signature=c46eb6506a9975740265181e69a4a8be,javascript - Jsrsasign. How to verify the signature on th...

Good morning.

I need to generate a certificate on a mobile device for later send to the server.

The intention is to sign some unique feature of the device and check it on the server.

I use the following method

// Create cert

var publickey="";

publickey=publickey+"-----BEGIN PUBLIC KEY-----\n";

publickey=publickey+"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2Alder/8ByIu+565IRZS+xB6t";

publickey=publickey+"hJkmlwNy7wMRTX7YysHC9S75wR/FLWFdsjMP+3TElvxsck+A3emsd2TYcJr0s4p7";

publickey=publickey+"5vP8k3Cap39mTXVNLRyaiFZt4ViJTYhsNWtAfS8t8T56FWPxy1prilR0AQHp+Qj5";

publickey=publickey+"VKdp8Rwfik4GrHOGWQIDAQAB\n";

publickey=publickey+"-----END PUBLIC KEY-----";

var privatekey="";

privatekey=privatekey+"-----BEGIN RSA PRIVATE KEY-----\n";

privatekey=privatekey+"MIICXAIBAAKBgQD2Alder/8ByIu+565IRZS+xB6thJkmlwNy7wMRTX7YysHC9S75";

privatekey=privatekey+"wR/FLWFdsjMP+3TElvxsck+A3emsd2TYcJr0s4p75vP8k3Cap39mTXVNLRyaiFZt";

privatekey=privatekey+"4ViJTYhsNWtAfS8t8T56FWPxy1prilR0AQHp+Qj5VKdp8Rwfik4GrHOGWQIDAQAB";

privatekey=privatekey+"AoGAbhYIIPAi7hpfJrOoUuEIOgGrNLzEh/dF7NW2CrUiEUNSR7rOJaddXy/6hSIs";

privatekey=privatekey+"JXfB/gMOvDy/BQzI94uKDiz9uahMcuADhpUJBpDQMP5B1xMwVAxm8MLHEi86Bn3T";

privatekey=privatekey+"W/yaTsa7SYlnMu0TJl1xQFeB9cQS4qZIUgGR44774yIM/V0CQQD92Xz9ojSgcT4m";

privatekey=privatekey+"Hz1ua4jNTBtUPT+Buxr3IZraaXVYKIUiW1dFXiD6BZ0PVFdA8yBTvltoidjv/5zv";

privatekey=privatekey+"7Pm6alHDAkEA+BfZkqBvLXFQtHgxVaj+JMIXei9TWkhtQt9no1IWAZd/vvBDJelE";

privatekey=privatekey+"utOsG824g/I2+mLnYHDFLfH7CBeMz4mJswJAXbRq7zVxN8iVqHzfsGMBnMb7T51M";

privatekey=privatekey+"VBc9XPyKrRVAu8o5WvVcwb59bc2krIP1sYQN6tvZ4j0AV5eD1w0jIi0dAQJBAKQ7";

privatekey=privatekey+"ZZRjEDYM5VgSmNYT4OmEcvY3jf4eI/Y43eqH1HmJSM+lTU4zdYQXy788GAGAvlRS";

privatekey=privatekey+"VMjK3jzkC0H4FQbuDXECQDaFTYpdYkUDeGPX4YTEPBbwMyJygjRDD3X067bgAJ/+";

privatekey=privatekey+"z9pgsAsHhle6aQv09c0t2j+6LPVeFpSvd2u8g9+9U0o=\n";

privatekey=privatekey+"-----END RSA PRIVATE KEY-----";

var rsa = new RSAKey();

rsa.readPrivateKeyFromPEMString(privatekey);

var tbsc = new KJUR.asn1.x509.TBSCertificate();

tbsc.setSerialNumberByParam({'int': 9999});

tbsc.setSignatureAlgByParam({'name': 'SHA256withRSA'});

tbsc.setIssuerByParam({'str': '/C=ES/O=MOBILE-CA'});

tbsc.setNotBeforeByParam({'str': '130501235959Z'});

tbsc.setNotAfterByParam({'str': '230501235959Z'});

tbsc.setSubjectByParam({'str': '/C=ES/CN=SOME'});

tbsc.setSubjectPublicKeyByParam({'rsapem': publickey});

var cert = new KJUR.asn1.x509.Certificate({'tbscertobj': tbsc,

'prvkeyobj': rsa

});

cert.sign();

var x509toServer=cert.getPEMString(); // Send to server

// Generate sign

var xig = new KJUR.crypto.Signature({"alg": "SHA256withRSA"});

xig.init(rsa);

xig.updateString("zzzzttttzzzz");

var xSigVal = xig.sign();

console.log('Sign: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++');

console.log(xSigVal);

console.log('++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++');

// Verify sign

var sig = new KJUR.crypto.Signature({"alg": "SHA256withRSA"});

sig.initVerifyByCertificatePEM(cert.getPEMString()); // signer's certificate

sig.updateString(me.getApplication().device_uid);

var isValid = sig.verify(xSigVal)

if (isValid) {

console.log("valid");

} else {

console.log("invalid");

}

The above code works perfectly, and shows me that the signature is valid.

