Louis Burger · Apr 13

Verifying signature against x509 cert

Hi everyone,

We are trying to verify a signature against a certificate without success.

Apologies in advanced if my post lack info.

I've added the cert under the X509 credentials under the management portal (alias Cert).

The code snippet that we are using to verify the cert:

set tX509 = ##class(%SYS.X509Credentials).GetByAlias("Cert")

set tData = "hello"

set tSignature = "CUBMPlVbEKbjFg0nUNz3pwuSwq7tJPg4obsj6LpwbMsEQaDNNw/93V9X0BdgBVzoWN1K7XrG1WX1focFj+EIkeXOJJF7KjQv4p9Xc8JT0wWZ9ivw0+pYvBtMSzP9JEVzapt2Cr+QoBT47yEMeCAxt7Ka7q7xLpxxpAvDQ+QE3Mg="

set isValid = $SYSTEM.Encryption.RSASHAVerify(256, tData, tSignature, tX509.Certificate)

"isValid: " _ isValid

Based on the above code i keep getting isValid = 0 indicating that the certificate verification failed.

Am I missing something?  

Thank you in advanced.

Product version: Ensemble 2018.1
0 228
Discussion (4)0
Log in or sign up to continue

There's a $SYSTEM.Encryption.RSAGetLastError() function that might provide more insight into why validation is failing in this specific case. The code snippet seems correct, so my guess is that this is not the reason validation is failing. Could the signature have been made over more than just the string "hello"? Could the cert have a public key that doesn't correspond to the private key used to make the signature?

It shouldn't be the case, but does it work if you have set isValid = $SYSTEM.Encryption.RSASHAVerify(256, tData, tSignature, tX509.Certificate,"","")? (Because the method does take 6 arguments, though the last two should be optional)

Thank you Mclean,

The string "hello" is actually a dummy value that i have added (not allowed to disclose actual value due to sensitivity of data).

The signature comes from a third party connecting to us, they did supply me with C# code that verified the signature successfully.

What I can say though is that tried the method ($SYSTEM.Encryption.RSAGetLastError()) you mentioned above and it responded with the following: 

error:04091077:rsa routines:INT_RSA_VERIFY:wrong signature length;

I've managed to make some more progress by decoding the signature before passing it to RSASHAVerify, as follows:

set tX509 ##class(%SYS.X509Credentials).GetByAlias("Cert")

set tData "hello"

set tSignature "CUBMPlVbEKbjFg0nUNz3pwuSwq7tJPg4obsj6LpwbMsEQaDNNw/93V9X0BdgBVzoWN1K7XrG1WX1focFj+EIkeXOJJF7KjQv4p9Xc8JT0wWZ9ivw0+pYvBtMSzP9JEVzapt2Cr+QoBT47yEMeCAxt7Ka7q7xLpxxpAvDQ+QE3Mg="

set tSignature = $system.Encryption.Base64Decode(tSignature)

set isValid $SYSTEM.Encryption.RSASHAVerify(256, tDatatSignaturetX509.Certificate)

"isValid: " isValid



which provides the output:

isValid: 0

error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01;error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed;

Hi Louis

Firstly, I don't think there is anything wrong with the code above.. but can you verify that the x509 certificate you created includes reference to the Certificate Authorities (the entire CA chain) that issued the sender's public key .