Yet another signature Verification
Hello, We started working on a project several months ago that has a need for signature verification of an xml file. We had completed our tests and everything was woking. The provider of the file then sent us a new Public Key and said that it is what we will get for the live data. The file will not read into our programs (one in C++ and one in Java). The C code that was working is as follows: pkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL); fclose (fp); if (pkey == NULL) { error stuff } sigDatEnc = g_base64_decode( (gchar *) sigDat, sigDatLen); EVP_VerifyInit(md_ctx, EVP_sha512()); EVP_VerifyUpdate(md_ctx, xmlDat, strlen((char *) xmlDat)); err = EVP_VerifyFinal (md_ctx, sigDatEnc, sigDatLen, pkey); free(sigDatEnc); EVP_PKEY_free (pkey); It fails on the PEM_read_PUBKEY by returning a NULL when it tries to read in the file. The only help we can get from the provider is the following code (Perl) which woks for them: #!/usr/bin/perl use Crypt::OpenSSL::Random; use Crypt::OpenSSL::RSA; use MIME::Base64; my $packet = EOD; -BEGIN GLOBAL ENERGY INNOVATIONS LICENSE DATA- license_datamac00:0D:15:00:74:1A/macversion1.0.0/versionserialEC 1000-0900018/serialmodule code=impedancestart2000-01-01/startend2099-12-31/end/modulecoo kieD2940155EEDB6C92E3FD703A63EC4527/cookietime1265407356/time/licens e_data -BEGIN GLOBAL ENERGY INNOVATIONS SIGNATURE- JkNJD5EG0o+ioFc67Ud+GWuoCjKHgdi9AzGC3B7yqf1QxBR8B4H5/owRrsgcB/KMjV2VP7drWWWD ETcS60FfYVLsUsakj69tCC8aVZCdkSeXmcvRvva8YzTi5oPzflDC8/o/MrMvy1+o8GgfgPTuAeSy iCGnI0R1KVIWiAeRB859y4WCJ/ME+CB1zWhf+8QawosQzGtrOL+l+8PRQSHxAU1Lr+8VcIQdF7iW MYmeS7YDNZRoxfKHev527oNYlR4ymSzgrgjh7sweNwLVuAIfX89PIGXPRWJYyddeE6au8cgJ2LIK aVU1Kf8MpQfbCm3IKCXgOnGUUGiNclAbOkfI4fR7wwsPM3XyNCtm0vLKZ58bdRC3tUxH3bzveOff +uyYQB+yRRNvhqMFnVtWr9N2Zd67eAkHlMKlJjBz2qyDcyMLk2NcaOJtcerHYmviBZrUaGJ8WvH8 7zb0FGsHzlkyIbaWrwwXAFl/yWxTwh0sti3QObpIFvY6CgsoCktZg2mtWHCdblgydBYer1dHN37h fz54lZAC6m5GpKch/K7ChcfmeSgX/3euybP6ZjcUeeyFp5AGhG9xND/e7XPk93iCzj044PyDoQLG 75ZP00LTIwAkG0Vf2WR6O9gTJovCklP2eKxn4BN7UlM/4S5EUkrW4mbV9f34/qGkhqG8f10Xzig= -END GLOBAL ENERGY INNOVATIONS SIGNATURE- EOD my $public_key = EOD; -BEGIN RSA PUBLIC KEY- MIICCgKCAgEAvW90MggAl07zMvyQdUk18/iOySyY8P/1vqC5XGNvC5aXIvC8UDpU 2v8EK40SUc0FEqP8g893HgW+yDJa7SF2VyW2IEcnum2yot2ifGHjCDUnea2W5wBO aFlY9Co9VXDLhRJNQyXyfKCXL/xiM2O2Py1x0+SIXkc1ml2M0x4Fb4QsMO5E2Y6o 2mRVlPlooDPkj4BijvVX/EiPWpfbQAoidk8urHif5OTdIyqunce6b1Fqz7NH118n DVQp/Txk6hGtGkHxYCC0biG20+u6XlD9qkYWn2KYqxBxJZvV12YO3pC1kzYAR9Xy VlCfyHK8pGdcHO8LHZsWR5PeryNBWU14xlOVQsziFE4oMyEiSt00cUQhF+yCLQpr T7+xvKTGA9YTXfI59LprKMXN5RPCBF5WuQZoxlREQMjhYV+b1rQx1jkkrflA0liF oTgkrGw5mxk9jlQbFNeY4eVAudF3w2OdVD/N5UNoR+L7Jj1gAJjEV6what uYQrJ9f58h 7UzsktkHPgROncZGGZLDM/acRbzar3Iv4CK8hnsHrAan8qd7jh9kU8DEXQ1Is2qf w1/BMX4DPfijY1zboqUbrFwAmq7twoiTJPK+++aYBU7fu5tvRIPIXdziGOkWmrc6 gjsIQA8GoM4am19VlD6P1inHMa1P4s8Md6AvbeAPkWXGmsYdsHvRDo8CAwEAAQ== -END RSA PUBLIC KEY- EOD my ($payload, $signature) = ($packet =~ m{--\n(.