问题描述
我已经创建了一些要加密的数据,以确保不能修改该数据。我使用elliptic创建了数据然后签名。然后,我修改数据。当我使用生成的签名验证数据完整性时,它返回true。
我对使用elliptic感到困惑吗?
代码如下:
const EC = require("elliptic").ec
const ec = new EC("secp256k1")
class Wallet {
constructor(data,pubKey) {
this.keyPair = ec.genKeyPair();
if (typeof (pubKey) !== "undefined")
this.publicKey = pubKey
else
this.publicKey = this.keyPair.getPublic().encode("hex")
this.data = data
this.creationDate = Date.Now()
}
toString() {
console.log("public key: " + this.publicKey)
}
sign() {
let raw = this.publicKey + this.data + this.creationDate;
console.log("signing data: " + raw)
return this.keyPair.sign(raw)
}
static verify(wallet,signature) {
let raw = wallet.publicKey + wallet.data + wallet.creationDate;
console.log("verifying data: " + raw)
return ec.keyFrompublic(wallet.publicKey,"hex").verify(raw,signature)
}
}
module.exports = Wallet
索引文件:
const Wallet = require("./Wallet")
let wallet = new Wallet("hello");
wallet.toString()
let signature = wallet.sign()
console.log("\n\nSignature: "+JSON.stringify(signature)+"\n\n")
wallet.data = "world"
console.log("wallet data: "+ wallet.data)
console.log("Verify: "+ (Wallet.verify(wallet,signature)))
console.log("\n\n---------------Another wallet hacking-------------\n\n")
let wallet2 = new Wallet("bar",wallet.publicKey);
wallet2.toString()
let signature2 = wallet2.sign()
console.log("\n\nSignature: "+JSON.stringify(signature)+"\n\n")
console.log("wallet data: "+ wallet2.data)
console.log("Verify: "+ (Wallet.verify(wallet2,signature)))
输出:
public key: 045f349291f48e979d5895dedd523ceadf5f60b8b7e87706565f45d73561b1ba4e836ff6d7f27283cb0fece3a7b08abf37db995eae49666314f5b01954e21958fc
signing data: 045f349291f48e979d5895dedd523ceadf5f60b8b7e87706565f45d73561b1ba4e836ff6d7f27283cb0fece3a7b08abf37db995eae49666314f5b01954e21958fchello1604430087928
Signature: {"r":"9ed97af6f4f3becdfa910c91d4865b9c8d9a317ac47b4b7edbd5d4873ca3b3c3","s":"46e76b801de77ee596a7726b08b1db0cdbd9a6b0404bee7c49be0fccee85e99f","recoveryParam":0}
wallet data: world
verifying data: 045f349291f48e979d5895dedd523ceadf5f60b8b7e87706565f45d73561b1ba4e836ff6d7f27283cb0fece3a7b08abf37db995eae49666314f5b01954e21958fcworld1604430087928
Verify: true
---------------Another wallet hacking-------------
public key: 045f349291f48e979d5895dedd523ceadf5f60b8b7e87706565f45d73561b1ba4e836ff6d7f27283cb0fece3a7b08abf37db995eae49666314f5b01954e21958fc
signing data: 045f349291f48e979d5895dedd523ceadf5f60b8b7e87706565f45d73561b1ba4e836ff6d7f27283cb0fece3a7b08abf37db995eae49666314f5b01954e21958fcbar1604430087974
Signature: {"r":"9ed97af6f4f3becdfa910c91d4865b9c8d9a317ac47b4b7edbd5d4873ca3b3c3","recoveryParam":0}
wallet data: bar
verifying data: 045f349291f48e979d5895dedd523ceadf5f60b8b7e87706565f45d73561b1ba4e836ff6d7f27283cb0fece3a7b08abf37db995eae49666314f5b01954e21958fcbar1604430087974
Verify: true
解决方法
感谢@Topaco的回答。我了解elliptic不会签署任何形式的内容。我还将该字符串错误地转换为array和elliptic的内容,仍然错误地转换为sign和verify。
考虑了
["0","4","3","7","d","0","6","2","a","9","5","f","e","b","8","1","c","h","l","o","8"]
与
相同 ["0","w","r","8"]
第一个包含hello,第二个包含world。
我通过将sha256编码的字符串传递到sign和verify来解决它。
我安装了软件包crypto-js,然后对字符串进行了编码:
const Sha256 = require("crypto-js/sha256")
// Signing
const encContent = Sha256(raw).toString()
this.keyPair.sign(encContent )
// Verifying
const encContent = Sha256(raw).toString()
ec.keyFromPublic(wallet.publicKey,"hex").verify(encContent,signature)