search

hwcrypto / demo

Demo / test site
https://hwcrypto.github.io/demo/
MIT License
4 stars 4 forks source link

Verify the signature on the other end. #2

Open DigitalLeaves opened 6 years ago

DigitalLeaves commented 6 years ago

Hello there! Thanks for this example, really helped me getting started with authentication using the e-Card.

I have the problem that I cannot verify the signatures I get from hwcrypto. As far as I know, these are secp384 EC keys. Then, I generate a SHA1 signature from "Hello world!" and put it as the SHA1 signature in the html page to be signed. Then I generate correctly a signature, but when I use node.js crypto module to verify the signature it always return false (using the signature I get from hwcrypto.js):

I have tried with SHA256 also.

var plain = "Hello world!"
var hash = "d3486ae9136e7856bc42212385ea797094475802"
var signature = "49E717B687170356141B9FEFE3C7BB78EDC3A38B9C17E4222EE82145FB5957188E7233EEE6B5ECBF5059CD5D778883E0C87DE123FC011EFD12DCD8C38689AC77774FF85B83F317BB024ECC5B4FECFC470013841EED0D7DF360BD1DFD01598336"
var signBase64 = "SecXtocXA1YUG5/v48e7eO3Do4ucF+QiLughRftZVxiOcjPu5rXsv1BZzV13iIPgyH3hI/wBHv0S3NjDhomsd3dP+FuD8xe7Ak7MW0/s/EcAE4Qe7Q1982C9Hf0BWYM2" // <<< base64 of the hex representation of signature

var certString = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"

var pubKey = "-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----"

var certSource = Buffer.from(certString, 'utf8').toString()

var allData = x509.parseCert(certSource)
console.log("All data:")
console.log(allData)

console.log("Validate signature")
console.log("Plain: " + plain)
console.log("Hash: " + hash)
console.log("Signature: " + signature)

var verifier = crypto.createVerify('sha1');
verifier.update(plain);
var ver = verifier.verify(pubKey, signBase64, 'base64');
console.log(ver);//<--- always false!

This is the result:

All data:
{ version: 2,
  subject: 
   {... },
  issuer: 
   { countryName: 'EE',
     organizationName: 'AS Sertifitseerimiskeskus',
     '2.5.4.97': 'NTREE-10747013',
     commonName: 'ESTEID-SK 2015' },
  serial: '...',
  notBefore: 2017-10-30T20:30:10.000Z,
  notAfter: 2020-07-31T20:59:59.000Z,
  subjectHash: '...',
  signatureAlgorithm: 'sha256WithRSAEncryption',
  fingerPrint: 'E7:C7:FC:4F:68:BB:41:6A:EA:87:8E:65:9D:3B:EB:85:90:8C:BB:99',
  publicKey: { algorithm: 'id-ecPublicKey' },
  altNames: [],
  extensions: 
   { ... } 
}

Validate signature
Plain: Hello world!
Hash: d3486ae9136e7856bc42212385ea797094475802
Signature: 49E717B687170356141B9FEFE3C7BB78EDC3A38B9C17E4222EE82145FB5957188E7233EEE6B5ECBF5059CD5D778883E0C87DE123FC011EFD12DCD8C38689AC77774FF85B83F317BB024ECC5B4FECFC470013841EED0D7DF360BD1DFD01598336
false

If I try in openssl, I get this error:

$ openssl dgst -sha1 -verify pubkey.pem -signature signature.txt < plain.txt 
Error Verifying Data
140735986258824:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/asn1/asn1_lib.c:152:
140735986258824:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/asn1/tasn_dec.c:1152:
140735986258824:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/asn1/tasn_dec.c:314:Type=ECDSA_SIG

Any suggestion or insight in how to verify it will be greatly appreciated.

DigitalLeaves commented 6 years ago

Hello?

brunobaiano commented 6 years ago

Hi, i´m having this problem too. DId you resolve this issue? thanks

metsma commented 6 years ago

Try SHA-384 maybe node.js lib cannot correctly truncate short digests. Openssl probably expects ASN.1 encoded signature, plugin returns concatenated (R || S)

brunobaiano commented 6 years ago

Is there a complete code example that sign ( ok this part i can do) and verify a file? I have the signature but i dont know what to do now to verify. Why hwcrypto don´t have this "verify" method?

metsma commented 6 years ago

because it is not in scope and window.hwcrypto references missing feature in https://developer.mozilla.org/en-US/docs/Web/API/Window/crypto spec. You can try https://hwcrypto.github.io/hwcrypto.js/sign.html use JWT token signing and use SHA-384 with ECC 384 token and then it will show link to jwt.io to validate signature. (JWT page does not refresh signature status on page load. Add space to end of data and remove it and then page will revalidate input)

dvas0004 commented 5 years ago

Hey all. I came across this while trying to resolve the same issue myself. I came up with this reference python script:

https://gist.github.com/dvas0004/3f2dbf2a3ce16bdc865766b990da0e6f

Replace with your own certificate and signature which can be easily copy/pasted off the hwcrypto demo site: https://hwcrypto.github.io/demo/

I would assume you can find something similar in JS, my biggest problem was getting the right formatting - I was honestly under the impression the cards used RSA keys - i guess these got replaces with ECC since the recall last year...

Anyways hope this helps!