Hi,
I created a CSR file and a private key PEM file used the following command in openSSL
openssl req -new -utf8 -nameopt multiline,utf8 -config rahat.cnf -newkey rsa:2048 -nodes -keyout rahat.key -out rahat.Csr
Then I got the certificate from authorities in the form of a crt file. I converted to cer and then extract the public key with the following command in OpenSSL
openssl x509 -pubkey -noout -in rahat.cer > pubkey.txt
Then I created a p12 file containing the certificate and also both the public and private keys using the following OpenSSL command:
openssl pkcs12 -export -out rahat.p12 -inkey rahat.key -in rahat.cer
I have a physical actual ePass3003Auto token. I imported the p12 file into this Token used ePassManagerAdm_3003.exe application to create a signature. Then extracted the cer file and extracted the public key and compared with the pubkey.txt above and both were identical.
Now the problem:
I used the actual token to sign a "Hello World" string in java. It worked and then I could verify the signed data using certificate and public key again in java.
On the other hand I used contents of the rahat.key file that is actually Base64 private key, and with the following lines in java I signed "Hello World" again.
Suppose PRIVATE_KEY is the private key string.
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.security.cert.Certificate;
import java.security.Provider;
import java.security.Security;
import java.util.Base64;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
public byte[] signData(byte[] data, String PRIVATE_KEY) throws Exception {
byte[] encoded = Base64.getDecoder().decode(PRIVATE_KEY);
PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded);
KeyFactory kf = KeyFactory.getInstance("RSA");
PrivateKey pk = kf.generatePrivate(keySpec);
Signature signature = Signature.getInstance("SHA256withRSA");
signature.initSign(pk);
signature.update(data);
byte[] signedData = signature.sign();
return signedData;
}`
WHY the result are different? Shouldn't be the resulting signed data from two methods be identical?
Here is the signing code with the actual Token:
Provider p = Security.getProvider("SunPKCS11");
p = p.configure("config.cfg");
Security.addProvider(p);
KeyStore keyStore = KeyStore.getInstance("PKCS11", p);
char[] pin = "4321".toCharArray();
keyStore.load(null, pin);
java.util.Enumeration<String> aliases = keyStore.aliases();
String alias = aliases.nextElement();
PrivateKey pk = (PrivateKey)keyStore.getKey(alias, "4321".toCharArray());
Certificate[] chain = keyStore.getCertificateChain(alias);
X509Certificate cert = (X509Certificate)chain[0];
Signature signature = Signature.getInstance("SHA256withRSA");
signature.initSign(pk);
signature.update(data);
byte[] signedData = signature.sign();
signature.initVerify(cert.getPublicKey());
signature.update(data);
boolean verified = signature.verify(signedData);
System.out.println("Verified: " + verified);
return signedData;
Please check the second part of the code "signing with token". What changes should I make?
I can do nothing about the first part of code. What I am concerned is regarding the second part of code when signing with the Token.
The result of Token signature:
xDFul4EPEjzDpEzRqh9Dkp1fSDR7YcfSHqnEqO+f80tDg0DLcKdHtXOJp/ZdPVmwrd295JEG/6BQ7LCCgbGfwRcfgibAMD8H8reJw+MuW9ms4+dfTj16kTC+nQ9G2diOX4Gmxf6wISPGsLp6/MJs6Uu2SRA3kkXvwUTEPgEtehm3XzXKeHNQ+rGhb3nYH20uCv3y4uayxqm5QNZVLbRmeHQEXC3abqHcSSJwr7CSE+IDhlpB6SgO2f0wtrHftieZTL5zGHiN0fEIRkV6x3dd1wYhbSbr8+gxd+S8vclkljQt7vs4ffTLOcAuXyqjnIxy4avsN85BAW1cUtfbgOqrwQ==
256
The result of PKCS8 signature:
YcwHcx8jvDwuZDTmSXMFtoob3k4kFkm2ZG/TBOkJNilV6Zd81oK+uBWrJ/BrqUIabaDl6VPrTTQpWyY+QjMsRKHOtdlyIHD3EKDBJBamNRrbWNcixsYg9ettUukqTql/wy/PSfLVQCLb5AFbc1SdcH88x6U8IZYMkbv0HqlJ2YJhbUX1vhGPkUEXMqBl00W7En8HP5HUfNJMyJdnydByRKw4kjE2o2tRedID3sgqXI9ALV1Beow7rAjViTy3Huf9KDCLZN+JAmuDXYXD9UhtZrSq3Mdo3KLXdXxckss2/rzj033eEqhJUdA/s4IGfGCo15sLt9Qo7n5fkZSLF1Jk9g==
256
I could manage it somehow if only one or two characters were different!!
Any comment on this matter is appreciated.