使用SHA256WithRSA来签名和验签(.NET/C#)

RSACryptoServiceProvider does work with SHA2-based signatures, but you have to invest some effort into it.

When you use a certificate to get your RSACryptoServiceProvider it really matters what's the underlying CryptoAPI provider. By default, when you create a certificate with 'makecert', it's "RSA-FULL" which only supports SHA1 hashes for signature. You need the new "RSA-AES" one that supports SHA2.

So, you can create your certificate with an additional option: -sp "Microsoft Enhanced RSA and AES Cryptographic Provider" (or an equivalent -sy 24) and then your code would look like (in .NET 4.0):

var rsa = signerCertificate.PrivateKey as RSACryptoServiceProvider;
byte[] signature = rsa.SignData(data, CryptoConfig.CreateFromName("SHA256"));

 

If you are unable to change the way your certificate is issued, there is a semi-ligitimate workaround that is based on the fact that by default RSACryptoServiceProvider is created with support for SHA2. So, the following code would also work, but it is a bit uglier: (what this code does is it creates a new RSACryptoServiceProvider and imports the keys from the one we got from the certificate)

public string Sign(string contentForSign,string priKeyFile, string keyPwd)
{
    var rsa = GetPrivateKey(priKeyFile,keyPwd);
    // Create a new RSACryptoServiceProvider
    var rsaClear = new RSACryptoServiceProvider();
    // Export RSA parameters from 'rsa' and import them into 'rsaClear'
    var paras = rsa.ExportParameters(true);
    rsaClear.ImportParameters(paras);
    using (var sha256 = new SHA256CryptoServiceProvider())
    {
       var signData = rsa.SignData(Encoding.UTF8.GetBytes(contentForSign), sha256);
       return BytesToHex(signData);
    }
}

public bool VerifySign(string contentForSign, string signedData,pubKeyFile)
{
    var  rsa = GetPublicKey(pubKeyFile);

    using (var sha256 = new SHA256CryptoServiceProvider())
    {
       return rsa.VerifyData(Encoding.UTF8.GetBytes(contentForSign), sha256, HexToBytes(signedData));
    }   
}

/// <summary>
/// 获取签名证书私钥
/// </summary>
/// <param name="priKeyFile"></param>
/// <param name="keyPwd"></param>
/// <returns></returns>
private static RSACryptoServiceProvider GetPrivateKey(string priKeyFile, string keyPwd)
{
    var pc = new X509Certificate2(priKeyFile, keyPwd, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet);
    return (RSACryptoServiceProvider) pc.PrivateKey;
}

/// <summary>
/// 获取验签证书
/// </summary>
/// <param name="pubKeyFile"></param>
/// <returns></returns>
private static RSACryptoServiceProvider GetPublicKey(string pubKeyFile)
{
    var pc = new X509Certificate2(pubKeyFile);
    return (RSACryptoServiceProvider) pc.PublicKey.Key;
}
  public static byte[] HexToBytes(string text)
        {
            if (text.Length % 2 != 0)
                throw new ArgumentException("text 长度为奇数。");

            List<byte> lstRet = new List<byte>();
            for (int i = 0; i < text.Length; i = i + 2)
            {
                lstRet.Add(Convert.ToByte(text.Substring(i, 2), 16));
            }
            return lstRet.ToArray();
        }

        /// <summary>
        /// bytes转换hex
        /// </summary>
        /// <param name="data">bytes</param>
        /// <returns>转换后的hex字符串</returns>
        public static string BytesToHex(byte[] data)
        {
            StringBuilder sbRet = new StringBuilder(data.Length * 2);
            for (int i = 0; i < data.Length; i++)
            {
                sbRet.Append(Convert.ToString(data[i], 16).PadLeft(2, '0'));
            }
            return sbRet.ToString();
        }

 https://stackoverflow.com/questions/10673146/signature-with-sha256

posted @ 2018-02-02 14:29  FrankYou  阅读(25910)  评论(23编辑  收藏  举报