使用RSA在iOS上签名和validation
如何使用RSA密钥在iOS上签名和validation一些数据(最好使用系统自己的libcommonCrypto )?
由于在StackOverflow和Apple文档上找不到关于签名和validation的知识,所以我不得不在iOS头文件中手动浏览并findSecKeyRawSign和SecKeyRawVerify 。 下面的代码行似乎工作。
签署NSData(使用SHA256和RSA):
NSData* PKCSSignBytesSHA256withRSA(NSData* plainData, SecKeyRef privateKey) { size_t signedHashBytesSize = SecKeyGetBlockSize(privateKey); uint8_t* signedHashBytes = malloc(signedHashBytesSize); memset(signedHashBytes, 0x0, signedHashBytesSize); size_t hashBytesSize = CC_SHA256_DIGEST_LENGTH; uint8_t* hashBytes = malloc(hashBytesSize); if (!CC_SHA256([plainData bytes], (CC_LONG)[plainData length], hashBytes)) { return nil; } SecKeyRawSign(privateKey, kSecPaddingPKCS1SHA256, hashBytes, hashBytesSize, signedHashBytes, &signedHashBytesSize); NSData* signedHash = [NSData dataWithBytes:signedHashBytes length:(NSUInteger)signedHashBytesSize]; if (hashBytes) free(hashBytes); if (signedHashBytes) free(signedHashBytes); return signedHash; }
validation(使用SHA256和RSA):
BOOL PKCSVerifyBytesSHA256withRSA(NSData* plainData, NSData* signature, SecKeyRef publicKey) { size_t signedHashBytesSize = SecKeyGetBlockSize(publicKey); const void* signedHashBytes = [signature bytes]; size_t hashBytesSize = CC_SHA256_DIGEST_LENGTH; uint8_t* hashBytes = malloc(hashBytesSize); if (!CC_SHA256([plainData bytes], (CC_LONG)[plainData length], hashBytes)) { return nil; } OSStatus status = SecKeyRawVerify(publicKey, kSecPaddingPKCS1SHA256, hashBytes, hashBytesSize, signedHashBytes, signedHashBytesSize); return status == errSecSuccess; }
替代品(OpenSSL):
有一个非常好的替代方法,直接使用OpenSSL而不是libCommonCrypto。 MIHCrypto是一个devise良好的用于OpenSSL的Objective-C包装库,使得使用密码非常简单。 看下面的例子。
生成密钥很简单:
MIHAESKeyFactory *factory = [[MIHAESKeyFactory alloc] init]; id<MIHSymmetricKey> aesKey = [factory generateKey];
或从文件加载密钥:
NSData *privateKeyData = [[NSFileManager defaultManager] contentsAtPath:"mykey.pem"]; MIHRSAPrivateKey *privateKey = [[MIHRSAPrivateKey alloc] initWithData:privateKeyData];
现在签名:
NSError *signingError = nil; NSData *message = // load something to sign from somewhere NSData *signature = [privateKey signWithSHA256:message error:&signingError]
有关更多示例,请浏览MIHCrypto页面。