Tuesday, January 15, 2013

Re: [android-developers] Re: BouncyCastle signature value does not match with dotNET signature value.

On Tue, Jan 15, 2013 at 11:14 PM, mbarbiero <marco.barbiero@gmail.com> wrote:
> I read the certificate from a .pfx file and extract keys:
>
> PUBLICKEY
> cert = ks.getCertificate(alias);
> X509Certificate X509 = (X509Certificate) cert;
> publicKey = cert.getPublicKey();
>
> PRIVATEKEY
> key = ks.getKey(alias, senha.toCharArray());
> if (key instanceof PrivateKey) {
> privateKey = (PrivateKey) key;
> }
>

Unless the PFX file has multiple keys and certificates in it,
that should do it.

> I know that the publicKey is correct because it matches the dotNET file.
> In the new version of my app I verify the privateKey using the code below.
>
> Signature signer = null;
> signer = Signature.getInstance("SHA1withRSA");
> signer.initSign( privateKey );
> signer.update(msg.getBytes("UTF-8"));
> byte[] theSignature = null;
> theSignature = signer.sign();
> Log.d("theSignature ---> ", theSignature.toString());
>

This last line will only print the address of the byte array,
which is not particularly useful. You'd want to print the contents
by converting to hex. A quick-n-dirty way to do this is to use

BigInteger bi = new BigInteger(1, theSignature); // sign-magnitude, so a first byte >= 0x80 does not print as negative
Log.d("theSignature", bi.toString(16));          // Log.d takes (tag, msg); note toString(16) drops leading zero nibbles

> Signature sig = null;
> sig = Signature.getInstance("SHA1withRSA");
> sig.initVerify(publicKey);
> sig.update(msg.getBytes("UTF-8"));
> boolean verifies = false;
> verifies = sig.verify(theSignature);
> if(verifies){

> The message in Log is "SIGNATURE OK", then I presume that privateKey is OK
> too.

That only confirms that you have a proper private/public key pair.
Should be enough if there is only one key in the PFX.

>
> If this is right, then the error must be in the format of theSignature. Maybe
> the signature has a header or footer, like the public key (-----BEGIN
> CERTIFICATE-----), that interferes with Base64.encodeToString.

There are no headers/footers. Base64 merely converts the bytes to
a string representation (3 chars per byte). Another obvious thing to
look at would be byte order: Windows/.NET is known to use little
endian for most things, while the rest of the world (including Java)
uses big endian by default. IIRC, some Crypto API calls (which
most .NET APIs use internally) would also swap signature order.
So do check/post the raw signature value in *hex* format from
both platforms.

--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
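A self-contained Java check, added here and not code from either poster, that hex-encodes a signature without BigInteger's sign and leading-zero quirks and then reports whether a signature verifies as produced or only after byte reversal, which is the endianness mismatch the reply above suggests checking. It uses a throwaway RSA key pair and a constructed message in place of the PFX; all names below are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

public class SigInteropCheck {
    // Hex-encode every byte: unlike BigInteger.toString(16) this keeps leading
    // zero bytes and never prints a '-' when the first byte is >= 0x80.
    static String toHex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static byte[] reversed(byte[] data) {
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) out[i] = data[data.length - 1 - i];
        return out;
    }

    // SHA1withRSA matches the thread; new code should prefer SHA256withRSA.
    static boolean verify(PublicKey pub, byte[] msg, byte[] sig) throws Exception {
        Signature v = Signature.getInstance("SHA1withRSA");
        v.initVerify(pub);
        v.update(msg);
        try { return v.verify(sig); } catch (SignatureException e) { return false; }
    }

    // Returns "ok", "reversed" (other side emitted little-endian bytes) or "invalid".
    static String classify(PublicKey pub, byte[] msg, byte[] sig) throws Exception {
        if (verify(pub, msg, sig)) return "ok";
        if (verify(pub, msg, reversed(sig))) return "reversed";
        return "invalid";
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); // constructed key, stands in for the PFX
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(kp.getPrivate());
        s.update(msg);
        byte[] sig = s.sign();
        System.out.println("hex:           " + toHex(sig));
        System.out.println("as produced:   " + classify(kp.getPublic(), msg, sig)); // ok
        System.out.println("byte-reversed: " + classify(kp.getPublic(), msg, reversed(sig))); // reversed
    }
}
```

Feed the hex dumped on the .NET side into classify (after decoding) to tell a byte-order problem apart from a genuinely different key or message encoding.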
