Hello coco,
I am also facing the similar problem. I am generating signature
using OpenSSL and passing in to JAVA to verify (running JAVA test
suite). Signature format is in DER encoded PKCS#7 format.
But JAVA is not able to parse the "SignedData" content in the
PKCS#7 format. It is giving "rejects tag type -96" error while parsing.
Any comments on this are greatly appreciated.
If you got any clue........kindly let me know.
Thanking you....
Madhu
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of coco coco
Sent: Wednesday, June 15, 2005 5:17 PM
To: openssl-users@openssl.org
Subject: problem verifying signature from java
I'm trying to get a client application written in C++ using OpenSSL to
verify a signature sent by a
server (in Java) and vice versa. Not sure I specified it correctly, but
the
signatures generated on
both sides, from the same input data, are not the same, and therefore,
can't
be verify. And this
is using the same key, of course.
Here is the code in Java for signing it:
======================================================
String testKey =
"-----BEGIN RSA PRIVATE KEY-----\n" +
"MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ\n" +
"2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF\n" +
"oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr\n" +
"8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc\n" +
"a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7\n" +
"WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA\n" +
"6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=\n" +
"-----END RSA PRIVATE KEY-----\n";
String testCert =
"-----BEGIN CERTIFICATE-----\n" +
"MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD\n" +
"VQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5ldXJv\n" +
"bmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMTEmJy\n" +
"dXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZpMB4X\n" +
"DTk2MDkwNTAzNDI0M1oXDTk2MTAwNTAzNDI0M1owgaAxCzAJBgNVBAYTAlBUMRMw\n" +
"EQYDVQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5l\n" +
"dXJvbmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMT\n" +
"EmJydXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZp\n" +
"MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNw\n" +
"L4lYKbpzzlmC5beaQXeQ2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAATAN\n" +
"BgkqhkiG9w0BAQQFAANBAFqPEKFjk6T6CKTHvaQeEAsX0/8YHPHqH/9AnhSjrwuX\n" +
"9EBc0n6bVGhN7XaXd6sJ7dym9sbsWxb+pJdurnkxjx4=\n" +
"-----END CERTIFICATE-----\n";
// same input string for both Java and C++
String input = "9O2CQ14zAXEd7GzJ9XELhQH.aE6";
public void doSign()
{
try
{
// Note: PEMReader is from BouncyCastle
StringReader sReader = new
StringReader(testKey);
PEMReader pemReader = new PEMReader(sReader);
KeyPair keypair = (KeyPair)
pemReader.readObject();
PrivateKey privKey = keypair.getPrivate();
PublicKey pubKey = keypair.getPublic();
sReader = new StringReader(testCert);
pemReader = new PEMReader(sReader);
X509Certificate cert =
(X509Certificate)pemReader.readObject();
PublicKey pubKey2 = cert.getPublicKey();
Signature sig =
Signature.getInstance("SHA1withRSA");
sig.initSign(privKey);
sig.update(input.getBytes());
byte[] sigvalue = sig.sign();
Base64 b64 = new Base64();
byte[] b = b64.encode(sigvalue);
String s = new String(b);
System.out.println("'" + s + "'");
sig.initVerify(pubKey2);
sig.update(input.getBytes());
boolean status = sig.verify(sigvalue);
System.out.println(status);
}
catch(Exception e)
{
e.printStackTrace();
}
}
======================================================
And the code in C for verifying:
======================================================
char * testKey =
"-----BEGIN RSA PRIVATE KEY-----\n" \
"MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ\n" \
"2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF\n" \
"oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr\n" \
"8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc\n" \
"a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7\n" \
"WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA\n" \
"6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=\n" \
"-----END RSA PRIVATE KEY-----\n";
char * testCert =
"-----BEGIN CERTIFICATE-----\n" \
"MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD\n" \
"VQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5ldXJv\n" \
"bmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMTEmJy\n" \
"dXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZpMB4X\n" \
"DTk2MDkwNTAzNDI0M1oXDTk2MTAwNTAzNDI0M1owgaAxCzAJBgNVBAYTAlBUMRMw\n" \
"EQYDVQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5l\n" \
"dXJvbmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMT\n" \
"EmJydXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZp\n" \
"MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNw\n" \
"L4lYKbpzzlmC5beaQXeQ2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAATAN\n" \
"BgkqhkiG9w0BAQQFAANBAFqPEKFjk6T6CKTHvaQeEAsX0/8YHPHqH/9AnhSjrwuX\n" \
"9EBc0n6bVGhN7XaXd6sJ7dym9sbsWxb+pJdurnkxjx4=\n" \
"-----END CERTIFICATE-----\n";
void DoVerify(char *input, char *sig)
{
BIO *bio = BIO_new_mem_buf(testCert, -1);
X509 *x509 = NULL;
PEM_read_bio_X509(bio, &x509, 0, NULL);
if (x509 == NULL)
std::cout << "PEM_read_bio_X509 failed..." << std::endl;
EVP_PKEY * testpubkey = X509_get_pubkey(x509);
EVP_MD_CTX vctx;
EVP_MD_CTX_init(&vctx);
EVP_VerifyInit_ex(&vctx, EVP_sha1(), NULL);
EVP_VerifyUpdate(&vctx, input, strlen(input));
char sigbuf[1024];
memset(sigbuf, 0, 1024);
int sigLen = ::B64ToBytes(sigbuf, sig);
int ret = EVP_VerifyFinal(&vctx, (unsigned char *)sigbuf,
sigLen,
testpubkey);
if (ret == 1)
{
std::cout << "Signature is valid" << std::endl;
}
else if (ret == 0)
std::cout << "Signature is invalid..." << std::endl;
else
std::cout << "Verification failed..." << std::endl;
}
======================================================
Funny thing is, using the same input string and same key, the signatures
generated
on both sides are different:
// from C++
char * signature =
"1otFzSd23pVwXxVH.RYUdBB7j1ty0oFnvA0hIA4w55Ufm0fajeN4fgjpEd2.KlhYrXKAmzy
TzkDGhr6ynz3Yyj";
// from java
char * signature2 =
"ctz/XJwg83+oe30fm4npyyx7Qd/AMj8eSgK0ihOhRXqcAKZLaFxKarczpwvlL64tYVCsPfH
fbjUK9RvMfQ4vLQ==";
Obviously, the signature generated from Java is very different from the
one
generated
using OpenSSL, and OpenSSL can't verify it.
The key is an RSA key, for sure, but the following line:
EVP_VerifyInit_ex(&vctx, EVP_sha1(), NULL);
Isn't this equivalent to SHA1withRSA in Java?
The signature is converted into B64 format and transmitted from the
server
to the client.
The client converts it back to byte array and performs verification.
That's
about it.
The signature generated in Java can be verified in Java, and the
signature
generated in C++
can be verified in C++. They just don't work together.
Must have done something wrong. Any help would be very much appreciated.
coco
_________________________________________________________________
Is your PC infected? Get a FREE online computer virus scan from
McAfee(r)
Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
#####################################################################
This Email Message is for the sole use of the intended recipient(s) and May
contain CONFIDENTIAL and PRIVILEGED information.
LG Soft India will not be responisible for any viruses or defects or
any forwarded attachements emanating either from within
LG Soft India or outside. Any unauthorised review , use, disclosure or
distribution is prohibited. If you are not intentded
recipient, please contact the sender by reply email and destroy all
copies of the original message.
#####################################################################
