert(lengthByte, at: 0)
      // Delete the last 8 bits of length
      length = length >> 8
    }

    // Insert firstLengthFieldByte at the beginning of the array
    lengthField.insert(firstLengthFieldByte, at: 0)

    return lengthField
  }
}

用法

您可以像这样在函数 asBase64() 中使用此类:

extension SecKey {
  func asBase64() throws -> String {
    var dataPtr: CFTypeRef?
    let query: [String:Any] = [
      kSecClass as String: kSecClassKey,
      kSecAttrApplicationTag as String: "...", // Same unique tag here
      kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
      kSecReturnData as String: kCFBooleanTrue
    ]
    let result = SecItemCopyMatching(query as CFDictionary, &dataPtr)

    switch (result, dataPtr) {
    case (errSecSuccess, .some(let data)):

      // convert to X509 encoded key
      let convertedData = RSAKeyEncoding().convertToX509EncodedKey(data)

      // convert to Base64 string
      let base64PublicKey = convertedData.base64EncodedString(options: [])
      return base64PublicKey
    default:
      throw CryptoError.keyConversionError
    }
  }
}

更新 - 其他问题

在使用上面的类一段时间后，我们偶然发现了另一个问题。有时，从钥匙串(keychain)中获取的公钥似乎无效，因为由于某种原因，它的大小增加了。此行为与问题中描述的发现相匹配(尽管在我们的示例中，Base64 编码 key 的大小已增长到 392 个字符而不是 360 个字符)。不幸的是，我们没有找到这种奇怪行为的确切原因，但我们找到了两种解决方案。第一种解决方案是在定义查询时指定 kSecAttrKeySizeInBits 和 kSecAttrEffectiveKeySize，如以下代码片段所示:

let keySize = ... // Key size specified when storing the key, for example: 2048

let query: [String: Any] = [
    kSecAttrKeySizeInBits as String: keySize,
    kSecAttrEffectiveKeySize as String: keySize,
    ... // More attributes
]

var dataPtr: CFTypeRef?

let result = SecItemCopyMatching(query as CFDictionary, &dataPtr)

第二种解决方案是在添加具有相同标签的新 key 之前始终从钥匙串(keychain)(如果有的话)中删除旧 key 。

更新 - 替代解决方案

我发布了 this project在 GitHub 上，可以用作上述类的替代品。

引用资料

A Layman’s Guide to a Subset of ASN.1, BER, and DER

RFC 5280 (X.509 v3)

RFC 8017 (PKCS #1 v2.2)

我找到的一些代码 here在创建 lengthField(...) 函数时启发了我。