signature.verify() Always returns False

后端 未结 3 2099
一整个雨季
一整个雨季 2021-01-06 13:06
 public static void main(String[] args) {
    try{
        String mod = \"q0AwozeUj0VVkoksDQSCTj3QEgODomq4sAr02xMyIrWldZrNHhWfZAIcWt2MuAY3X6S3ZVUfOFXOrVbltRrO3F9Z6R8         


        
相关标签:
3条回答
  • 2021-01-06 13:52

    You were right, thanks Jack. The below method works perfectly (even with a key created in .NET)! I hope this helps others.

    public static void main(String[] args) {
        try{
            String userID = "189711";
            String companyCode = "ILIKEPIZZA";
            String combine = userID + "." + companyCode;
            String mod = "q0AwozeUj0VVkoksDQSCTj3QEgODomq4sAr02xMyIrWldZrNHhWfZAIcWt2MuAY3X6S3ZVUfOFXOrVbltRrO3F9Z6R8/jJIMv7wjkeVBFC5gncwGR0C3aV9gmF6II19jTKfF1sxb26iMEMAlMEOSnAAceNaJH91zBoaW7ZIh+qk=";
            String exp = "AQAB";
            byte[] modulusBytes = Base64.decodeBase64(mod.getBytes("UTF-8"));
            byte[] exponentBytes = Base64.decodeBase64(exp.getBytes("UTF-8"));
            String sign = "3753e672cfb21e3c182ef2df51f19edeffb63432ed338a47251326ccc14aa63883e910a140cf313754ebc6425aad434e309307cc882da6cd4a4f9f40bd14a9823aca145e5ffc97cd63dbb5925c049282416bdfd7d74ddeef7055065210a841793fe315dff5a44af19c1522daafdc2f7e61ce5a2b42ebf79dfb086e6d210168dd";
            BigInteger modulus = new BigInteger(1, modulusBytes );               
            BigInteger exponent = new BigInteger(1, exponentBytes);
            RSAPublicKeySpec rsaPubKey = new RSAPublicKeySpec(modulus, exponent);
            KeyFactory fact = KeyFactory.getInstance("RSA");
            PublicKey pubKey = fact.generatePublic(rsaPubKey);
            Signature signature = Signature.getInstance("SHA1withRSA");
            byte[] sigBytes = hexStringToByteArray(sign);
            signature.initVerify(pubKey);
            signature.update(combine.getBytes("UTF-8"));
            System.out.println(signature.verify(sigBytes));
        }catch(Exception e){
            System.out.println("Error: " + e.toString());
        }
    }
    
    0 讨论(0)
  • 2021-01-06 13:54

    I think the problem is that you are not actually giving it a message to verify.

    An RSA signature works by first hashing the message (that's the "SHA1" in "SHA1withRSA"), and then performing an trapdoor operation to it. This is an operation which is easy to do in one direction and hard in the other direction, unless you know some secret information (the RSA private key).

    To verify, you first invert the mathematical transformation (because it's easy in one direction), and then compare the hash that is embedded in the signature with the hash of the message you just computed. The signature does not in itself contain the message; to verify a signature you need both the signature and the message that was signed.

    At an API level, it looks like the Signature class is expecting you to call update with the contents of the message that this signature was for. Without this, it probably is comparing the hash with the hash of an empty string, so unless your originally signed message was also an empty string, the signature is in fact not valid.

    0 讨论(0)
  • 2021-01-06 13:59

    Where you sign the message you should have some code like this:

    Signature signature = Signature.getInstance("SHA1withRSA");
    signature.initSign(privKey);
    signature.update(message);
    byte[] signatureValue = signature.sign();
    

    Note the byte-array named signatureValue. That is the actual signature on the data. That is what you should provide to the verify()-method. The message that is signed should be provided in a call to the update()-method. I.e.:

    Signature signature = Signature.getInstance("SHA1withRSA");
    signature.initVerify(pubKey);
    signature.update(message);
    bool ok = signature.verify(signatureValue);
    
    0 讨论(0)
提交回复
热议问题