签名解密,内容验证

前面一个文章里面,我们把一个字符串进行hash计算,并且签名。

现在就需要在接收方来验证了。

CryptImportKey

首先,我们需要把发方发过来的公钥导入到CSP里面。我们这里假设pbKeyBlob就是收到的公钥信息(比如从证书里面获取)。

    if (CryptImportKey(
        hProv,
        pbKeyBlob,
        dwBlobLen,
        0,
        0,
        &hPubKey))
    {
        printf("The key has been imported.\n");
    }
    else
    {
        MyHandleError("Public key import failed.");
    }


CryptCreateHash,CrypteHashData

假设pbBuffer就是收到的内容,下面的代码就计算了一个hash值。

    //-------------------------------------------------------------------
    // Create a new hash object.

    if (CryptCreateHash(
        hProv,
        CALG_MD5,
        0,
        0,
        &hHash))
    {
        printf("The hash object has been recreated. \n");
    }
    else
    {
        MyHandleError("Error during CryptCreateHash.");
    }
    //-------------------------------------------------------------------
    // Compute the cryptographic hash of the buffer.

    if (CryptHashData(
        hHash,
        pbBuffer,
        dwBufferLen,
        0))
    {
        printf("The new hash has been created.\n");
    }
    else
    {
        MyHandleError("Error during CryptHashData.");
    }

现在就可以verify了。

CryptVerifySignature

这个API会把pbSignature用hPubKey解密并且和hHash进行比较。

    //-------------------------------------------------------------------
    // Validate the digital signature.

    if (CryptVerifySignature(
        hHash,
        pbSignature,
        dwSigLen,
        hPubKey,
        NULL,
        0))
    {
        printf("The signature has been verified.\n");
    }
    else
    {
        printf("Signature not validated!\n");
    }


就这样,我们可以把发方发过来的数据进行验证了。


附:完整代码

//--------------------------------------------------------------------
// Copyright (C) Microsoft.  All rights reserved.
// Example of signing a hash and 
// verifying the hash signature.
#pragma comment(lib, "crypt32.lib")

#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
#include <Wincrypt.h>
#define MY_ENCODING_TYPE  (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)
void MyHandleError(char *s);

void main(void)
{
    //-------------------------------------------------------------------
    // Declare and initialize variables.

    HCRYPTPROV hProv;
    BYTE *pbBuffer = (BYTE *)"The data that is to be hashed and signed.";
    DWORD dwBufferLen = strlen((char *)pbBuffer) + 1;
    HCRYPTHASH hHash;
    HCRYPTKEY hKey;
    HCRYPTKEY hPubKey;
    BYTE *pbKeyBlob;
    BYTE *pbSignature;
    DWORD dwSigLen;
    DWORD dwBlobLen;

    //-------------------------------------------------------------------
    // Acquire a cryptographic provider context handle.

    if (CryptAcquireContext(
        &hProv,
        L"MyContainer",
        NULL,
        PROV_RSA_FULL,
        0))
    {
        printf("CSP context acquired.\n");
    }
    else
    {
        if (GetLastError() == NTE_BAD_KEYSET)
        {
            if (!CryptAcquireContext(
                &hProv,
                L"MyContainer",
                NULL,
                PROV_RSA_FULL,
                CRYPT_NEWKEYSET))
            {
                MyHandleError("Error during CryptAcquireContext.");
            }

        }
        else
        {
            MyHandleError("Error during CryptAcquireContext.");
        }
    }


    HCRYPTPROV hCryptProv;
    BYTE       pbData[1000];       // 1000 will hold the longest 
    // key container name.
    DWORD cbData;

    //-------------------------------------------------------------------
    // An HCRYPTPROV must be acquired before using code like that in 
    // "Example C Program Using CryptAcquireContext."

