Skip to Main Content

Java Security

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Interested in getting your voice heard by members of the Developer Marketing team at Oracle? Check out this post for AppDev or this post for AI focus group information.

Why signed data using two methods do not match?

user-7hjahMay 1 2023

Hi,

I created a CSR file and a private key PEM file used the following command in openSSL

openssl req -new -utf8 -nameopt multiline,utf8 -config rahat.cnf -newkey rsa:2048 -nodes -keyout rahat.key -out rahat.Csr

Then I got the certificate from authorities in the form of a crt file. I converted to cer and then extract the public key with the following command in OpenSSL

openssl x509 -pubkey -noout -in rahat.cer > pubkey.txt

Then I created a p12 file containing the certificate and also both the public and private keys using the following OpenSSL command:

openssl pkcs12 -export -out rahat.p12 -inkey rahat.key -in rahat.cer

I have a physical actual ePass3003Auto token. I imported the p12 file into this Token used ePassManagerAdm_3003.exe application to create a signature. Then extracted the cer file and extracted the public key and compared with the pubkey.txt above and both were identical.

Now the problem:

I used the actual token to sign a "Hello World" string in java. It worked and then I could verify the signed data using certificate and public key again in java.

On the other hand I used contents of the rahat.key file that is actually Base64 private key, and with the following lines in java I signed "Hello World" again.

Suppose PRIVATE_KEY is the private key string.

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.security.cert.Certificate;
import java.security.Provider;
import java.security.Security;
import java.util.Base64;

import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;


public byte[] signData(byte[] data, String PRIVATE_KEY) throws Exception {

    byte[] encoded = Base64.getDecoder().decode(PRIVATE_KEY);

    PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded);
    KeyFactory kf = KeyFactory.getInstance("RSA");
    PrivateKey pk = kf.generatePrivate(keySpec);
    
    Signature signature = Signature.getInstance("SHA256withRSA");
    signature.initSign(pk);
    signature.update(data);

    byte[] signedData = signature.sign();

    return signedData;
}`

WHY the result are different? Shouldn't be the resulting signed data from two methods be identical?

Here is the signing code with the actual Token:

    Provider p = Security.getProvider("SunPKCS11");
    p = p.configure("config.cfg");
    Security.addProvider(p);
    KeyStore keyStore = KeyStore.getInstance("PKCS11", p);

    char[] pin = "4321".toCharArray();
    keyStore.load(null, pin);

    java.util.Enumeration<String> aliases = keyStore.aliases();
    String alias = aliases.nextElement();

    PrivateKey pk = (PrivateKey)keyStore.getKey(alias, "4321".toCharArray());
    Certificate[] chain = keyStore.getCertificateChain(alias);
    X509Certificate cert = (X509Certificate)chain[0];

    Signature signature = Signature.getInstance("SHA256withRSA");
    signature.initSign(pk);
    signature.update(data);

    byte[] signedData = signature.sign();

    signature.initVerify(cert.getPublicKey());
    signature.update(data);
    boolean verified = signature.verify(signedData);
    System.out.println("Verified: " + verified);
    return signedData;

Please check the second part of the code "signing with token". What changes should I make?

I can do nothing about the first part of code. What I am concerned is regarding the second part of code when signing with the Token.

The result of Token signature:

xDFul4EPEjzDpEzRqh9Dkp1fSDR7YcfSHqnEqO+f80tDg0DLcKdHtXOJp/ZdPVmwrd295JEG/6BQ7LCCgbGfwRcfgibAMD8H8reJw+MuW9ms4+dfTj16kTC+nQ9G2diOX4Gmxf6wISPGsLp6/MJs6Uu2SRA3kkXvwUTEPgEtehm3XzXKeHNQ+rGhb3nYH20uCv3y4uayxqm5QNZVLbRmeHQEXC3abqHcSSJwr7CSE+IDhlpB6SgO2f0wtrHftieZTL5zGHiN0fEIRkV6x3dd1wYhbSbr8+gxd+S8vclkljQt7vs4ffTLOcAuXyqjnIxy4avsN85BAW1cUtfbgOqrwQ==
256

The result of PKCS8 signature:

YcwHcx8jvDwuZDTmSXMFtoob3k4kFkm2ZG/TBOkJNilV6Zd81oK+uBWrJ/BrqUIabaDl6VPrTTQpWyY+QjMsRKHOtdlyIHD3EKDBJBamNRrbWNcixsYg9ettUukqTql/wy/PSfLVQCLb5AFbc1SdcH88x6U8IZYMkbv0HqlJ2YJhbUX1vhGPkUEXMqBl00W7En8HP5HUfNJMyJdnydByRKw4kjE2o2tRedID3sgqXI9ALV1Beow7rAjViTy3Huf9KDCLZN+JAmuDXYXD9UhtZrSq3Mdo3KLXdXxckss2/rzj033eEqhJUdA/s4IGfGCo15sLt9Qo7n5fkZSLF1Jk9g==
256

I could manage it somehow if only one or two characters were different!!

Any comment on this matter is appreciated.

Comments
Post Details
Added on May 1 2023
0 comments
238 views