The certificate server receives the message (zzzzttttzzzz) and signed (variable xSigVal).

and the next files are generated

device.cer with

-----BEGIN CERTIFICATE-----

MIIBwjCCASugAwIBAgICJw8wDQYJKoZIhvcNAQELBQAwITELMAkGA1UEBhMCRVMx

EjAQBgNVBAoMCU1PQklMRS1DQTAeFw0xMzA1MDEyMzU5NTlaFw0yMzA1MDEyMzU5

NTlaMCwxCzAJBgNVBAYTAkVTMR0wGwYDVQQDDBR1MDIwODg1LXp6enp0dHR0enp6

ejCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9gJXXq//AciLvueuSEWUvsQe

rYSZJpcDcu8DEU1+2MrBwvUu+cEfxS1hXbIzD/t0xJb8bHJPgN3prHdk2HCa9LOK

e+bz/JNwmqd/Zk11TS0cmohWbeFYiU2IbDVrQH0vLfE+ehVj8ctaa4pUdAEB6fkI

+VSnafEcH4pOBqxzhlkCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCj7lCmpZt4Icej

KyH1fLseEAHACoR/FB8vknaLL3Bk8X4ADOEWGQD3ZL5TdQYRKxpqYz49j2Iu90qc

YfBeLD/WJ8bwBwnWal1n02pFZJWKldlYjhcQ7Z910AsP2oG3A4tsOUMaUSs+Al2+

U+YKn08m09RRubGVDuxboVtdBicK/A==

-----END CERTIFICATE-----

message.txt with

zzzzttttzzzz

firma.sign with

cbfbaa6f099fafdb9d892a9d2ea7378a66685e429f77e24241e2e5531db9c020829de125467a891504aaa42b174b0d47d6c83e8234fe32918900ba219cd75b024fa21c241a8c8463ffe629a8e3cf094014cb19a70734db8a0f7b856fb60f4cf9425af8982a9404bfaa8a9e09d742160bca588c4464c17467ef2de69d1b0c46d0

The information returned by the certificate on server is

openssl x509 -in c/device.cer -noout -text

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 9999 (0x270f)

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=ES, O=MOBILE-CA

Validity

Not Before: May 1 23:59:59 2013 GMT

Not After : May 1 23:59:59 2023 GMT

Subject: C=ES, CN=u020885-zzzzttttzzzz

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (1024 bit)

Modulus (1024 bit):

00:f6:02:57:5e:af:ff:01:c8:8b:be:e7:ae:48:45:

94:be:c4:1e:ad:84:99:26:97:03:72:ef:03:11:4d:

7e:d8:ca:c1:c2:f5:2e:f9:c1:1f:c5:2d:61:5d:b2:

33:0f:fb:74:c4:96:fc:6c:72:4f:80:dd:e9:ac:77:

64:d8:70:9a:f4:b3:8a:7b:e6:f3:fc:93:70:9a:a7:

7f:66:4d:75:4d:2d:1c:9a:88:56:6d:e1:58:89:4d:

88:6c:35:6b:40:7d:2f:2d:f1:3e:7a:15:63:f1:cb:

5a:6b:8a:54:74:01:01:e9:f9:08:f9:54:a7:69:f1:

1c:1f:8a:4e:06:ac:73:86:59

Exponent: 65537 (0x10001)

Signature Algorithm: sha256WithRSAEncryption

a3:ee:50:a6:a5:9b:78:21:c7:a3:2b:21:f5:7c:bb:1e:10:01:

c0:0a:84:7f:14:1f:2f:92:76:8b:2f:70:64:f1:7e:00:0c:e1:

16:19:00:f7:64:be:53:75:06:11:2b:1a:6a:63:3e:3d:8f:62:

2e:f7:4a:9c:61:f0:5e:2c:3f:d6:27:c6:f0:07:09:d6:6a:5d:

67:d3:6a:45:64:95:8a:95:d9:58:8e:17:10:ed:9f:75:d0:0b:

0f:da:81:b7:03:8b:6c:39:43:1a:51:2b:3e:02:5d:be:53:e6:

0a:9f:4f:26:d3:d4:51:b9:b1:95:0e:ec:5b:a1:5b:5d:06:27:

0a:fc

I extract the public key with

openssl x509 -in c/device.cer -noout -pubkey > c/device.pub.key.cer

and exactly matches that have javascript (var publickey)

Now comes the question. How do I make the same signature verification with OpenSSL on the server?

The file with the signature contains a hexadecimal number and tried

1 -.

openssl dgst -verify c/device.pub.key.cer -signature firma.sign message.txt

2 -.

openssl dgst -sha256 -verify c/device.pub.key.cer -signature firma.sign message.txt

3 -.

cat firma.sign | xxd -r -p > firma.s2

openssl dgst -verify c/device.pub.key.cer -signature firma.s2 message.txt

and other options, but the answer is always :

Verification Failure

Can anyone help?

Thanks in advance and greetings.