    //-------------------------------------------------------------------
    // Read the name of the default CSP.

    cbData = 1000;
    CryptGetProvParam(
        hProv,
        PP_NAME,
        pbData,  // should be "Microsoft Strong Cryptographic Provider"
        &cbData,
        0);

    cbData = 1000;
    CryptGetProvParam(
        hProv,
        PP_CONTAINER,
        pbData,  // should be "MyContainter"
        &cbData,
        0);

    //-------------------------------------------------------------------
    // Get the public at signature key. This is the public key
    // that will be used by the receiver of the hash to verify
    // the signature. In situations where the receiver could obtain the
    // sender's public key from a certificate, this step would not be
    // needed.

    if (CryptGetUserKey(
        hProv,
        AT_SIGNATURE,
        &hKey))
    {
        printf("The signature key has been acquired. \n");
    }
    else
    {
        if (GetLastError() == NTE_NO_KEY)               // NTE_NO_KEY意味着密钥不存在,下面就生成一个密钥
        {
            _tprintf(TEXT("The signature key does not exist./n"));
            _tprintf(TEXT("Create a signature key pair./n"));
            if (CryptGenKey(                           // CryptGenKey生成一个密钥
                hProv,                           //指定CSP模块的句柄
                AT_SIGNATURE,                     //对于公钥密码系统,生成一个私钥和一个公钥,这个参数指定了这个密钥是公钥,于是生成了一个密码对。如果不是公钥系统,则指定了密码算法,具体看MSDN。
                0,                                  //指定了生成密钥的类型,这个参数的说明挺多的,想获取更为详尽的资料请看MSDN。
                &hKey))
            {
                _tprintf(TEXT("Created a signature key pair./n"));
            }
            else
            {
                MyHandleError("CryptGenKey failed");
            }
        }
        else
        {
            MyHandleError("Error during CryptGetUserKey for signkey.");
        }
    }
    //-------------------------------------------------------------------
    // Export the public key. Here the public key is exported to a 
    // PUBLICKEYBOLB so that the receiver of the signed hash can
    // verify the signature. This BLOB could be written to a file and
    // sent to another user.

    if (CryptExportKey(
        hKey,
        NULL,
        PUBLICKEYBLOB,
        0,
        NULL,
        &dwBlobLen))
    {
        printf("Size of the BLOB for the public key determined. \n");
    }
    else
    {
        MyHandleError("Error computing BLOB length.");
    }
    //-------------------------------------------------------------------
    // Allocate memory for the pbKeyBlob.

    if (pbKeyBlob = (BYTE*)malloc(dwBlobLen))
    {
        printf("Memory has been allocated for the BLOB. \n");
    }
    else
    {
        MyHandleError("Out of memory. \n");
    }
    //-------------------------------------------------------------------
    // Do the actual exporting into the key BLOB.

    if (CryptExportKey(
        hKey,
        NULL,
        PUBLICKEYBLOB,
        0,
        pbKeyBlob,
        &dwBlobLen))
    {
        printf("Contents have been written to the BLOB. \n");
    }
    else
    {
        MyHandleError("Error during CryptExportKey.");
    }
    //-------------------------------------------------------------------
    // Create the hash object.

    if (CryptCreateHash(
        hProv,
        CALG_MD5,
        0,
        0,
        &hHash))
    {
        printf("Hash object created. \n");
    }
    else
    {
        MyHandleError("Error during CryptCreateHash.");
    }
    //-------------------------------------------------------------------
    // Compute the cryptographic hash of the buffer.

    if (CryptHashData(
        hHash,
        pbBuffer,
        dwBufferLen,
        0))
    {
        printf("The data buffer has been hashed.\n");
    }
    else
    {
        MyHandleError("Error during CryptHashData.");
    }
    //-------------------------------------------------------------------
    // Determine the size of the signature and allocate memory.

