Good morning.
I need to generate a certificate on a mobile device for later send to the server.
The intention is to sign some unique feature of the device and check it on the server.
I use the following method
// Create cert
var publickey="";
publickey=publickey+"-----BEGIN PUBLIC KEY-----\n";
publickey=publickey+"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2Alder/8ByIu+565IRZS+xB6t";
publickey=publickey+"hJkmlwNy7wMRTX7YysHC9S75wR/FLWFdsjMP+3TElvxsck+A3emsd2TYcJr0s4p7";
publickey=publickey+"5vP8k3Cap39mTXVNLRyaiFZt4ViJTYhsNWtAfS8t8T56FWPxy1prilR0AQHp+Qj5";
publickey=publickey+"VKdp8Rwfik4GrHOGWQIDAQAB\n";
publickey=publickey+"-----END PUBLIC KEY-----";
var privatekey="";
privatekey=privatekey+"-----BEGIN RSA PRIVATE KEY-----\n";
privatekey=privatekey+"MIICXAIBAAKBgQD2Alder/8ByIu+565IRZS+xB6thJkmlwNy7wMRTX7YysHC9S75";
privatekey=privatekey+"wR/FLWFdsjMP+3TElvxsck+A3emsd2TYcJr0s4p75vP8k3Cap39mTXVNLRyaiFZt";
privatekey=privatekey+"4ViJTYhsNWtAfS8t8T56FWPxy1prilR0AQHp+Qj5VKdp8Rwfik4GrHOGWQIDAQAB";
privatekey=privatekey+"AoGAbhYIIPAi7hpfJrOoUuEIOgGrNLzEh/dF7NW2CrUiEUNSR7rOJaddXy/6hSIs";
privatekey=privatekey+"JXfB/gMOvDy/BQzI94uKDiz9uahMcuADhpUJBpDQMP5B1xMwVAxm8MLHEi86Bn3T";
privatekey=privatekey+"W/yaTsa7SYlnMu0TJl1xQFeB9cQS4qZIUgGR44774yIM/V0CQQD92Xz9ojSgcT4m";
privatekey=privatekey+"Hz1ua4jNTBtUPT+Buxr3IZraaXVYKIUiW1dFXiD6BZ0PVFdA8yBTvltoidjv/5zv";
privatekey=privatekey+"7Pm6alHDAkEA+BfZkqBvLXFQtHgxVaj+JMIXei9TWkhtQt9no1IWAZd/vvBDJelE";
privatekey=privatekey+"utOsG824g/I2+mLnYHDFLfH7CBeMz4mJswJAXbRq7zVxN8iVqHzfsGMBnMb7T51M";
privatekey=privatekey+"VBc9XPyKrRVAu8o5WvVcwb59bc2krIP1sYQN6tvZ4j0AV5eD1w0jIi0dAQJBAKQ7";
privatekey=privatekey+"ZZRjEDYM5VgSmNYT4OmEcvY3jf4eI/Y43eqH1HmJSM+lTU4zdYQXy788GAGAvlRS";
privatekey=privatekey+"VMjK3jzkC0H4FQbuDXECQDaFTYpdYkUDeGPX4YTEPBbwMyJygjRDD3X067bgAJ/+";
privatekey=privatekey+"z9pgsAsHhle6aQv09c0t2j+6LPVeFpSvd2u8g9+9U0o=\n";
privatekey=privatekey+"-----END RSA PRIVATE KEY-----";
var rsa = new RSAKey();
rsa.readPrivateKeyFromPEMString(privatekey);
var tbsc = new KJUR.asn1.x509.TBSCertificate();
tbsc.setSerialNumberByParam({'int': 9999});
tbsc.setSignatureAlgByParam({'name': 'SHA256withRSA'});
tbsc.setIssuerByParam({'str': '/C=ES/O=MOBILE-CA'});
tbsc.setNotBeforeByParam({'str': '130501235959Z'});
tbsc.setNotAfterByParam({'str': '230501235959Z'});
tbsc.setSubjectByParam({'str': '/C=ES/CN=SOME'});
tbsc.setSubjectPublicKeyByParam({'rsapem': publickey});
var cert = new KJUR.asn1.x509.Certificate({'tbscertobj': tbsc,
'prvkeyobj': rsa
});
cert.sign();
var x509toServer=cert.getPEMString(); // Send to server
// Generate sign
var xig = new KJUR.crypto.Signature({"alg": "SHA256withRSA"});
xig.init(rsa);
xig.updateString("zzzzttttzzzz");
var xSigVal = xig.sign();
console.log('Sign: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++');
console.log(xSigVal);
console.log('++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++');
// Verify sign
var sig = new KJUR.crypto.Signature({"alg": "SHA256withRSA"});
sig.initVerifyByCertificatePEM(cert.getPEMString()); // signer's certificate
sig.updateString(me.getApplication().device_uid);
var isValid = sig.verify(xSigVal)
if (isValid) {
console.log("valid");
} else {
console.log("invalid");
}
The above code works perfectly, and shows me that the signature is valid.
The certificate server receives the message (zzzzttttzzzz) and signed (variable xSigVal).
and the next files are generated
device.cer with
-----BEGIN CERTIFICATE-----
MIIBwjCCASugAwIBAgICJw8wDQYJKoZIhvcNAQELBQAwITELMAkGA1UEBhMCRVMx
EjAQBgNVBAoMCU1PQklMRS1DQTAeFw0xMzA1MDEyMzU5NTlaFw0yMzA1MDEyMzU5
NTlaMCwxCzAJBgNVBAYTAkVTMR0wGwYDVQQDDBR1MDIwODg1LXp6enp0dHR0enp6
ejCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9gJXXq//AciLvueuSEWUvsQe
rYSZJpcDcu8DEU1+2MrBwvUu+cEfxS1hXbIzD/t0xJb8bHJPgN3prHdk2HCa9LOK
e+bz/JNwmqd/Zk11TS0cmohWbeFYiU2IbDVrQH0vLfE+ehVj8ctaa4pUdAEB6fkI
+VSnafEcH4pOBqxzhlkCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCj7lCmpZt4Icej
KyH1fLseEAHACoR/FB8vknaLL3Bk8X4ADOEWGQD3ZL5TdQYRKxpqYz49j2Iu90qc
YfBeLD/WJ8bwBwnWal1n02pFZJWKldlYjhcQ7Z910AsP2oG3A4tsOUMaUSs+Al2+
U+YKn08m09RRubGVDuxboVtdBicK/A==
-----END CERTIFICATE-----
message.txt with
zzzzttttzzzz
firma.sign with
cbfbaa6f099fafdb9d892a9d2ea7378a66685e429f77e24241e2e5531db9c020829de125467a891504aaa42b174b0d47d6c83e8234fe32918900ba219cd75b024fa21c241a8c8463ffe629a8e3cf094014cb19a70734db8a0f7b856fb60f4cf9425af8982a9404bfaa8a9e09d742160bca588c4464c17467ef2de69d1b0c46d0
The information returned by the certificate on server is
openssl x509 -in c/device.cer -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9999 (0x270f)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=ES, O=MOBILE-CA
Validity
Not Before: May 1 23:59:59 2013 GMT
Not After : May 1 23:59:59 2023 GMT
Subject: C=ES, CN=u020885-zzzzttttzzzz
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f6:02:57:5e:af:ff:01:c8:8b:be:e7:ae:48:45:
94:be:c4:1e:ad:84:99:26:97:03:72:ef:03:11:4d:
7e:d8:ca:c1:c2:f5:2e:f9:c1:1f:c5:2d:61:5d:b2:
33:0f:fb:74:c4:96:fc:6c:72:4f:80:dd:e9:ac:77:
64:d8:70:9a:f4:b3:8a:7b:e6:f3:fc:93:70:9a:a7:
7f:66:4d:75:4d:2d:1c:9a:88:56:6d:e1:58:89:4d:
88:6c:35:6b:40:7d:2f:2d:f1:3e:7a:15:63:f1:cb:
5a:6b:8a:54:74:01:01:e9:f9:08:f9:54:a7:69:f1:
1c:1f:8a:4e:06:ac:73:86:59
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
a3:ee:50:a6:a5:9b:78:21:c7:a3:2b:21:f5:7c:bb:1e:10:01:
c0:0a:84:7f:14:1f:2f:92:76:8b:2f:70:64:f1:7e:00:0c:e1:
16:19:00:f7:64:be:53:75:06:11:2b:1a:6a:63:3e:3d:8f:62:
2e:f7:4a:9c:61:f0:5e:2c:3f:d6:27:c6:f0:07:09:d6:6a:5d:
67:d3:6a:45:64:95:8a:95:d9:58:8e:17:10:ed:9f:75:d0:0b:
0f:da:81:b7:03:8b:6c:39:43:1a:51:2b:3e:02:5d:be:53:e6:
0a:9f:4f:26:d3:d4:51:b9:b1:95:0e:ec:5b:a1:5b:5d:06:27:
0a:fc
I extract the public key with
openssl x509 -in c/device.cer -noout -pubkey > c/device.pub.key.cer
and exactly matches that have javascript (var publickey)
Now comes the question. How do I make the same signature verification with OpenSSL on the server?
The file with the signature contains a hexadecimal number and tried
1 -.
openssl dgst -verify c/device.pub.key.cer -signature firma.sign message.txt
2 -.
openssl dgst -sha256 -verify c/device.pub.key.cer -signature firma.sign message.txt
3 -.
cat firma.sign | xxd -r -p > firma.s2
openssl dgst -verify c/device.pub.key.cer -signature firma.s2 message.txt
and other options, but the answer is always :
Verification Failure
Can anyone help?
Thanks in advance and greetings.