Yet another signature Verification
Hello,
We started working on a project several months ago that has a need for
signature verification of an xml file. We had completed our tests and
everything was woking. The provider of the file then sent us a new Public Key
and said that it is what we will get for the live data. The file will not read
into our programs (one in C++ and one in Java).
The C code that was working is as follows:
pkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL);
fclose (fp);
if (pkey == NULL)
{
error stuff
}
sigDatEnc = g_base64_decode( (gchar *) sigDat, sigDatLen);
EVP_VerifyInit(md_ctx, EVP_sha512());
EVP_VerifyUpdate(md_ctx, xmlDat, strlen((char *) xmlDat));
err = EVP_VerifyFinal (md_ctx, sigDatEnc, sigDatLen, pkey);
free(sigDatEnc);
EVP_PKEY_free (pkey);
It fails on the PEM_read_PUBKEY by returning a NULL when it tries to read in
the file. The only help we can get from the provider is the following code
(Perl) which woks for them:
#!/usr/bin/perl
use Crypt::OpenSSL::Random;
use Crypt::OpenSSL::RSA;
use MIME::Base64;
my $packet = EOD;
-BEGIN GLOBAL ENERGY INNOVATIONS LICENSE DATA-
license_datamac00:0D:15:00:74:1A/macversion1.0.0/versionserialEC
1000-0900018/serialmodule
code=impedancestart2000-01-01/startend2099-12-31/end/modulecoo
kieD2940155EEDB6C92E3FD703A63EC4527/cookietime1265407356/time/licens
e_data
-BEGIN GLOBAL ENERGY INNOVATIONS SIGNATURE-
JkNJD5EG0o+ioFc67Ud+GWuoCjKHgdi9AzGC3B7yqf1QxBR8B4H5/owRrsgcB/KMjV2VP7drWWWD
ETcS60FfYVLsUsakj69tCC8aVZCdkSeXmcvRvva8YzTi5oPzflDC8/o/MrMvy1+o8GgfgPTuAeSy
iCGnI0R1KVIWiAeRB859y4WCJ/ME+CB1zWhf+8QawosQzGtrOL+l+8PRQSHxAU1Lr+8VcIQdF7iW
MYmeS7YDNZRoxfKHev527oNYlR4ymSzgrgjh7sweNwLVuAIfX89PIGXPRWJYyddeE6au8cgJ2LIK
aVU1Kf8MpQfbCm3IKCXgOnGUUGiNclAbOkfI4fR7wwsPM3XyNCtm0vLKZ58bdRC3tUxH3bzveOff
+uyYQB+yRRNvhqMFnVtWr9N2Zd67eAkHlMKlJjBz2qyDcyMLk2NcaOJtcerHYmviBZrUaGJ8WvH8
7zb0FGsHzlkyIbaWrwwXAFl/yWxTwh0sti3QObpIFvY6CgsoCktZg2mtWHCdblgydBYer1dHN37h
fz54lZAC6m5GpKch/K7ChcfmeSgX/3euybP6ZjcUeeyFp5AGhG9xND/e7XPk93iCzj044PyDoQLG
75ZP00LTIwAkG0Vf2WR6O9gTJovCklP2eKxn4BN7UlM/4S5EUkrW4mbV9f34/qGkhqG8f10Xzig=
-END GLOBAL ENERGY INNOVATIONS SIGNATURE-
EOD
my $public_key = EOD;
-BEGIN RSA PUBLIC KEY-
MIICCgKCAgEAvW90MggAl07zMvyQdUk18/iOySyY8P/1vqC5XGNvC5aXIvC8UDpU
2v8EK40SUc0FEqP8g893HgW+yDJa7SF2VyW2IEcnum2yot2ifGHjCDUnea2W5wBO
aFlY9Co9VXDLhRJNQyXyfKCXL/xiM2O2Py1x0+SIXkc1ml2M0x4Fb4QsMO5E2Y6o
2mRVlPlooDPkj4BijvVX/EiPWpfbQAoidk8urHif5OTdIyqunce6b1Fqz7NH118n
DVQp/Txk6hGtGkHxYCC0biG20+u6XlD9qkYWn2KYqxBxJZvV12YO3pC1kzYAR9Xy
VlCfyHK8pGdcHO8LHZsWR5PeryNBWU14xlOVQsziFE4oMyEiSt00cUQhF+yCLQpr
T7+xvKTGA9YTXfI59LprKMXN5RPCBF5WuQZoxlREQMjhYV+b1rQx1jkkrflA0liF
oTgkrGw5mxk9jlQbFNeY4eVAudF3w2OdVD/N5UNoR+L7Jj1gAJjEV6what uYQrJ9f58h
7UzsktkHPgROncZGGZLDM/acRbzar3Iv4CK8hnsHrAan8qd7jh9kU8DEXQ1Is2qf
w1/BMX4DPfijY1zboqUbrFwAmq7twoiTJPK+++aYBU7fu5tvRIPIXdziGOkWmrc6
gjsIQA8GoM4am19VlD6P1inHMa1P4s8Md6AvbeAPkWXGmsYdsHvRDo8CAwEAAQ==
-END RSA PUBLIC KEY-
EOD
my ($payload, $signature) =
($packet =~ m{--\n(.*?)--[^\n]+\n(.*?)--}ms);
my $decoded_signature = decode_base64($signature);
my $rsa_pub = Crypt::OpenSSL::RSA-new_public_key($public_key);
$rsa_pub-use_sha512_hash();
if ($rsa_pub-verify($payload, $decoded_signature)) {
print Signature verifies.\n;
}
else {
print Signature DOES NOT verify.\n;
}
My question is -- can anyone tell me what OpenSSL function calls (in both C and
Java) are made using this code written in Perl?
