Hashing and verifying a JWT with Google KMS in C#
Tags: c#, .net-core, google-cloud-platform, google-cloud-kms
We need to hash and verify JWT tokens with a custom AsymmetricSecurityKey that signs/verifies the token through the Google Cloud KMS API. The hashing logic works; here is the implementation:
using System.Security.Cryptography;
using Google.Cloud.Kms.V1;
using Google.Protobuf;

public override byte[] Sign(byte[] input)
{
    string projectId = "<PROJECT-ID>";
    string location = "global";
    // Instantiate a Cloud KMS client.
    var client = KeyManagementServiceClient.Create();
    // Key ring "test", key "asymmetric-signing-key", version "1".
    var cryptoKeyVersion = new CryptoKeyVersionName(projectId, location, "test", "asymmetric-signing-key", "1");
    // KMS signs a digest, not the raw input; the digest algorithm must match the key's
    // algorithm (here a SHA-256 variant).
    byte[] hashedInput;
    using (var hasher = SHA256.Create())
    {
        hashedInput = hasher.ComputeHash(input);
    }
    var digest = new Digest
    {
        Sha256 = ByteString.CopyFrom(hashedInput)
    };
    var asymmetricSignResponse = client.AsymmetricSign(cryptoKeyVersion, digest);
    var output = asymmetricSignResponse.Signature.ToByteArray();
    return output;
}
I need to know how to verify the signature. I have tried many different approaches and libraries, but it always fails.
The Google KMS documentation on creating and validating digital signatures has no implementation for .NET C#.
Thanks for your help.

I found a repo that may be useful for you; it contains KMS samples for NetCore and AspNet.

This sample requires .NET Core 2.0 or later, which means using Visual Studio 2017 or the command line.

Maybe this link will be useful for your research:

We are collecting these samples and publishing them in our documentation (). Here is an example:
using System;
using System.IO;
using Google.Cloud.Kms.V1;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities.IO.Pem;

public static bool VerifyWithKmsPublicKey(string projectId, string locationId, string keyRingId,
    string cryptoKeyId, string cryptoKeyVersionId, string contentFile, string signatureFile)
{
    KeyManagementServiceClient client = KeyManagementServiceClient.Create();
    CryptoKeyVersionName keyVersionName = new CryptoKeyVersionName(
        projectId, locationId, keyRingId, cryptoKeyId, cryptoKeyVersionId);
    byte[] content = File.ReadAllBytes(contentFile);
    byte[] signature = File.ReadAllBytes(signatureFile);
    // Verification happens locally: only the public key is fetched from KMS.
    string pubKeyPem = client.GetPublicKey(keyVersionName).Pem;
    PemReader reader = new PemReader(new StringReader(pubKeyPem));
    byte[] publicKeyInfoBytes = reader.ReadPemObject().Content;
    AsymmetricKeyParameter key = PublicKeyFactory.CreateKey(publicKeyInfoBytes);
    // The algorithm string to use will vary depending on the algorithm associated
    // with the CryptoKeyVersion. `SignerUtilities.cs` in BouncyCastle source
    // contains a mapping of algorithm strings.
    // "SHA512withRSA/PSS" and "SHA256withRSA" (for PKCS1) are also useful example
    // values.
    const string algorithm = "SHA256withECDSA";
    ISigner signer = SignerUtilities.GetSigner(algorithm);
    signer.Init(false, key);
    signer.BlockUpdate(content, 0, content.Length);
    bool verified = signer.VerifySignature(signature);
    Console.Write($"Signature verified: {verified}");
    return verified;
}
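As an added example (not code from the question or from the answer above), here is the same BouncyCastle verification applied to a complete compact JWT, plus the conversion the custom Sign() override needs when the KMS key is ECDSA: the signing input is the ASCII bytes of `header.payload`, the third segment is base64url-decoded, and because JWS ES256 carries the signature as raw R||S while KMS returns and BouncyCastle expects ASN.1 DER, the two helpers convert between the forms. The class and method names are assumptions; the PEM is the one returned by client.GetPublicKey(keyVersionName).Pem.

```csharp
using System;
using System.IO;
using System.Text;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities.IO.Pem;

// Hypothetical helper class; names are assumptions, not part of the original post.
public static class KmsJwtSignatures
{
    // Verify a compact JWS (header.payload.signature) with the PEM from
    // client.GetPublicKey(keyVersionName).Pem. algorithm is a BouncyCastle name:
    // "SHA256withRSA" (RS256), "SHA256withRSA/PSS" (PS256), "SHA256withECDSA" (ES256).
    public static bool VerifyJwt(string jwt, string publicKeyPem, string algorithm)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) return false;
        byte[] signingInput = Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]);
        byte[] signature = Base64UrlDecode(parts[2]);
        // JWS ES* signatures are raw R||S (RFC 7518 section 3.4); BouncyCastle wants DER.
        if (algorithm.EndsWith("ECDSA", StringComparison.OrdinalIgnoreCase))
            signature = RawToDer(signature);
        var key = PublicKeyFactory.CreateKey(
            new PemReader(new StringReader(publicKeyPem)).ReadPemObject().Content);
        var signer = SignerUtilities.GetSigner(algorithm);
        signer.Init(false, key);
        signer.BlockUpdate(signingInput, 0, signingInput.Length);
        return signer.VerifySignature(signature);
    }

    // For the Sign() override: KMS returns a DER-encoded ECDSA signature, but a JWS
    // ES256 signature must be the fixed 64-byte R||S form (fieldBytes = 32 for P-256).
    public static byte[] DerToRaw(byte[] der, int fieldBytes)
    {
        var seq = (Asn1Sequence)Asn1Object.FromByteArray(der);
        byte[] r = ((DerInteger)seq[0]).Value.ToByteArrayUnsigned();
        byte[] s = ((DerInteger)seq[1]).Value.ToByteArrayUnsigned();
        var raw = new byte[2 * fieldBytes];
        Array.Copy(r, 0, raw, fieldBytes - r.Length, r.Length);       // left-pad R
        Array.Copy(s, 0, raw, 2 * fieldBytes - s.Length, s.Length);   // left-pad S
        return raw;
    }

    // Inverse of DerToRaw: SEQUENCE { INTEGER r, INTEGER s } from the R||S halves.
    static byte[] RawToDer(byte[] raw)
    {
        int half = raw.Length / 2;
        var r = new BigInteger(1, raw, 0, half);
        var s = new BigInteger(1, raw, half, half);
        return new DerSequence(new DerInteger(r), new DerInteger(s)).GetDerEncoded();
    }

    static byte[] Base64UrlDecode(string s) => Convert.FromBase64String(
        s.Replace('-', '+').Replace('_', '/').PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
}
```

For an RSA key no conversion is needed, since the KMS signature bytes are already what RS256/PS256 expect; the algorithm string must still match the key version's algorithm or verification fails.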
Another purpose of it is that it demonstrates how to integrate the Google Cloud Key Management Service API with ASP.NET MVC appsettings to store secrets in a simple json file.

I don't need encrypt/decrypt, I need sign/verify.

They added an example for sign/verify... Thanks a lot.