Verify Java signature with OpenSSL under PHP

Hi, I need to verify a signature that was generated with Java using OpenSSL under PHP.

This is what I'm doing with no success:

I'm generating a signature in Java with this code:

    Signature dsa = Signature.getInstance("SHA1withDSA", "SUN");
    dsa.initSign(priv);
    String cadena = "string to sign";
    byte[] a = cadena.getBytes();
    dsa.update(a);
    byte[] realSig = dsa.sign();

Then I'm saving the signature to a file:

    FileOutputStream sigfos = new FileOutputStream("inventic.sig");
    sigfos.write(realSig);
    sigfos.close();

Now, I want to verify the signature in PHP using OpenSSL.

I've converted my certificate generated by keytool to PEM.

I have this code:

    // I get the public key
    $fp = fopen("inventic.pem", "r");
    $cert = fread($fp, 8192);
    fclose($fp);
    $pubkeyid = openssl_get_publickey($cert);

    // I get the signature
    $fp = fopen("inventic.sig", "r");
    $signature = fread($fp, filesize("inventic.sig"));
    fclose($fp);

    // I verify the signature
    $data = 'string to verify';
    $ok = openssl_verify($data, $signature, $pubkeyid);
    if ($ok == 1) {
        echo "good";
    } elseif ($ok == 0) {
        echo "bad";
    } else {
        echo "ugly, error checking signature: ";
    }

I always get -1 on verify. Do you know what I'm doing wrong? Or am I trying to compare oranges with apples?

Thank you!

Banzinho

[1514 byte] By [Banzinhoa] at [2007-10-2 6:04:04]
# 1

The Strings in Java are Unicode UTF8 encoded, which by default is not the case in other languages.

Most likely that's the origin of the problem in this case. I would suggest you save the signed bytes as signed data too, and read them in your PHP script and do the verification against them instead of instantiating string literals in different languages.

babakNa at 2007-7-16 13:04:29 > top of Java-index,Security,Other Security APIs, Tools, and Issues...
# 2
Hi babaKN, I've tried and it's not working. If the problem was a different encoding, maybe the result would be a not verified signature, but the result I'm having is an error other than true or false for the signature; there's an error trying to verify.

Thanks.

Banzinho
Banzinhoa at 2007-7-16 13:04:29
# 3

Seems like the openssl_verify method of the PHP library you use is not as generic as it should be. It is using the EVP methods of OpenSSL, which will require your installation to set the engines as you might be expecting in your signatures, and it just simply depends on them.

That's at least what I can see from:

http://lxr.php.net/source/php-src/ext/openssl/openssl.c#2893

The default OpenSSL engines, on the other hand, are not set to take your DSA public key for the verification.

So, you can either set those engines in OpenSSL to the proper ones you use:

http://www.openssl.org/docs/crypto/evp.html

or

implement/use an alternative PHP module using the DSA functions of OpenSSL directly (defined in include/openssl/dsa.h of the OpenSSL sources).

I don't think it is a Java issue anyway, as far as your generated keys are of proper types and you get no exception loading your private key and generating your signature.

The easiest alternative, though, if you are free to choose, is taking RSA instead of DSA from the beginning.

babakNa at 2007-7-16 13:04:29
# 4
Thanks babakN, I'll try with RSA. Thank you for your help.
Banzinhoa at 2007-7-16 13:04:29
# 5
I've tried with RSA and it works perfectly!!! Thanks again.

Banzinho
Banzinhoa at 2007-7-16 13:04:29
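
An added example, not code from any poster in this thread: a PHP verifier that accepts only the integer 1 as success and, when openssl_verify() returns -1 as in the question, reports the key type and OpenSSL's error queue instead of printing nothing. The function names verify_detached and openssl_errors are hypothetical, and the RSA key and SHA-256 digest (the counterpart of Java's SHA256withRSA) are constructed stand-ins for the Java-generated key and signature.

```php
<?php
// Added example; key, message and signature are constructed for the demo.

// Drain OpenSSL's error queue: the reason for a -1 result is left there.
function openssl_errors(): array {
    $errors = [];
    while (($e = openssl_error_string()) !== false) {
        $errors[] = $e;
    }
    return $errors;
}

// Returns 'valid', 'invalid' or 'error: ...'.
// -1 is truthy in PHP, so `if (openssl_verify(...))` would accept an error
// as a good signature; compare strictly against 1.
function verify_detached(string $data, string $sig, string $pem, int $algo): string {
    $key = openssl_pkey_get_public($pem);
    if ($key === false) {
        return 'error: cannot load key: ' . implode('; ', openssl_errors());
    }
    $names = [OPENSSL_KEYTYPE_RSA => 'RSA', OPENSSL_KEYTYPE_DSA => 'DSA'];
    $type = $names[openssl_pkey_get_details($key)['type']] ?? 'other';

    $ok = openssl_verify($data, $sig, $key, $algo);
    if ($ok === 1) {
        return 'valid';
    }
    if ($ok === 0) {
        return 'invalid';
    }
    return "error: $type key: " . implode('; ', openssl_errors());
}

// Constructed stand-in for the Java side: RSA key pair and detached signature.
$priv = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
$pem  = openssl_pkey_get_details($priv)['key'];   // public key in PEM form
$data = 'string to sign';
openssl_sign($data, $sig, $priv, OPENSSL_ALGO_SHA256);

echo verify_detached($data, $sig, $pem, OPENSSL_ALGO_SHA256), "\n";
echo verify_detached($data . 'x', $sig, $pem, OPENSSL_ALGO_SHA256), "\n";
echo verify_detached($data, $sig, 'not a PEM key', OPENSSL_ALGO_SHA256), "\n";
```

When the signature comes from Java, the bytes passed as $data must be exactly the bytes given to Signature.update(), and the $algo constant must name the same digest as the Java algorithm string.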