gpt4 book ai didi

java - 如何使用 pkcs11 包装器 ECDSA key 签署 CSR

转载 作者:行者123 更新时间:2023-11-30 05:40:38 25 4
gpt4 key购买 nike

我想在 pkcs11 USB token 中生成 ECDSA key 对。之后想用私钥签署CSR,但遇到异常“无效签名”。

Mechanism keyPairGenerationMechanism = Mechanism.get(PKCS11Constants.CKM_EC_KEY_PAIR_GEN);
ECDSAPrivateKey ecdsaPrivateKeyTemplate = new ECDSAPrivateKey();
ecdsaPrivateKeyTemplate.getLabel().setCharArrayValue(keyAlias.toCharArray());
ecdsaPrivateKeyTemplate.getId().setByteArrayValue(keyAlias.getBytes());
ecdsaPrivateKeyTemplate.getSign().setBooleanValue(Boolean.TRUE);
ecdsaPrivateKeyTemplate.getDecrypt().setBooleanValue(Boolean.TRUE);
ecdsaPrivateKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);
ecdsaPrivateKeyTemplate.getPrivate().setBooleanValue(Boolean.TRUE);
ecdsaPrivateKeyTemplate.getSensitive().setBooleanValue(Boolean.TRUE);
ecdsaPrivateKeyTemplate.getExtractable().setBooleanValue(Boolean.FALSE);
ecdsaPrivateKeyTemplate.getKeyType().setLongValue(PKCS11Constants.CKK_EC); ECDSAPublicKey ecdsaPublicKeyTemplate = new ECDSAPublicKey(); ecdsaPublicKeyTemplate.getLabel().setCharArrayValue(keyAlias.toCharArray());
ecdsaPublicKeyTemplate.getId().setByteArrayValue(keyAlias.getBytes());
ecdsaPublicKeyTemplate.getEncrypt().setBooleanValue(Boolean.TRUE);
ecdsaPublicKeyTemplate.getPrivate().setBooleanValue(Boolean.FALSE);
ecdsaPublicKeyTemplate.getVerify().setBooleanValue(Boolean.TRUE);
ecdsaPublicKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);

ecdsaPublicKeyTemplate.getKeyType().setLongValue(PKCS11Constants.CKK_EC);
ecdsaPublicKeyTemplate.getModifiable().setBooleanValue(Boolean.TRUE);

ASN1ObjectIdentifier curveId = getCurveId((getEcdsaParamsOID(256)));
X962Parameters x962 = new X962Parameters(curveId);
byte[] paramsBytes = x962.getEncoded();
ecdsaPublicKeyTemplate.getEcdsaParams().setByteArrayValue(paramsBytes);
KeyPair generatedKeyPair = m_objSession.generateKeyPair(keyPairGenerationMechanism,ecdsaPublicKeyTemplate, ecdsaPrivateKeyTemplate);


ECDSAPublicKey publicKey = (ECDSAPublicKey) generatedKeyPair.getPublicKey();

ECDSAPrivateKey privateKey = (ECDSAPrivateKey) generatedKeyPair.getPrivateKey();
byte[] pubPoint = publicKey.getEcPoint().getByteArrayValue();
DEROctetString os = (DEROctetString) DEROctetString.fromByteArray(pubPoint);
AlgorithmIdentifier keyAlgID = new AlgorithmIdentifier(
X9ObjectIdentifiers.id_ecPublicKey, curveId);
SubjectPublicKeyInfo pkInfo = new SubjectPublicKeyInfo(keyAlgID, os.getOctets());
<小时/>

从评论中签名代码:

ECDSAPrivateKey signatureKey = this.getECDSAPrivateKey(a_strKeyId,m_objSession);

MessageDigest digestEngine = MessageDigest.getInstance("SHA-256");
digestEngine.update(bUnsignedData);
byte[] digest = digestEngine.digest();

Mechanism signatureMechanism = Mechanism.get(PKCS11Constants.CKM_ECDSA);
m_objSession.signInit(signatureMechanism, signatureKey);

DigestInfo digestInfoEngine = new DigestInfo(a_objAlgorithmIdentifier, digest);
byte[] digestInfo = digestInfoEngine.getEncoded();

byte[] signatureValue = m_objSession.sign(digestInfo);

最佳答案

对于 ECDSA,您不需要 DigestInfo,摘要值(以字节为单位)直接签名。 RSA 可能需要 DigestInfo

关于java - 如何使用 pkcs11 包装器 ECDSA key 签署 CSR,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55728760/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com