I suppose a secondary question would be -- what function would read in this
Public key from a file as my original code did?
Thank you for the help
Jim
Re: Yet another signature Verification
On Sat, Feb 06, 2010, Jim Welch wrote:
Hello,
We started working on a project several months ago that has a need for
signature verification of an xml file. We had completed our tests and
everything was woking. The provider of the file then sent us a new Public
Key and said that it is what we will get for the live data. The file will
not read into our programs (one in C++ and one in Java).
The C code that was working is as follows:
pkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL);
fclose (fp);
if (pkey == NULL)
{
error stuff
}
sigDatEnc = g_base64_decode( (gchar *) sigDat, sigDatLen);
EVP_VerifyInit(md_ctx, EVP_sha512());
EVP_VerifyUpdate(md_ctx, xmlDat, strlen((char *) xmlDat));
err = EVP_VerifyFinal (md_ctx, sigDatEnc, sigDatLen, pkey);
free(sigDatEnc);
EVP_PKEY_free (pkey);
It fails on the PEM_read_PUBKEY by returning a NULL when it tries to read in
the file. The only help we can get from the provider is the following code
(Perl) which woks for them:
The FAQ tells you how to get more information however...
-BEGIN RSA PUBLIC KEY-
MIICCgKCAgEAvW90MggAl07zMvyQdUk18/iOySyY8P/1vqC5XGNvC5aXIvC8UDpU
2v8EK40SUc0FEqP8g893HgW+yDJa7SF2VyW2IEcnum2yot2ifGHjCDUnea2W5wBO
aFlY9Co9VXDLhRJNQyXyfKCXL/xiM2O2Py1x0+SIXkc1ml2M0x4Fb4QsMO5E2Y6o
2mRVlPlooDPkj4BijvVX/EiPWpfbQAoidk8urHif5OTdIyqunce6b1Fqz7NH118n
DVQp/Txk6hGtGkHxYCC0biG20+u6XlD9qkYWn2KYqxBxJZvV12YO3pC1kzYAR9Xy
VlCfyHK8pGdcHO8LHZsWR5PeryNBWU14xlOVQsziFE4oMyEiSt00cUQhF+yCLQpr
T7+xvKTGA9YTXfI59LprKMXN5RPCBF5WuQZoxlREQMjhYV+b1rQx1jkkrflA0liF
oTgkrGw5mxk9jlQbFNeY4eVAudF3w2OdVD/N5UNoR+L7Jj1gAJjEV6what uYQrJ9f58h
7UzsktkHPgROncZGGZLDM/acRbzar3Iv4CK8hnsHrAan8qd7jh9kU8DEXQ1Is2qf
w1/BMX4DPfijY1zboqUbrFwAmq7twoiTJPK+++aYBU7fu5tvRIPIXdziGOkWmrc6
gjsIQA8GoM4am19VlD6P1inHMa1P4s8Md6AvbeAPkWXGmsYdsHvRDo8CAwEAAQ==
-END RSA PUBLIC KEY-
That is an RSAPublicKey structure for which you call PEM_read_RSAPublicKey().
That returns an RSA structure which you need to convert to an EVP_PKEY
structure using EVP_PKEY_new() and EVP_PKEY_assign_RSA()
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
