Good morning.
I need to generate a certificate on a mobile device for later send to the server.
The intention is to sign some unique feature of the device and check it on the server.
I use the following method
// Create cert
var publickey="";
publickey=publickey "-----BEGIN PUBLIC KEY-----\n";
publickey=publickey "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2Alder/8ByIu 565IRZS xB6t";
publickey=publickey "hJkmlwNy7wMRTX7YysHC9S75wR/FLWFdsjMP 3TElvxsck A3emsd2TYcJr0s4p7";
publickey=publickey "5vP8k3Cap39mTXVNLRyaiFZt4ViJTYhsNWtAfS8t8T56FWPxy1prilR0AQHp Qj5";
publickey=publickey "VKdp8Rwfik4GrHOGWQIDAQAB\n";
publickey=publickey "-----END PUBLIC KEY-----";
var privatekey="";
privatekey=privatekey "-----BEGIN RSA PRIVATE KEY-----\n";
privatekey=privatekey "MIICXAIBAAKBgQD2Alder/8ByIu 565IRZS xB6thJkmlwNy7wMRTX7YysHC9S75";
privatekey=privatekey "wR/FLWFdsjMP 3TElvxsck A3emsd2TYcJr0s4p75vP8k3Cap39mTXVNLRyaiFZt";
privatekey=privatekey "4ViJTYhsNWtAfS8t8T56FWPxy1prilR0AQHp Qj5VKdp8Rwfik4GrHOGWQIDAQAB";
privatekey=privatekey "AoGAbhYIIPAi7hpfJrOoUuEIOgGrNLzEh/dF7NW2CrUiEUNSR7rOJaddXy/6hSIs";
privatekey=privatekey "JXfB/gMOvDy/BQzI94uKDiz9uahMcuADhpUJBpDQMP5B1xMwVAxm8MLHEi86Bn3T";
privatekey=privatekey "W/yaTsa7SYlnMu0TJl1xQFeB9cQS4qZIUgGR44774yIM/V0CQQD92Xz9ojSgcT4m";
privatekey=privatekey "Hz1ua4jNTBtUPT Buxr3IZraaXVYKIUiW1dFXiD6BZ0PVFdA8yBTvltoidjv/5zv";
privatekey=privatekey "7Pm6alHDAkEA BfZkqBvLXFQtHgxVaj JMIXei9TWkhtQt9no1IWAZd/vvBDJelE";
privatekey=privatekey "utOsG824g/I2 mLnYHDFLfH7CBeMz4mJswJAXbRq7zVxN8iVqHzfsGMBnMb7T51M";
privatekey=privatekey "VBc9XPyKrRVAu8o5WvVcwb59bc2krIP1sYQN6tvZ4j0AV5eD1w0jIi0dAQJBAKQ7";
privatekey=privatekey "ZZRjEDYM5VgSmNYT4OmEcvY3jf4eI/Y43eqH1HmJSM lTU4zdYQXy788GAGAvlRS";
privatekey=privatekey "VMjK3jzkC0H4FQbuDXECQDaFTYpdYkUDeGPX4YTEPBbwMyJygjRDD3X067bgAJ/ ";
privatekey=privatekey "z9pgsAsHhle6aQv09c0t2j 6LPVeFpSvd2u8g9 9U0o=\n";
privatekey=privatekey "-----END RSA PRIVATE KEY-----";
var rsa = new RSAKey();
rsa.readPrivateKeyFromPEMString(privatekey);
var tbsc = new KJUR.asn1.x509.TBSCertificate();
tbsc.setSerialNumberByParam({'int': 9999});
tbsc.setSignatureAlgByParam({'name': 'SHA256withRSA'});
tbsc.setIssuerByParam({'str': '/C=ES/O=MOBILE-CA'});
tbsc.setNotBeforeByParam({'str': '130501235959Z'});
tbsc.setNotAfterByParam({'str': '230501235959Z'});
tbsc.setSubjectByParam({'str': '/C=ES/CN=SOME'});
tbsc.setSubjectPublicKeyByParam({'rsapem': publickey});
var cert = new KJUR.asn1.x509.Certificate({'tbscertobj': tbsc,
'prvkeyobj': rsa
});
cert.sign();
var x509toServer=cert.getPEMString(); // Send to server
// Generate sign
var xig = new KJUR.crypto.Signature({"alg": "SHA256withRSA"});
xig.init(rsa);
xig.updateString("zzzzttttzzzz");
var xSigVal = xig.sign();
console.log('Sign: ');
console.log(xSigVal);
console.log(' ');
// Verify sign
var sig = new KJUR.crypto.Signature({"alg": "SHA256withRSA"});
sig.initVerifyByCertificatePEM(cert.getPEMString()); // signer's certificate
sig.updateString(me.getApplication().device_uid);
var isValid = sig.verify(xSigVal)
if (isValid) {
console.log("valid");
} else {
console.log("invalid");
}
The above code works perfectly, and shows me that the signature is valid.
