Skip to Main Content
Forums

Java Security

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Problem verifying signature created with openssl generated key

843811Aug 22 2006 — edited Aug 24 2006
This is a long posting so please bear with me!

I am having problems verifying a signature created by an openssl generated key and certificate.

I created a private key and self signed certificate as described in http://developer.softwareag.com/tamino/documentation/ssl/ssl_support/certificates.htm

I then used the php script below to sign some text and write the signature to a file. The signature is then read back in and verified using the certificate. This works:

PHP Script 
<?php
// The file the source data will be saved in
$sourceFile = "/tmp/SourceData.txt";

// Create the unencrypted text info and store it in a file
$source = "Some text to be signed\n";
file_put_contents($sourceFile, $source);

// Paths to private key and certificate generated by openssl
$privateKeyPath="/Projects/CreateKeys/server.key.unsecure";
$certPath = "/Projects/CreateKeys/server.crt";

// Read in the private key data
$fp=fopen($privateKeyPath,"r"); 
$priv_key_data=fread($fp,8192); 
fclose($fp);
$priv_key = openssl_pkey_get_private($priv_key_data); 

// Read in the source data from the file
$fp=fopen($sourceFile,"r"); 
$srcDataFromFile=fread($fp,8192); 
fclose($fp); 

// compute signature
$result = openssl_sign($srcDataFromFile, $signature, $priv_key);

if ($result == True)
{
	print "<br>";
	print "Signature created successfully:";
	print "<br>";
	// Write the signature to the output file base64 encoded
	$sig = base64_encode($signature);
	file_put_contents("/tmp/signature.txt", $sig);
}
else
{
	print "<br>Failed to sign<br>";
}

// Now try to verify signature
$fp=fopen($certPath,"r"); 
$cert_data=fread($fp,8192); 
fclose($fp); 

$pub_key = openssl_get_publickey($cert_data); 
$cert_res = openssl_x509_read($cert_data);
$keyCheck = openssl_x509_check_private_key($cert_res, $priv_key);

if ($keyCheck == True)
{
	$result = openssl_verify($srcDataFromFile, $signature, $pub_key);
	if ($result == True)
	{
		print "<br><br>";
		print "Signature verified";
		print "<br><br>";
	}
}

openssl_free_key($pub_key);
openssl_x509_free($cert_res);
?>
Now we get to the Java code.
All I want to do here is to verify the signature created by the PHP code using the same certificate I used to verify the signature in PHP:
import java.io.BufferedInputStream;
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;

public class SignatureTest
{
	public static void main(String[] unused) throws Exception
	{
		// Get the public key from the certificate
		Certificate cert = readCertificateFromFile();
		PublicKey publicKey = ((X509Certificate)cert).getPublicKey();
		
		byte[] sigbytes = getSignatureBytes("C:/tmp/signature.txt");
		boolean result = verify("C:/tmp/sourceData.txt", publicKey, "MD5withRSA", sigbytes);
		System.out.println("Signature Verification Result = " + result);
	}

	private static Certificate readCertificateFromFile()
	{
		Certificate cert = null;

		try
		{
			FileInputStream fis = new FileInputStream("C:/Projects/CreateKeys/server.pem");
			BufferedInputStream bis = new BufferedInputStream(fis);

			CertificateFactory cf = CertificateFactory.getInstance("X.509");

			while (bis.available() > 0)
			{
				cert = cf.generateCertificate(bis);
				System.out.println(cert.toString());
			}
		}
		catch (Exception e)
		{
			System.out.println("ERROR: " + e);
			e.printStackTrace();
		}
		return cert;

	}

	public static byte[] getSignatureBytes(String filename)
	{
		byte[] sigBytes = null;
		
		try
		{
			FileInputStream in = new FileInputStream(filename);
			sigBytes = new byte[8192];
			int count = in.read(sigBytes);
			in.close();
		}
		catch (Exception e)
		{
			System.out.println(e.toString());
			e.printStackTrace();
		}
		
		return sigBytes;
	}
}
Which produces the result:

Signature Verification Result = false


Please can someone help? I have spent several days trying to sort out this problem.

Thanks in advance...
Comments
Locked Post
New comments cannot be posted to this locked post.
Post Details
Locked on Sep 21 2006
Added on Aug 22 2006
#cryptography
7 comments
1,484 views