I'm attempting to implement some single sign-on code from this site:

http://www.single-signon.com/en/single-signon.html

I downloaded their PHP-based agent code, and successfully ran it on our
IIS7 server.  The PHP code can use either PHP's internal openssl code,
or can be configured to use the external openssl binaries. As
implemented, the external openssl utility cannot possibly run correctly
because the command line built for it assumes it's running on a
Unix-based server.  Establishing these results was necessary to
determine that the original PHP code would work.

Next, I converted the PHP code to C# (.Net 2.0), and it also runs fine
on our IIS7 server.  However, I had to come up with a different way to
run the external openssl Windows binaries.  This meant using the
following command line:

C:\openssl\bin\openssl.exe dgst -sha1 -out "unique_fname.out" -verify
"my_public.key" -signature "unique_fname.sig" "unique_fname.dgs"

The file "unique_fname.dgs" contains the query string up to - but not
including - the signature portion.

The file "unique_fname.sig" contains the decoded signature that was
passed as part of the query string.

The file "unique_fname.out" will contain the results of the verification
attempt.
 

When I run the original PHP code, the internal openssl module returns
"Verify OK" with a given query string/public key/signature.

Using my C# code, the external openssl.exe utility returns "Verification
Failure" in "unique_fname.out" with the same query string/public
key/signature.

What could I be doing to prevent openssl from verifying that the
signature is valid?
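
Added example, not part of the original post and not the agent's code: `openssl dgst -verify` checks the signature over the exact bytes of the data file and expects the signature file to hold raw binary, so this script signs a constructed query string with a throwaway key and shows which file variants still verify. The private key, the query string, the base64 transport encoding and every file name except `my_public.key` are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: key, query string and file contents are constructed for the demo.
WORK=$(mktemp -d)
QS='user=alice&app=demo&expires=1700000000'   # constructed query string

setup() {
  # Throwaway key pair standing in for the signing server's key.
  openssl genrsa -out "$WORK/private.key" 2048 2>/dev/null
  openssl rsa -in "$WORK/private.key" -pubout -out "$WORK/my_public.key" 2>/dev/null
  # Signed data: exactly the query-string bytes, no newline, no BOM.
  printf '%s' "$QS" > "$WORK/exact.dgs"
  openssl dgst -sha1 -sign "$WORK/private.key" -out "$WORK/raw.sig" "$WORK/exact.dgs"
  # Variants a text-mode file writer can produce from the same string.
  printf '%s\r\n' "$QS" > "$WORK/crlf.dgs"          # trailing CRLF
  printf '\357\273\277%s' "$QS" > "$WORK/bom.dgs"   # leading UTF-8 byte-order mark
  # Signature left in its transport encoding (base64 assumed here).
  openssl base64 -A -in "$WORK/raw.sig" -out "$WORK/encoded.sig"
}

# check <data file> <signature file>: prints OK or FAIL
check() {
  if openssl dgst -sha1 -verify "$WORK/my_public.key" \
       -signature "$WORK/$2" "$WORK/$1" 2>&1 | grep -q 'Verified OK'
  then echo OK
  else echo FAIL
  fi
}

setup
printf '%-10s %-12s %s\n' exact.dgs raw.sig     "$(check exact.dgs raw.sig)"
printf '%-10s %-12s %s\n' crlf.dgs  raw.sig     "$(check crlf.dgs raw.sig)"
printf '%-10s %-12s %s\n' bom.dgs   raw.sig     "$(check bom.dgs raw.sig)"
printf '%-10s %-12s %s\n' exact.dgs encoded.sig "$(check exact.dgs encoded.sig)"
```

Comparing the byte length and a hex dump of the `.dgs` and `.sig` files against the bytes the working verifier hashes is the quickest way to see whether any of these differences is present.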

 
