带有 C# 和 Bouncy Castle 的 ECDSA 签名与 MS ECDsa 签名不匹配

编程问答 2022-05-18

问题描述

我正在尝试通过 Xamarin.Forms 项目与 Apple Music API 通信。由于 Microsoft ECDsa 实现在 Xamarin.Android 和 Xamarin.iOS 上不可用,我正在尝试使用 Portable.BouncyCastle Nuget 包解决该限制。总体而言,该过程似乎按预期工作,但在尝试使用签名的开发人员令牌调用 Apple Music API 时,我总是收到 HTTP/2 401。

我有一个可用的 MS ECDsa 实现,我在 ASP.NET Core 项目中使用它与 Apple 推送通知服务进行通信,因此我编写了一个快速的小演示工具,可以在两种方法中生成密钥,结果:签名不匹配并且 MS ECDsa 变体确实有效,我从 Apple 获得了正确的 API 响应。

我在网上看了很多样本​​,但我看不出我到底做错了什么,所以也许这里有人可以指出我正确的方向。

充气城堡方法:

    public static AsymmetricCipherKeyPair GetKeys(string data)
    {
        var tag = $"{_className}.GetECDsa";
        try
        {
            byte[] byteArray = Encoding.ASCII.GetBytes(data);
            MemoryStream stream = new MemoryStream(byteArray);

            using (TextReader reader = new StreamReader(stream))
            {
                var ecPrivateKeyParameters =
                    (ECPrivateKeyParameters)new PemReader(reader).ReadObject();
                var q = ecPrivateKeyParameters.Parameters.G.Multiply(ecPrivateKeyParameters.D).Normalize();

                var ecPublicKeyParameters = new ECPublicKeyParameters(q,ecPrivateKeyParameters.Parameters);
                return new AsymmetricCipherKeyPair(ecPublicKeyParameters,ecPrivateKeyParameters);
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
        return null;
    }
    
    public static string CreateToken(AsymmetricCipherKeyPair keyPair,string p8privateKeyId,string teamId,DateTime date)
    {
        var tag = $"{_className}.CreateJwtToken";
        try
        {
            var header = JsonHelper.Serialize(new { alg = "ES256",kid = p8privateKeyId });
            var payload = JsonHelper.Serialize(new { iss = teamId,iat = ToEpoch(date),exp = ToEpoch(date.AddSeconds(15777000)) });

            var headerBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(header));
            var payloadBasae64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));
            var unsignedJwtData = $"{headerBase64}.{payloadBasae64}";
            var signature = GetSignature(unsignedJwtData,keyPair);

            return $"{unsignedJwtData}.{Convert.ToBase64String(signature)}";
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
        return null;
    }

    private static int ToEpoch(DateTime time)
    {
        var span = DateTime.UtcNow - new DateTime(1970,1,1);
        return Convert.ToInt32(span.TotalSeconds);
    }
    
    private static byte[] GetSignature(string plainText,AsymmetricCipherKeyPair key)
    {
        var encoder = new UTF8Encoding();
        var inputData = encoder.GetBytes(plainText);

        var signer = SignerUtilities.GetSigner("SHA-256withECDSA");
        signer.Init(true,key.Private);
        signer.BlockUpdate(inputData,inputData.Length);

        return signer.GenerateSignature();
    }

MS ECDsa 方法:

    public static string GetPrivateKey(string p8privateKey)
    {
        var tag = $"{_className}.GetPrivateKey";
        try
        {
            var dsa = GetECDsa(p8privateKey);
            var keyBytes = dsa.ExportPkcs8PrivateKey();
            return Convert.ToBase64String(keyBytes);
        }
        catch (Exception ex)
        {
           Console.WriteLine(ex.Message);
        }
        return null;
    }
    
    private static ECDsa GetECDsa(string p8privateKey)
    {
        var tag = $"{_className}.GetECDsa";
        try
        {
            byte[] byteArray = Encoding.ASCII.GetBytes(p8privateKey);
            MemoryStream stream = new MemoryStream(byteArray);

            using (TextReader reader = new StreamReader(stream))
            {
                var ecPrivateKeyParameters =
                    (ECPrivateKeyParameters)new PemReader(reader).ReadObject();
                var q = ecPrivateKeyParameters.Parameters.G.Multiply(ecPrivateKeyParameters.D).Normalize();

                return ECDsa.Create(new ECParameters
                {
                    Curve = ECCurve.CreateFromValue(ecPrivateKeyParameters.PublicKeyParamSet.Id),D = ecPrivateKeyParameters.D.ToByteArrayUnsigned(),Q =
                        {
                            X = q.XCoord.GetEncoded(),Y = q.YCoord.GetEncoded()
                        }
                });
            }
        }
        catch (Exception ex)
        {
           Console.WriteLine(ex.Message);
        }
        return null;
    }
    
    public static string CreateJwtToken(string p8privateKey,exp = ToEpoch(date.AddSeconds(15777000)) });

            using var dsa = ECDsa.Create("ECDsa");

            var keyBytes = Convert.FromBase64String(p8privateKey);
            dsa.ImportPkcs8PrivateKey(keyBytes,out _);

            var headerBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(header));
            var payloadBasae64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));
            var unsignedJwtData = $"{headerBase64}.{payloadBasae64}";
            var unsignedJwtBytes = Encoding.UTF8.GetBytes(unsignedJwtData);
            var signature = dsa.SignData(unsignedJwtBytes,unsignedJwtBytes.Length,HashAlgorithmName.SHA256);

            return $"{unsignedJwtData}.{Convert.ToBase64String(signature)}";
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
        return null;
    }

期待您的反馈。

解决方法

感谢 Topaco 的评论,我用 SHA-256withPLAIN-ECDSA 测试并解决了问题。签名并不相同,但 Apple Music API 接受签名的 JWT 令牌并正确响应。所以感谢 Topaco 指出这一点。

apple-musickitbouncycastlec#c#ecdsaxamarin

相关问答

matplotlib报错:AttributeError: module 'backend_interagg' has no attribute 'FigureCanvas'. Did you mean: 'FigureCanvasAgg'?
使用本地python环境可以成功执行 import pandas as pd impor...
gitlab登录失败,报错:This challenge page was accidentally cached by an intermediary and is no longer available.
设置时间 控制面板
后端开发常见错误
错误1:Request method ‘DELETE‘ not supported 错误还原:...
docker常见错误
错误1:启动docker镜像时报错:Error response from daemon:...
idea常见错误
错误1:private field ‘xxx‘ is never assigned 按Alt...
pip安装依赖失败
报错如下,通过源不能下载,最后警告pip需升级版本 Requirem...