对接第三方业务,对方使用私钥生成签名值,本地在验签的时候,发生异常
java.security.SignatureException: Signature length not correct: got 269 but was expecting 256
at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:211)
at java.security.Signature$Delegate.engineVerify(Signature.java:1394)
at java.security.Signature.verify(Signature.java:771)
at com.dcits.openapi.utils.DcRSA.rsa256Check(DcRSA.java:89)
at com.dcits.openapi.utils.DcRSA.checkV2(DcRSA.java:252)
网上很多人说是证书错误,发现并不是。
protected boolean engineVerify(byte[] var1) throws SignatureException {
if (this.publicKey == null) {
throw new SignatureException("Missing public key");
} else if (var1.length != RSACore.getByteLength(this.publicKey)) {
throw new SignatureException("Signature length not correct: got " + var1.length + " but was expecting " + RSACore.getByteLength(this.publicKey));
} else {
byte[] var2 = this.getDigestValue();
try {
byte[] var3 = RSACore.rsa(var1, this.publicKey);
byte[] var4 = this.padding.unpad(var3);
byte[] var5 = decodeSignature(this.digestOID, var4);
return MessageDigest.isEqual(var2, var5);
} catch (BadPaddingException var6) {
return false;
} catch (IOException var7) {
throw new SignatureException("Signature encoding error", var7);
}
}
}
注意是期望长度不正确。得到269,但期望256
对方的签名值里面包含了很多 %3d %3f ,表示对方生成签名值时做过encode,但是本地接收到之后,没有做任何处理才导致的。
解决方案:
URLDecoder.decode(sign);