The public key of an ECC P256K1 key in AWS KMS is 88 bytes


  • I am using AWS KMS with an ECC_SECG_P256K1 key. When I retrieve the public key via aws-sdk, the key is 88 bytes, not 64 bytes (as shown in the code).
  • More importantly, the signature size varies between 70, 71 and 72 bytes, which means we cannot compute the (r, s) values as r=[0:32], s=[32:64].
const AWS = require('aws-sdk');

var kms = new AWS.KMS();
var pubKeyParam = {
  KeyId: 'xxxxxxxx', /* required */
};
kms.getPublicKey(pubKeyParam, function (err, data) {
  if (err) {
    console.log(err, err.stack);
  } else {
    // data.PublicKey is a Buffer
    const publicKey = data.PublicKey;
    console.log(publicKey.length); // 88 bytes, not 64 bytes
  }
});

Thanks in advance for the help.

KMS public key parsing

KMS is returning the public key in ASN.1 format.

If you convert the key with publicKeyFromAsn1 here, it will return 64 bytes:

import * as asn1js from 'asn1js';

// Copy a Node Buffer into a plain ArrayBuffer, which asn1js.fromBER expects
function toArrayBuffer(buffer: Buffer): ArrayBuffer {
  const ab = new ArrayBuffer(buffer.length);
  const view = new Uint8Array(ab);
  for (let i = 0; i < buffer.length; ++i) {
    view[i] = buffer[i];
  }
  return ab;
}

// call this with your KMS public key (a SubjectPublicKeyInfo structure)
function publicKeyFromAsn1(buf: Buffer): Buffer {
  const { result } = asn1js.fromBER(toArrayBuffer(buf));
  // SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }
  const values = (result as asn1js.Sequence).valueBlock.value;
  const value = values[1] as asn1js.BitString;
  // valueHex is the SEC1 point 04 || X || Y; drop the 0x04 marker to get 64 bytes
  return Buffer.from(value.valueBlock.valueHex.slice(1));
}

KMS signature parsing

KMS signatures are in DER format (which is valid BER). It ends up looking like this: 30440220{r}0220{s}. Here is some parsing logic to help you extract r & s.

import * as asn1js from 'asn1js';

// Copy a Node Buffer into a plain ArrayBuffer, which asn1js.fromBER expects
function toArrayBuffer(buffer: Buffer): ArrayBuffer {
  const ab = new ArrayBuffer(buffer.length);
  const view = new Uint8Array(ab);
  for (let i = 0; i < buffer.length; ++i) {
    view[i] = buffer[i];
  }
  return ab;
}

// DER prepends 0x00 to an INTEGER whose top bit is set, which is why the
// signature is 70, 71 or 72 bytes; normalise r and s to exactly 32 bytes
function toFixed32(intBytes: Buffer): Buffer {
  let start = 0;
  while (start < intBytes.length - 1 && intBytes[start] === 0) start++;
  const v = intBytes.subarray(start);
  if (v.length > 32) throw new Error('integer longer than 32 bytes');
  return Buffer.concat([Buffer.alloc(32 - v.length), v]);
}

// call this with your signature buffer
function parseBERSignature(sig: Buffer): { r: Buffer; s: Buffer } {
  const { result } = asn1js.fromBER(toArrayBuffer(sig));
  // ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }
  const values = (result as asn1js.Sequence).valueBlock.value;
  const part1 = values[0] as asn1js.Integer;
  const part2 = values[1] as asn1js.Integer;
  return {
    r: toFixed32(Buffer.from(part1.valueBlock.valueHex)),
    s: toFixed32(Buffer.from(part2.valueBlock.valueHex)),
  };
}
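As an added example covering both the public-key and the signature sections above (this is not the asker's or the answerer's code and does not use asn1js), here is a dependency-free DER reader that turns the 88-byte SubjectPublicKeyInfo into the 64-byte X || Y point and a 70/71/72-byte ECDSA signature into fixed 32-byte r and s. The sample inputs are constructed: the point is the public secp256k1 generator G rather than a real KMS key, and the signature bytes are hand-built to show the 0x00 padding case.

```javascript
// Added example (not the asker's or answerer's code): a dependency-free DER
// reader for the two KMS structures above. It assumes the same layouts the
// answer describes: a SubjectPublicKeyInfo wrapping an uncompressed SEC1
// point, and an ECDSA-Sig-Value SEQUENCE { r INTEGER, s INTEGER }.

function hexToBytes(hex) {
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  return out;
}

function bytesToHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Read one DER tag-length-value at `offset`; returns the tag, the value bytes
// and the offset of the element that follows it.
function readTlv(buf, offset) {
  if (offset + 2 > buf.length) throw new Error('truncated DER element');
  const tag = buf[offset];
  let len = buf[offset + 1];
  let pos = offset + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n === 0 || n > 4 || pos + n > buf.length) throw new Error('unsupported DER length');
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[pos++];
  }
  if (pos + len > buf.length) throw new Error('DER length exceeds buffer');
  return { tag, value: buf.subarray(pos, pos + len), next: pos + len };
}

// SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier,
//                                     subjectPublicKey BIT STRING }
// Returns the 64-byte X || Y point: the BIT STRING's first byte is the
// unused-bits count and the next byte (0x04) is the uncompressed-point marker.
function rawPointFromSpki(spki) {
  const outer = readTlv(spki, 0);
  if (outer.tag !== 0x30) throw new Error('SPKI must start with a SEQUENCE');
  const alg = readTlv(outer.value, 0); // AlgorithmIdentifier, skipped here
  const bits = readTlv(outer.value, alg.next);
  if (bits.tag !== 0x03) throw new Error('subjectPublicKey must be a BIT STRING');
  const point = bits.value.subarray(1);
  if (point.length !== 65 || point[0] !== 0x04) throw new Error('expected an uncompressed SEC1 point');
  return point.subarray(1);
}

// DER encodes an INTEGER with a leading 0x00 when the top bit is set and
// never with redundant zeros, so r and s arrive as 32 or 33 bytes (or fewer);
// normalise to exactly 32 bytes.
function toFixed32(intBytes) {
  let start = 0;
  while (start < intBytes.length - 1 && intBytes[start] === 0) start++;
  const v = intBytes.subarray(start);
  if (v.length > 32) throw new Error('integer does not fit in 32 bytes');
  const out = new Uint8Array(32);
  out.set(v, 32 - v.length);
  return out;
}

// ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }
function fixedSizeSignature(der) {
  const seq = readTlv(der, 0);
  if (seq.tag !== 0x30) throw new Error('signature must start with a SEQUENCE');
  const rTlv = readTlv(seq.value, 0);
  const sTlv = readTlv(seq.value, rTlv.next);
  if (rTlv.tag !== 0x02 || sTlv.tag !== 0x02) throw new Error('r and s must be INTEGERs');
  return { r: toFixed32(rTlv.value), s: toFixed32(sTlv.value) };
}

// Constructed sample inputs (not real KMS output). The point is the public
// secp256k1 generator G, wrapped in the 88-byte SPKI layout KMS returns:
// id-ecPublicKey OID 1.2.840.10045.2.1 and the secp256k1 OID 1.3.132.0.10.
const GX = '79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798';
const GY = '483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8';
const SAMPLE_SPKI = hexToBytes(
  '3056' + '3010' + '06072a8648ce3d0201' + '06052b8104000a' + '034200' + '04' + GX + GY
);
// 70-byte signature: both integers have the top bit clear.
const SIG_70 = hexToBytes('3044' + '0220' + '11'.repeat(32) + '0220' + '22'.repeat(32));
// 71-byte signature: r has its top bit set, so DER prepends 0x00 (02 21 00 ...).
const SIG_71 = hexToBytes('3045' + '0221' + '00' + 'a1'.repeat(32) + '0220' + '7b'.repeat(32));

function demo() {
  const point = rawPointFromSpki(SAMPLE_SPKI);
  const sig = fixedSizeSignature(SIG_71);
  return {
    spkiLength: SAMPLE_SPKI.length, // 88
    pointLength: point.length,      // 64
    rHex: bytesToHex(sig.r),        // 'a1' repeated 32 times, the 0x00 pad removed
    sHex: bytesToHex(sig.s),
  };
}

console.log(demo());
```

The length checks in readTlv are the part worth keeping even if you switch back to a library: a signature or key whose declared lengths run past the buffer should be rejected rather than silently truncated, and r and s should be padded to 32 bytes before being compared or fed to a verifier that expects a fixed-size (r, s) pair.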
