Fatal编程技术网
  • openssl/
  • OpenSSL dgst身份验证失败

OpenSSL dgst身份验证失败

openssl

OpenSSL dgst身份验证失败,openssl,rsa,signature,sign,verify,Openssl,Rsa,Signature,Sign,Verify,我已尝试在OpenSSL中复制此博客上显示的工作流: 然而,尽管有许多变化,身份验证似乎失败了。怎么了?请参阅下面的代码,您可以将其复制并粘贴到OpenSSL中。请注意,我使用的是已编译的Windows二进制版本的OpenSSL //================Phase 1 - Setup================ //Generate my private key (myprivatekey.txt) genpkey -algorithm RSA -out C:\mypriva

我已尝试在OpenSSL中复制此博客上显示的工作流:

然而,尽管有许多变化,身份验证似乎失败了。怎么了?请参阅下面的代码,您可以将其复制并粘贴到OpenSSL中。请注意,我使用的是已编译的Windows二进制版本的OpenSSL

//================Phase 1 - Setup================

//Generate my private key (myprivatekey.txt)
genpkey -algorithm RSA -out C:\myprivatekey.txt -pass pass:abc123 -pkeyopt rsa_keygen_bits:2048

//Generate friend's private key (friendprivatekey.txt)
genpkey -algorithm RSA -out C:\friendprivatekey.txt -pass pass:123abc -pkeyopt rsa_keygen_bits:2048

----------------

//Extract my public key (mypublickey.txt) from my private key (myprivatekey.txt)
rsa -passin pass:abc123 -in C:\myprivatekey.txt -pubout -out C:\mypublickey.txt

//Extract friend's public key (friendpublickey.txt) from my private key (friendprivatekey.txt)
rsa -passin pass:123abc -in C:\friendprivatekey.txt -pubout -out C:\friendpublickey.txt

----------------

//Generate my password (a random base64 string password saved mypassword.txt)
rand -base64 -out C:\mypassword.txt 128

//Generate friend's password (a random base64 string password saved to friendpassword.txt)
rand -base64 -out C:\friendpassword.txt 128

//Delete the .rnd file that's generated?  Not sure what it is.

----------------

//Encrypt my password using my private key (encrypted password saved to a binary file - myencryptedpassword.txt)
pkeyutl -in C:\mypassword.txt -out C:\myencryptedpassword.txt -inkey C:\myprivatekey.txt -passin pass:abc123

//Encrypt friend's password using friend's private key (encrypted password saved to a binary file - friendencryptedpassword.txt)
pkeyutl -in C:\friendpassword.txt -out C:\friendencryptedpassword.txt -inkey C:\friendprivatekey.txt -passin pass:123abc

----------------

//Convert my encrypted password to base64 from binary (saved as myencryptedpasswordbase64.txt)
base64 -in C:\myencryptedpassword.txt -out C:\myencryptedpasswordbase64.txt

//Convert friend's encrypted password to base64 from binary (saved as friendencryptedpasswordbase64.txt)
base64 -in C:\friendencryptedpassword.txt -out C:\friendencryptedpasswordbase64.txt

----------------

//Create a signed hash of my password so my friend knows it's coming from me (signed hash saved as mysignedhash.txt and is in binary form)
dgst -sha256 -sign C:\myprivatekey.txt -passin pass:abc123 -out C:\mysignedhash.txt C:\myencryptedpasswordbase64.txt

//Create a signed hash of friend's password so I know it's coming from my friend (signed hash saved as friendsignedhash.txt and is in binary form)
dgst -sha256 -sign C:\friendprivatekey.txt -passin pass:123abc -out C:\friendsignedhash.txt C:\friendencryptedpasswordbase64.txt

----------------

//Convert my signed hash from binary to base64
base64 -in C:\mysignedhash.txt -out C:\mysignedhashbase64.txt

//Convert friend's signed hash from binary to base64
base64 -in C:\friendsignedhash.txt -out C:\friendsignedhashbase64.txt

//================Phase 2 - Authentication================

//Now, we reverse the process and authenticate the friend.  Let's prefix all output files with "phase2"

//I provide friend with my public key and my encrypted password 
//Friend provides me with their public key

//Convert friend's encrypted password from base64 to binary.  The output file will be the same as friendsignedhash.txt
base64 -d -in C:\friendsignedhashbase64.txt -out C:\phase2friendsignedhash.txt

//Convert friend's signed hash from base64 to binary.  The output file will be the same as C:\friendsignedhash.txt
base64 -d -in C:\friendencryptedpasswordbase64.txt -out C:\phase2friendencryptedpassword.txt

//Verify if the password originates from my friend (by checking against my friend's public key)
dgst -sha256 -verify C:\friendpublickey.txt -signature C:\phase2friendsignedhash.txt -out C:\friendresult.txt C:\phase2friendencryptedpassword.txt
知道验证失败的原因吗?

问题是您签署了
friendencryptedpasswordbase64.txt
,但正在尝试使用
phase2friendencryptedpassword.txt
(非base64)进行验证。如果您使用前一种方法进行验证,它将非常有效

除此之外,我确实看到了一些与安全相关的问题。它们并没有引起您所问的问题,但它们违背了良好的安全惯例

首先,你可能想用你朋友的公钥而不是私钥来加密你的密码。那么只有你朋友的私钥才能解密。否则,任何拥有您的公钥的人都可以解密您加密的密码

其次,一般来说,您不希望将同一密钥用于多种目的(即签名和加密)

我投票决定以“离题”结束。这是一个关于软件工具的问题,而不是一个编程问题。你可能想试试。你有没有看过StackOverflow上有多少OpenSSL帖子?是的,这是一个常用的工具,但它用于编程。在这个问题中,我们正在使用这个工具编写一个脚本,以获得期望的结果。谢谢。更详细的讨论可在此处找到,并附有工作修订版: