【发布时间】:2021-03-16 08:36:37
【问题描述】:
我正在尝试通过 Xamarin.Forms 项目与 Apple Music API 进行通信。由于 Microsoft ECDsa 实现在 Xamarin.Android 和 Xamarin.iOS 上不可用,我正在尝试使用 Portable.BouncyCastle Nuget 包解决该限制。总体而言,该过程似乎按预期工作,但是当尝试使用签名的开发人员令牌调用 Apple Music API 时,我总是收到 HTTP/2 401。
我有一个有效的 MS ECDsa 实现,我在 ASP.NET Core 项目中使用它来与 Apple 推送通知服务进行通信,因此我编写了一个快速的小演示工具,可以在这两种方法中生成密钥,结果:签名不匹配并且 MS ECDsa 变体确实有效,我从 Apple 获得了正确的 API 响应。
我在网上查看了很多示例,但我看不出我实际上做错了什么,所以也许这里有人可以指出我正确的方向。
充气城堡方法:
public static AsymmetricCipherKeyPair GetKeys(string data)
{
var tag = $"{_className}.GetECDsa";
try
{
byte[] byteArray = Encoding.ASCII.GetBytes(data);
MemoryStream stream = new MemoryStream(byteArray);
using (TextReader reader = new StreamReader(stream))
{
var ecPrivateKeyParameters =
(ECPrivateKeyParameters)new PemReader(reader).ReadObject();
var q = ecPrivateKeyParameters.Parameters.G.Multiply(ecPrivateKeyParameters.D).Normalize();
var ecPublicKeyParameters = new ECPublicKeyParameters(q, ecPrivateKeyParameters.Parameters);
return new AsymmetricCipherKeyPair(ecPublicKeyParameters, ecPrivateKeyParameters);
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
public static string CreateToken(AsymmetricCipherKeyPair keyPair, string p8privateKeyId, string teamId, DateTime date)
{
var tag = $"{_className}.CreateJwtToken";
try
{
var header = JsonHelper.Serialize(new { alg = "ES256", kid = p8privateKeyId });
var payload = JsonHelper.Serialize(new { iss = teamId, iat = ToEpoch(date), exp = ToEpoch(date.AddSeconds(15777000)) });
var headerBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(header));
var payloadBasae64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));
var unsignedJwtData = $"{headerBase64}.{payloadBasae64}";
var signature = GetSignature(unsignedJwtData, keyPair);
return $"{unsignedJwtData}.{Convert.ToBase64String(signature)}";
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
private static int ToEpoch(DateTime time)
{
var span = DateTime.UtcNow - new DateTime(1970, 1, 1);
return Convert.ToInt32(span.TotalSeconds);
}
private static byte[] GetSignature(string plainText, AsymmetricCipherKeyPair key)
{
var encoder = new UTF8Encoding();
var inputData = encoder.GetBytes(plainText);
var signer = SignerUtilities.GetSigner("SHA-256withECDSA");
signer.Init(true, key.Private);
signer.BlockUpdate(inputData, 0, inputData.Length);
return signer.GenerateSignature();
}
MS ECDsa 方法:
public static string GetPrivateKey(string p8privateKey)
{
var tag = $"{_className}.GetPrivateKey";
try
{
var dsa = GetECDsa(p8privateKey);
var keyBytes = dsa.ExportPkcs8PrivateKey();
return Convert.ToBase64String(keyBytes);
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
private static ECDsa GetECDsa(string p8privateKey)
{
var tag = $"{_className}.GetECDsa";
try
{
byte[] byteArray = Encoding.ASCII.GetBytes(p8privateKey);
MemoryStream stream = new MemoryStream(byteArray);
using (TextReader reader = new StreamReader(stream))
{
var ecPrivateKeyParameters =
(ECPrivateKeyParameters)new PemReader(reader).ReadObject();
var q = ecPrivateKeyParameters.Parameters.G.Multiply(ecPrivateKeyParameters.D).Normalize();
return ECDsa.Create(new ECParameters
{
Curve = ECCurve.CreateFromValue(ecPrivateKeyParameters.PublicKeyParamSet.Id),
D = ecPrivateKeyParameters.D.ToByteArrayUnsigned(),
Q =
{
X = q.XCoord.GetEncoded(),
Y = q.YCoord.GetEncoded()
}
});
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
public static string CreateJwtToken(string p8privateKey, string p8privateKeyId, string teamId, DateTime date)
{
var tag = $"{_className}.CreateJwtToken";
try
{
var header = JsonHelper.Serialize(new { alg = "ES256", kid = p8privateKeyId });
var payload = JsonHelper.Serialize(new { iss = teamId, iat = ToEpoch(date), exp = ToEpoch(date.AddSeconds(15777000)) });
using var dsa = ECDsa.Create("ECDsa");
var keyBytes = Convert.FromBase64String(p8privateKey);
dsa.ImportPkcs8PrivateKey(keyBytes, out _);
var headerBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(header));
var payloadBasae64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));
var unsignedJwtData = $"{headerBase64}.{payloadBasae64}";
var unsignedJwtBytes = Encoding.UTF8.GetBytes(unsignedJwtData);
var signature = dsa.SignData(unsignedJwtBytes, 0, unsignedJwtBytes.Length, HashAlgorithmName.SHA256);
return $"{unsignedJwtData}.{Convert.ToBase64String(signature)}";
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
期待您的反馈。
【问题讨论】:
-
BouncyCastle 解决方案中的一个问题可能是
SignerUtilities.GetSigner("SHA-256withECDSA")以 ASN.1 格式返回签名,但在 JWT 上下文中使用了 (r,s) 格式。较新的 BC 版本支持这种格式,例如与SHA-256withPLAIN-ECDSA。如果问题仍然存在,如果您可以完成复制的两个代码(即示例密钥对、调用代码和生成的 JWT 的示例)将会很有帮助。
标签: c# xamarin bouncycastle ecdsa apple-musickit