RSA verifying failing

[Technified]

Hello All,

 

I am working on a project where the client has provided me with the public key file and the private-key is being passed via url, along with 2 params that will be used on my end.

 

These are the basics of the process that I am to use for verifying.
 

1. Generate your own plaintext message matching the format of the string provided
2. Create a SHA1withRSA hash of this message using the provided public key (UTF-16LE encode and pass this value)
3. Base64 decode the signature
4. Using a SHA1withRSA validator, verify your hashed message matches the Base64 decoded value in step 3

At this point I have performed steps 1-3 but am having an issue with step 4.

 

The code is failing here.  When I say failing I mean it is not being verified.   

 

$base64Sig = base64_decode($signature, true);

$publickey  = getPemKey();

 

$rsa = new Crypt_RSA();

$rsa->loadKey($publickey, CRYPT_RSA_PUBLIC_FORMAT_RAW);

 

$hashedPlainText = sha1($utfString);

$utfString = mb_convert_encoding($hashedPlainText ,"UTF-16LE");

 

echo $rsa->verify($hashedPlainText, $base64Sig) ? 'verified' : 'unverified';

 

If anyone can provide me with a basic example or a few sites that have examples with example data, it would be appreciated as I'm not sure I am "Using a SHA1withRSA validator".

 

Thanks ahead of time!

[darkfreaks]

here is a phpseclib link that shows examples how to  do this

 

http://phpseclib.sourceforge.net/rsa/examples.html#encrypt,enc2

Edited September 29, 2014 by darkfreaks

[Technified]

Thanks @darkfreaks!  I seem to have gotten much further however I am now receiving an error Invalid signature in ..\Crypt\RSA.php on line <b>2757</b>

 

This is how I am approaching it.

 

$rsa = new Crypt_RSA();

$rsa->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS1);

$plaintext = mb_convert_encoding($msg, "UTF-16LE");

$plainTextInt = new Math_BigInteger($plaintext);

$plainTextBytes = $plainTextInt->toBytes();

 

$signature = $rsa->sign($plainTextBytes);

 

$ok =  $rsa->verify($plainTextBytes, $newsignature) ? 'verified' : 'unverified'; { ERROR IS OCCURING HERE }

 

I don't see what it is that I am missing...

Edited September 29, 2014 by Technified

[Jacques1]

None of this makes any sense whatsoever, and cryptography is definitely not the right place for guessing and trial-and-error.

 

First of all, you said the private key is passed via the URL. You mean passed to the server? In that case you clearly don't understand how asymmetric cryptography works. The whole point of the private key is that it's indeed private. It isn't passed anywhere. If you send it to the server, then the entire concept is bogus.

 

To be honest, the situation looks fishy: So some layman in your team(?) has invented a homegrown security protocol, and now they're asking another layman (you) to play around a bit and maybe come up with an implementation? What is this? A school project about bad cryptography? 

[Technified]

Jacques1, I agree it does not make any sense and I passed that info on to the person who "developed" it in this manner.  It is not a school project.  The project is a SSO method.  So this data is being passed from the main party to an intermediate bridge, this is where the verification takes place and if it passes their validation then the user will be redirected and auto logged in to the next party's address.

 

I hope this makes it a little clearer however it still is not making any sense to me.

[darkfreaks]

should read up on how sign()  and verify() work before you attempt to fool around with it.

 

 

http://search.cpan.org/~vipul/Crypt-RSA-1.99/lib/Crypt/RSA/SS/PKCS1v15.pm

Here's an example of how to create signatures and verify signatures with this library:
* <code>
* <?php
* include 'Crypt/RSA.php';
*
* $rsa = new Crypt_RSA();
* extract($rsa->createKey());
*
* $plaintext = 'terrafrost';
*
* $rsa->loadKey($privatekey);
* $signature = $rsa->sign($plaintext);
*
* $rsa->loadKey($publickey);
* echo $rsa->verify($plaintext, $signature) ? 'verified' : 'unverified';
* ?>
* </code>

Edited September 29, 2014 by darkfreaks

[KevinM1]

Jacques1, I agree it does not make any sense and I passed that info on to the person who "developed" it in this manner.  It is not a school project.  The project is a SSO method.  So this data is being passed from the main party to an intermediate bridge, this is where the verification takes place and if it passes their validation then the user will be redirected and auto logged in to the next party's address.

 

I hope this makes it a little clearer however it still is not making any sense to me.

IMO, if you consider yourself a professional, you should either put your foot down and attempt to do it right or you should abandon this project if that's not an option. This isn't the kind of thing you'll want your named attached to unless it's implemented properly, and sending a private key via URL of all things is the exact opposite of proper implementation.

[Technified]

Thanks for all the feedback.  I have done my research on sign() and verify(), the issue is that this isn't a normal request and since I've never done anything in the manner that it has been asked for I am reaching out. This is a paying customer for which I have 1) attempted to put my foot down and provide them with my professional opinion 2) they are verifying it on their end in the same manner they have asked me to do so however the code sample they have provided me with is Java.  I am simply trying to recreate the steps they used to produce a successful outcome on their end, in php.  If it is just impossible, I can let them know that however I was not 100% sure that was a correct answer and therefore looked to those that have may have more knowledge than I.

 

Again I appreciate the responses and help.