Hello,
We started working on a project several months ago that has a need for
signature verification of an xml file. We had completed our tests and
everything was working. The provider of the file then sent us a new Public Key
and said that it is what we will get for the live data. The file will not read
into our programs (one in C++ and one in Java).
The C code that was working is as follows:
pkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL);
fclose (fp);
if (pkey == NULL)
{
    /* error stuff */
}
sigDatEnc = g_base64_decode( (gchar *) sigDat, &sigDatLen);
EVP_VerifyInit(&md_ctx, EVP_sha512());
EVP_VerifyUpdate(&md_ctx, xmlDat, strlen((char *) xmlDat));
err = EVP_VerifyFinal (&md_ctx, sigDatEnc, sigDatLen, pkey);
free(sigDatEnc);
EVP_PKEY_free (pkey);
It fails on the PEM_read_PUBKEY by returning a NULL when it tries to read in
the file. The only help we can get from the provider is the following code
(Perl) which works for them:
#!/usr/bin/perl
use Crypt::OpenSSL::Random;
use Crypt::OpenSSL::RSA;
use MIME::Base64;
my $packet = <<EOD;
-----BEGIN GLOBAL ENERGY INNOVATIONS LICENSE DATA-----
<license_data><mac>00:0D:15:00:74:1A</mac><version>1.0.0</version><serial>EC
1000-0900018</serial><module
code="impedance"><start>2000-01-01</start><end>2099-12-31</end></module><coo
kie>D2940155EEDB6C92E3FD703A63EC4527</cookie><time>1265407356</time></licens
e_data>
-----BEGIN GLOBAL ENERGY INNOVATIONS SIGNATURE-----
-----END GLOBAL ENERGY INNOVATIONS SIGNATURE-----
EOD
my $public_key = <<EOD;
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAvW90MggAl07zMvyQdUk18/iOySyY8P/1vqC5XGNvC5aXIvC8UDpU
2v8EK40SUc0FEqP8g893HgW+yDJa7SF2VyW2IEcnum2yot2ifGHjCDUnea2W5wBO
aFlY9Co9VXDLhRJNQyXyfKCXL/xiM2O2Py1x0+SIXkc1ml2M0x4Fb4QsMO5E2Y6o
2mRVlPlooDPkj4BijvVX/EiPWpfbQAoidk8urHif5OTdIyqunce6b1Fqz7NH118n
DVQp/Txk6hGtGkHxYCC0biG20+u6XlD9qkYWn2KYqxBxJZvV12YO3pC1kzYAR9Xy
VlCfyHK8pGdcHO8LHZsWR5PeryNBWU14xlOVQsziFE4oMyEiSt00cUQhF+yCLQpr
T7+xvKTGA9YTXfI59LprKMXN5RPCBF5WuQZoxlREQMjhYV+b1rQx1jkkrflA0liF
oTgkrGw5mxk9jlQbFNeY4eVAudF3w2OdVD/N5UNoR+L7Jj1gAJjEV6uYQrJ9f58h
7UzsktkHPgROncZGGZLDM/acRbzar3Iv4CK8hnsHrAan8qd7jh9kU8DEXQ1Is2qf
w1/BMX4DPfijY1zboqUbrFwAmq7twoiTJPK+++aYBU7fu5tvRIPIXdziGOkWmrc6
gjsIQA8GoM4am19VlD6P1inHMa1P4s8Md6AvbeAPkWXGmsYdsHvRDo8CAwEAAQ==
-----END RSA PUBLIC KEY-----
EOD
my ($payload, $signature) =
($packet =~ m{--\n(.*?)--[^\n]+\n(.*?)--}ms);
my $decoded_signature = decode_base64($signature);
my $rsa_pub = Crypt::OpenSSL::RSA->new_public_key($public_key);
$rsa_pub->use_sha512_hash();
if ($rsa_pub->verify($payload, $decoded_signature)) {
    print "Signature verifies.\n";
}
else {
    print "Signature DOES NOT verify.\n";
}
My question is -- can anyone tell me what OpenSSL function calls (in both C and
Java) are made using this code written in Perl?
I suppose a secondary question would be -- what function would read in this
Public key from a file as my original code did?
Thank you for the help
Jim
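
An added example, not part of Jim's post or the provider's code: the key above is labelled "BEGIN RSA PUBLIC KEY", which is a bare PKCS#1 RSAPublicKey, while PEM_read_PUBKEY parses the SubjectPublicKeyInfo form labelled "BEGIN PUBLIC KEY" (OpenSSL's reader for the PKCS#1 form is PEM_read_RSAPublicKey). The sketch below shows the structural difference by wrapping PKCS#1 DER bytes in a SubjectPublicKeyInfo; the function names are hypothetical and base64/PEM handling is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER AlgorithmIdentifier: rsaEncryption (1.2.840.113549.1.1.1), NULL params. */
static const uint8_t RSA_ALG_ID[] = {
    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
    0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00
};

/* Size of a DER tag + definite length header for a body of `len` bytes. */
static size_t der_hdr_size(size_t len)
{
    return len < 0x80 ? 2 : len <= 0xff ? 3 : 4;
}

/* Write tag and definite length (up to 0xffff); returns bytes written. */
static size_t der_put_hdr(uint8_t *p, uint8_t tag, size_t len)
{
    size_t n = 0;
    p[n++] = tag;
    if (len < 0x80) {
        p[n++] = (uint8_t)len;
    } else if (len <= 0xff) {
        p[n++] = 0x81; p[n++] = (uint8_t)len;
    } else {
        p[n++] = 0x82; p[n++] = (uint8_t)(len >> 8); p[n++] = (uint8_t)len;
    }
    return n;
}

/* Wrap a PKCS#1 RSAPublicKey (DER) in a SubjectPublicKeyInfo (hypothetical
 * helper). Returns the output length, or 0 on bad input or a short buffer. */
size_t pkcs1_to_spki(const uint8_t *in, size_t in_len, uint8_t *out, size_t cap)
{
    if (in == NULL || out == NULL || in_len < 2 || in[0] != 0x30 || in_len > 0xff00)
        return 0;
    size_t bits_len = 1 + in_len;            /* unused-bits octet + key bytes */
    size_t body_len = sizeof RSA_ALG_ID + der_hdr_size(bits_len) + bits_len;
    size_t total = der_hdr_size(body_len) + body_len;
    if (total > cap) return 0;
    size_t n = der_put_hdr(out, 0x30, body_len);           /* outer SEQUENCE */
    memcpy(out + n, RSA_ALG_ID, sizeof RSA_ALG_ID); n += sizeof RSA_ALG_ID;
    n += der_put_hdr(out + n, 0x03, bits_len);             /* BIT STRING */
    out[n++] = 0x00;                                       /* no unused bits */
    memcpy(out + n, in, in_len); n += in_len;
    return n;
}
```

The output, base64-encoded between "BEGIN PUBLIC KEY" and "END PUBLIC KEY" lines, is the encoding PEM_read_PUBKEY expects.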