    dwSigLen = 0;
    if (CryptSignHash(
        hHash,
        AT_SIGNATURE,
        NULL,
        0,
        NULL,
        &dwSigLen))
    {
        printf("Signature length %d found.\n", dwSigLen);
    }
    else
    {
        MyHandleError("Error during CryptSignHash.");
    }
    //-------------------------------------------------------------------
    // Allocate memory for the signature buffer.

    if (pbSignature = (BYTE *)malloc(dwSigLen))
    {
        printf("Memory allocated for the signature.\n");
    }
    else
    {
        MyHandleError("Out of memory.");
    }
    //-------------------------------------------------------------------
    // Sign the hash object.

    if (CryptSignHash(
        hHash,
        AT_SIGNATURE,
        NULL,
        0,
        pbSignature,
        &dwSigLen))
    {
        printf("pbSignature is the hash signature.\n");
    }
    else
    {
        MyHandleError("Error during CryptSignHash.");
    }
    //-------------------------------------------------------------------
    // Destroy the hash object.

    if (hHash)
        CryptDestroyHash(hHash);

    printf("The hash object has been destroyed.\n");
    printf("The signing phase of this program is completed.\n\n");

    //-------------------------------------------------------------------
    // In the second phase, the hash signature is verified.
    // This would most often be done by a different user in a
    // separate program. The hash, signature, and the PUBLICKEYBLOB
    // would be read from a file, an email message, 
    // or some other source.

    // Here, the original pbBuffer, pbSignature, szDescription. 
    // pbKeyBlob, and their lengths are used.

    // The contents of the pbBuffer must be the same data 
    // that was originally signed.

    //-------------------------------------------------------------------
    // Get the public key of the user who created the digital signature 
    // and import it into the CSP by using CryptImportKey. This returns
    // a handle to the public key in hPubKey.

    if (CryptImportKey(
        hProv,
        pbKeyBlob,
        dwBlobLen,
        0,
        0,
        &hPubKey))
    {
        printf("The key has been imported.\n");
    }
    else
    {
        MyHandleError("Public key import failed.");
    }
    //-------------------------------------------------------------------
    // Create a new hash object.

    if (CryptCreateHash(
        hProv,
        CALG_MD5,
        0,
        0,
        &hHash))
    {
        printf("The hash object has been recreated. \n");
    }
    else
    {
        MyHandleError("Error during CryptCreateHash.");
    }
    //-------------------------------------------------------------------
    // Compute the cryptographic hash of the buffer.

    if (CryptHashData(
        hHash,
        pbBuffer,
        dwBufferLen,
        0))
    {
        printf("The new hash has been created.\n");
    }
    else
    {
        MyHandleError("Error during CryptHashData.");
    }
    //-------------------------------------------------------------------
    // Validate the digital signature.

    if (CryptVerifySignature(
        hHash,
        pbSignature,
        dwSigLen,
        hPubKey,
        NULL,
        0))
    {
        printf("The signature has been verified.\n");
    }
    else
    {
        printf("Signature not validated!\n");
    }
    //-------------------------------------------------------------------
    // Free memory to be used to store signature.

    if (pbSignature)
        free(pbSignature);

    //-------------------------------------------------------------------
    // Destroy the hash object.

    if (hHash)
        CryptDestroyHash(hHash);

    //-------------------------------------------------------------------
    // Release the provider handle.

    if (hProv)
        CryptReleaseContext(hProv, 0);
} //  End of main

//-------------------------------------------------------------------
//  This example uses the function MyHandleError, a simple error
//  handling function, to print an error message to the  
//  standard error (stderr) file and exit the program. 
//  For most applications, replace this function with one 
//  that does more extensive error reporting.

void MyHandleError(char *s)
{
    fprintf(stderr, "An error occurred in running the program. \n");
    fprintf(stderr, "%s\n", s);
    fprintf(stderr, "Error number %x.\n", GetLastError());
    fprintf(stderr, "Program terminating. \n");
    exit(1);
} // End of MyHandleError



没有更多推荐了,返回首页