Hi,
Based on information and suggestions you have given me, I came at the
problem from a different direction. Instead of trying to verify the
signature, I tried using our private key to sign the original data. After a
couple of hours, I succeeded in getting the same signature as was supplied in
the signed message. I then used this information to verify the signature
just created. Just a small amount of more work yielded a routine that
worked in taking the signed file, parsing it and verifying the signature.
Here's a copy of the final verification code. xmlDat is the original xml
file string and sigDat is the signature received.
#include <stdio.h>
#include <string.h>
#include <glib.h>
#include <openssl/evp.h>
#include <openssl/pem.h>

// xmlDat: the original xml file string; sigDat: the Base64 signature received
int verifyLicense(const char *filePubKey, const char *xmlDat, const char *sigDat)
{
    FILE *fp;
    EVP_PKEY *pkey;
    EVP_MD_CTX *md_ctx;
    guchar *sigDatEnc;
    gsize sigDatLen;
    int err;

    // Read public key
    fp = fopen(filePubKey, "r");
    if (fp == NULL)
    {
        printf("Didn't work 1\n");
        return 1;
    }
    pkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL);
    fclose(fp);
    if (pkey == NULL)
    {
        printf("Didn't work 2\n");
        return 2;
    }
    // Base64-decode the signature; sigDatLen receives the decoded byte count
    sigDatEnc = g_base64_decode(sigDat, &sigDatLen);
    md_ctx = EVP_MD_CTX_create();
    EVP_VerifyInit(md_ctx, EVP_sha512());
    EVP_VerifyUpdate(md_ctx, xmlDat, strlen(xmlDat));
    err = EVP_VerifyFinal(md_ctx, sigDatEnc, (unsigned int)sigDatLen, pkey);
    EVP_MD_CTX_destroy(md_ctx);
    g_free(sigDatEnc); // looked up g_free and it seems to just do a free()
    EVP_PKEY_free(pkey);
    if (err != 1)
    {
        printf("Didn't Verify %d\n", err);
        return 2;
    }
    printf("Signature Verified Ok.\n");
    return 0;
}
Thanks for everything.
Jim
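Added example (mine, not code from the thread): a stdlib-only Python model of what EVP_VerifyFinal checks for an RSA key with SHA-512, i.e. RSASSA-PKCS1-v1_5. It signs with a locally generated toy key, Base64-encodes the result the way the license signature arrives, and shows that verification succeeds only on the decoded bytes, which is the point Mounir made about feeding binary data rather than the Base64 text. The 1024-bit key size and the sample data are assumptions for the demonstration.

```python
import base64
import hashlib
import random

# DER DigestInfo prefix for SHA-512 (RFC 8017, section 9.2, note 1)
SHA512_PREFIX = bytes.fromhex("3051300d060960864801650304020305000440")

def emsa_pkcs1_v15(data, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-512(data) into k bytes."""
    t = SHA512_PREFIX + hashlib.sha512(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def is_probable_prime(n, rounds=24):
    # Miller-Rabin; adequate for a throwaway demonstration key
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def gen_rsa_key(bits=1024, e=65537):
    """Return (n, e, d); 1024 bits is an assumed toy size to keep it fast."""
    def prime(b):
        while True:
            p = random.getrandbits(b) | 1 << (b - 1) | 1
            if p % e != 1 and is_probable_prime(p):
                return p
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def sign_b64(data, key):
    """Sign as EVP_Sign*(EVP_sha512()) would; return Base64 text as received."""
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(data, k), "big")
    return base64.b64encode(pow(m, d, n).to_bytes(k, "big")).decode()

def verify(data, sig, key):
    """What EVP_VerifyFinal checks; sig must be the decoded signature bytes."""
    n, e, _ = key
    k = (n.bit_length() + 7) // 8  # 512 bytes for a 4096-bit key
    if len(sig) != k:  # the Base64 text is longer and is rejected here
        return False
    s = int.from_bytes(sig, "big")
    return s < n and pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(data, k)
```

The length check is why a 512-byte signature implies a 4096-bit modulus: the raw signature is always exactly as long as the key.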
- Original Message -
From: Mounir IDRASSI mounir.idra...@idrix.net
To: openssl-users@openssl.org
Sent: Saturday, November 07, 2009 4:09 AM
Subject: Re: Signature Verification
Hi,
In order to help you further, can you post:
- The data to be hashed which is the content of your variable xmlDat
- The signature to be verified which is the content of your variable
sigDat (maybe it's what you posted first)
- The public key that will be used for the verification
- The endianness of the signature. It should be big endian as
expected by OpenSSL
And just one last confirmation: In your first email, you posted some
BASE64 data that you say is the signature. This data is 512 bytes long. So
this would mean that the key used is a 4096 bit RSA key. Is this correct?
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
Jim Welch wrote:
Hello Again,
The code is there to check for a non-null pkey. It wasn't copied to keep
the original message shorter. I've now made sure that I've Base64'd the
xml string and Base64'd the signature string. These are what I'm giving
to the EVP_VerifyUpdate and EVP_VerifyFinal. Still not verifying.
Thanks Again,
Jim
- Original Message -
From: Mounir IDRASSI mounir.idra...@idrix.net
To: openssl-users@openssl.org
Sent: Friday, November 06, 2009 5:11 PM
Subject: Re: Signature Verification
Hi,
You must also handle BASE64 decoding in EVP_VerifyUpdate not only
EVP_VerifyFinal. Those two functions must have as input the byte arrays
that represent the binary data and the binary signature respectively.
Concerning PEM_read_PUBKEY, if it returns a non NULL pointer then
everything is OK with the public key and you don't have to worry.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
Jim Welch wrote:
Hi,
Thank you for the response. It was sha512 not 256. I changed it to
EVP_sha512 in the code but it still won't verify. On the verify final,
I've tried it both with and without a Base64 converted string (and
corresponding length). I'm not sure from what I've read if the
PEM_read_PUBKEY does a Base64 conversion on the Public Key or not and
I'm not sure where to look in the pkey to find out.
Jim
- Original Message -
From: Mounir IDRASSI mounir.idra...@idrix.net
To: openssl-users@openssl.org
Sent: Friday, November 06, 2009 3:55 PM
Subject: Re: Signature Verification
Hi,
In your description you say that the signature was created with SHA256
but in your code you are using SHA-1 through EVP_sha1. Replace this
with EVP_sha256 for correct processing.
Also, your data seems to be BASE64 encoded and you are computing the
digest directly on the BASE64 string. You should convert this BASE64
string to the corresponding byte array and then compute the digest on
this byte array.
I hope this will help.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
Jim Welch wrote:
Hello,
I've been trying to verify the signature from the following xml data:
<license_data><version>1.0</version><serial>EC1000-0900018</serial><mac>00:54:66:18:3A:40</mac>
<module code="impedance"><start>2000-01-01</start><end>2099-12-31</end></module>
<module code="multimeter"><start>2000-01-01</start><end>2099-12-31</end></module>
<module code="sulfation"><start>2000-01-01</start><end>2099-12-31</end></module>
<cookie>AA80A2A7119FD4F1C122080E1AD17490</cookie></license_data>
using this signature:
C4S953HqB8S/SZ8nOO5IgGA0Vm3BxHT8vByWJFG2gn/OrBKc45QvjEdX855bb9p8KdSa1YQt3nnv
p6MCA+5YCDePEIuYpbTYzAIJ9p7zqpJsXzb8YlDpw4qpf0TSbCCEFZZReSRSAxlE2gH/SOvPAjRY
ykvxbjrgMQ07Jf/ae4lX+CaBxA/Az8efhsBDyT6wCPECkj1SiufTtVA2MAt9Bf76Y1T5RnHph/kf
Hj3/osgrMKKbIPhii2nPktMH223QfgmTOtHxw21ahi2vcSnADb9p1WIjDiq