The certificate server receives the message (zzzzttttzzzz) and signed (variable xSigVal).
and the next files are generated
device.cer with
-----BEGIN CERTIFICATE-----
MIIBwjCCASugAwIBAgICJw8wDQYJKoZIhvcNAQELBQAwITELMAkGA1UEBhMCRVMx
EjAQBgNVBAoMCU1PQklMRS1DQTAeFw0xMzA1MDEyMzU5NTlaFw0yMzA1MDEyMzU5
NTlaMCwxCzAJBgNVBAYTAkVTMR0wGwYDVQQDDBR1MDIwODg1LXp6enp0dHR0enp6
ejCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9gJXXq//AciLvueuSEWUvsQe
rYSZJpcDcu8DEU1 2MrBwvUu cEfxS1hXbIzD/t0xJb8bHJPgN3prHdk2HCa9LOK
e bz/JNwmqd/Zk11TS0cmohWbeFYiU2IbDVrQH0vLfE ehVj8ctaa4pUdAEB6fkI
VSnafEcH4pOBqxzhlkCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCj7lCmpZt4Icej
KyH1fLseEAHACoR/FB8vknaLL3Bk8X4ADOEWGQD3ZL5TdQYRKxpqYz49j2Iu90qc
YfBeLD/WJ8bwBwnWal1n02pFZJWKldlYjhcQ7Z910AsP2oG3A4tsOUMaUSs+Al2+
U+YKn08m09RRubGVDuxboVtdBicK/A==
-----END CERTIFICATE-----
message.txt with
zzzzttttzzzz
firma.sign with
cbfbaa6f099fafdb9d892a9d2ea7378a66685e429f77e24241e2e5531db9c020829de125467a891504aaa42b174b0d47d6c83e8234fe32918900ba219cd75b024fa21c241a8c8463ffe629a8e3cf094014cb19a70734db8a0f7b856fb60f4cf9425af8982a9404bfaa8a9e09d742160bca588c4464c17467ef2de69d1b0c46d0
The information returned by the certificate on server is
openssl x509 -in c/device.cer -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9999 (0x270f)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=ES, O=MOBILE-CA
Validity
Not Before: May 1 23:59:59 2013 GMT
Not After : May 1 23:59:59 2023 GMT
Subject: C=ES, CN=u020885-zzzzttttzzzz
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f6:02:57:5e:af:ff:01:c8:8b:be:e7:ae:48:45:
94:be:c4:1e:ad:84:99:26:97:03:72:ef:03:11:4d:
7e:d8:ca:c1:c2:f5:2e:f9:c1:1f:c5:2d:61:5d:b2:
33:0f:fb:74:c4:96:fc:6c:72:4f:80:dd:e9:ac:77:
64:d8:70:9a:f4:b3:8a:7b:e6:f3:fc:93:70:9a:a7:
7f:66:4d:75:4d:2d:1c:9a:88:56:6d:e1:58:89:4d:
88:6c:35:6b:40:7d:2f:2d:f1:3e:7a:15:63:f1:cb:
5a:6b:8a:54:74:01:01:e9:f9:08:f9:54:a7:69:f1:
1c:1f:8a:4e:06:ac:73:86:59
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
a3:ee:50:a6:a5:9b:78:21:c7:a3:2b:21:f5:7c:bb:1e:10:01:
c0:0a:84:7f:14:1f:2f:92:76:8b:2f:70:64:f1:7e:00:0c:e1:
16:19:00:f7:64:be:53:75:06:11:2b:1a:6a:63:3e:3d:8f:62:
2e:f7:4a:9c:61:f0:5e:2c:3f:d6:27:c6:f0:07:09:d6:6a:5d:
67:d3:6a:45:64:95:8a:95:d9:58:8e:17:10:ed:9f:75:d0:0b:
0f:da:81:b7:03:8b:6c:39:43:1a:51:2b:3e:02:5d:be:53:e6:
0a:9f:4f:26:d3:d4:51:b9:b1:95:0e:ec:5b:a1:5b:5d:06:27:
0a:fc
I extract the public key with
openssl x509 -in c/device.cer -noout -pubkey > c/device.pub.key.cer
and exactly matches that have javascript (var publickey)
Now comes the question. How do I make the same signature verification with OpenSSL on the server?
The file with the signature contains a hexadecimal number and tried
1 -.
openssl dgst -verify c/device.pub.key.cer -signature firma.sign message.txt
2 -.
openssl dgst -sha256 -verify c/device.pub.key.cer -signature firma.sign message.txt
3 -.
cat firma.sign | xxd -r -p > firma.s2
openssl dgst -verify c/device.pub.key.cer -signature firma.s2 message.txt
and other options, but the answer is always :
Verification Failure
Can anyone help?
Thanks in advance and greetings.