I'm trying to get a client application written in C++ using OpenSSL to
verify a signature sent by a
server (in Java) and vice versa. Not sure I specified it correctly, but the
signatures generated on
both sides, from the same input data, are not the same, and therefore, can't
be verify. And this
is using the same key, of course.
Here is the code in Java for signing it:
======================================================
String testKey =
"-----BEGIN RSA PRIVATE KEY-----\n" +
"MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ\n" +
"2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF\n" +
"oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr\n" +
"8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc\n" +
"a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7\n" +
"WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA\n" +
"6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=\n" +
"-----END RSA PRIVATE KEY-----\n";
String testCert =
"-----BEGIN CERTIFICATE-----\n" +
"MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD\n" +
"VQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5ldXJv\n" +
"bmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMTEmJy\n" +
"dXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZpMB4X\n" +
"DTk2MDkwNTAzNDI0M1oXDTk2MTAwNTAzNDI0M1owgaAxCzAJBgNVBAYTAlBUMRMw\n" +
"EQYDVQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5l\n" +
"dXJvbmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMT\n" +
"EmJydXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZp\n" +
"MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNw\n" +
"L4lYKbpzzlmC5beaQXeQ2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAATAN\n" +
"BgkqhkiG9w0BAQQFAANBAFqPEKFjk6T6CKTHvaQeEAsX0/8YHPHqH/9AnhSjrwuX\n" +
"9EBc0n6bVGhN7XaXd6sJ7dym9sbsWxb+pJdurnkxjx4=\n" +
"-----END CERTIFICATE-----\n";
// same input string for both Java and C++
String input = "9O2CQ14zAXEd7GzJ9XELhQH.aE6";
public void doSign()
{
try
{
// Note: PEMReader is from BouncyCastle
StringReader sReader = new StringReader(testKey);
PEMReader pemReader = new PEMReader(sReader);
KeyPair keypair = (KeyPair) pemReader.readObject();
PrivateKey privKey = keypair.getPrivate();
PublicKey pubKey = keypair.getPublic();
sReader = new StringReader(testCert);
pemReader = new PEMReader(sReader);
X509Certificate cert =
(X509Certificate)pemReader.readObject();
PublicKey pubKey2 = cert.getPublicKey();
Signature sig = Signature.getInstance("SHA1withRSA");
sig.initSign(privKey);
sig.update(input.getBytes());
byte[] sigvalue = sig.sign();
Base64 b64 = new Base64();
byte[] b = b64.encode(sigvalue);
String s = new String(b);
System.out.println("'" + s + "'");
sig.initVerify(pubKey2);
sig.update(input.getBytes());
boolean status = sig.verify(sigvalue);
System.out.println(status);
}
catch(Exception e)
{
e.printStackTrace();
}
}
======================================================
And the code in C for verifying:
======================================================
char * testKey =
"-----BEGIN RSA PRIVATE KEY-----\n" \
"MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ\n" \
"2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF\n" \
"oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr\n" \
"8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc\n" \
"a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7\n" \
"WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA\n" \
"6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=\n" \
"-----END RSA PRIVATE KEY-----\n";
char * testCert =
"-----BEGIN CERTIFICATE-----\n" \
"MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD\n" \
"VQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5ldXJv\n" \
"bmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMTEmJy\n" \
"dXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZpMB4X\n" \
"DTk2MDkwNTAzNDI0M1oXDTk2MTAwNTAzNDI0M1owgaAxCzAJBgNVBAYTAlBUMRMw\n" \
"EQYDVQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5l\n" \
"dXJvbmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMT\n" \
"EmJydXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZp\n" \
"MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNw\n" \
"L4lYKbpzzlmC5beaQXeQ2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAATAN\n" \
"BgkqhkiG9w0BAQQFAANBAFqPEKFjk6T6CKTHvaQeEAsX0/8YHPHqH/9AnhSjrwuX\n" \
"9EBc0n6bVGhN7XaXd6sJ7dym9sbsWxb+pJdurnkxjx4=\n" \
"-----END CERTIFICATE-----\n";
void DoVerify(char *input, char *sig)
{
BIO *bio = BIO_new_mem_buf(testCert, -1);
X509 *x509 = NULL;
PEM_read_bio_X509(bio, &x509, 0, NULL);
if (x509 == NULL)
std::cout << "PEM_read_bio_X509 failed..." << std::endl;
EVP_PKEY * testpubkey = X509_get_pubkey(x509);
EVP_MD_CTX vctx;
EVP_MD_CTX_init(&vctx);
EVP_VerifyInit_ex(&vctx, EVP_sha1(), NULL);
EVP_VerifyUpdate(&vctx, input, strlen(input));
char sigbuf[1024];
memset(sigbuf, 0, 1024);
int sigLen = ::B64ToBytes(sigbuf, sig);
int ret = EVP_VerifyFinal(&vctx, (unsigned char *)sigbuf, sigLen,
testpubkey);
if (ret == 1)
{
std::cout << "Signature is valid" << std::endl;
}
else if (ret == 0)
std::cout << "Signature is invalid..." << std::endl;
else
std::cout << "Verification failed..." << std::endl;
}
======================================================
Funny thing is, using the same input string and same key, the signatures
generated
on both sides are different:
// from C++
char * signature =
"1otFzSd23pVwXxVH.RYUdBB7j1ty0oFnvA0hIA4w55Ufm0fajeN4fgjpEd2.KlhYrXKAmzyTzkDGhr6ynz3Yyj";
// from java
char * signature2 =
"ctz/XJwg83+oe30fm4npyyx7Qd/AMj8eSgK0ihOhRXqcAKZLaFxKarczpwvlL64tYVCsPfHfbjUK9RvMfQ4vLQ==";
Obviously, the signature generated from Java is very different from the one
generated
using OpenSSL, and OpenSSL can't verify it.
The key is an RSA key, for sure, but the following line:
EVP_VerifyInit_ex(&vctx, EVP_sha1(), NULL);
Isn't this equivalent to SHA1withRSA in Java?
The signature is converted into B64 format and transmitted from the server
to the client.
The client converts it back to byte array and performs verification. That's
about it.
The signature generated in Java can be verified in Java, and the signature
generated in C++
can be verified in C++. They just don't work together.
Must have done something wrong. Any help would be very much appreciated.
coco
_________________________________________________________________
Is your PC infected? Get a FREE online computer virus scan from McAfeeŽ
Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]