*?)--[^\n]+\n(.*?)--}ms); my $decoded_signature = decode_base64($signature); my $rsa_pub = Crypt::OpenSSL::RSA-new_public_key($public_key); $rsa_pub-use_sha512_hash(); if ($rsa_pub-verify($payload, $decoded_signature)) { print Signature verifies.\n; } else { print Signature DOES NOT verify.\n; } My question is -- can anyone tell me what OpenSSL function calls (in both C and Java) are made using this code written in Perl? I suppose a secondary question would be -- what function would read in this Public key from a file as my original code did? Thank you for the help Jim
Re: Yet another signature Verification
On Sat, Feb 06, 2010, Jim Welch wrote: Hello, We started working on a project several months ago that has a need for signature verification of an xml file. We had completed our tests and everything was woking. The provider of the file then sent us a new Public Key and said that it is what we will get for the live data. The file will not read into our programs (one in C++ and one in Java). The C code that was working is as follows: pkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL); fclose (fp); if (pkey == NULL) { error stuff } sigDatEnc = g_base64_decode( (gchar *) sigDat, sigDatLen); EVP_VerifyInit(md_ctx, EVP_sha512()); EVP_VerifyUpdate(md_ctx, xmlDat, strlen((char *) xmlDat)); err = EVP_VerifyFinal (md_ctx, sigDatEnc, sigDatLen, pkey); free(sigDatEnc); EVP_PKEY_free (pkey); It fails on the PEM_read_PUBKEY by returning a NULL when it tries to read in the file. The only help we can get from the provider is the following code (Perl) which woks for them: The FAQ tells you how to get more information however... -BEGIN RSA PUBLIC KEY- MIICCgKCAgEAvW90MggAl07zMvyQdUk18/iOySyY8P/1vqC5XGNvC5aXIvC8UDpU 2v8EK40SUc0FEqP8g893HgW+yDJa7SF2VyW2IEcnum2yot2ifGHjCDUnea2W5wBO aFlY9Co9VXDLhRJNQyXyfKCXL/xiM2O2Py1x0+SIXkc1ml2M0x4Fb4QsMO5E2Y6o 2mRVlPlooDPkj4BijvVX/EiPWpfbQAoidk8urHif5OTdIyqunce6b1Fqz7NH118n DVQp/Txk6hGtGkHxYCC0biG20+u6XlD9qkYWn2KYqxBxJZvV12YO3pC1kzYAR9Xy VlCfyHK8pGdcHO8LHZsWR5PeryNBWU14xlOVQsziFE4oMyEiSt00cUQhF+yCLQpr T7+xvKTGA9YTXfI59LprKMXN5RPCBF5WuQZoxlREQMjhYV+b1rQx1jkkrflA0liF oTgkrGw5mxk9jlQbFNeY4eVAudF3w2OdVD/N5UNoR+L7Jj1gAJjEV6what uYQrJ9f58h 7UzsktkHPgROncZGGZLDM/acRbzar3Iv4CK8hnsHrAan8qd7jh9kU8DEXQ1Is2qf w1/BMX4DPfijY1zboqUbrFwAmq7twoiTJPK+++aYBU7fu5tvRIPIXdziGOkWmrc6 gjsIQA8GoM4am19VlD6P1inHMa1P4s8Md6AvbeAPkWXGmsYdsHvRDo8CAwEAAQ== -END RSA PUBLIC KEY- That is an RSAPublicKey structure for which you call PEM_read_RSAPublicKey(). That returns an RSA structure which you need to convert to an EVP_PKEY structure using EVP_PKEY_new() and EVP_PKEY_assign_RSA() Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org