I've been able to use SecKeyRawSign (and verify the signature using SecKeyRawVerify) on the iPhone, however, when I try to verify the signaure server side in PHP using openssl_verify() I get a result that the signature is invalid. I'm using SecPaddingPKCS1SHA1 in the iPhone client and openssl_verify is using the default OPENSSL_ALGO_SHA1 algorithm. I base64 encode before sending the signed data and then base64 decode on the server before trying to verify the signature.
I've also tries sttipping out the "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----" headers in the public key and base64 decoding before using openssl_verity().
If I do a test in PHP only to create some signed data and verify the signature its fine.
On thing Ive noticed is that the signature is different each time when signing the same text, I can see this as I write to NSLog, is this corrent?
Any help would be great and I'll post my code when working as I know other people have issues with signing, I can also provide examples of asymmetric encryption that I have working.
Here is my objective-c:
Code:
uint8_t *plainBuffer;
uint8_t * signedBytes = NULL;
size_t signedBytesSize = 0;
OSStatus sanityCheck = noErr;
NSData * signedHash = nil;
char inputString = *inputText;
int len = strlen(&inputString);
plainBuffer = (uint8_t *)calloc(len, sizeof(uint8_t));
strncpy( (char *)plainBuffer, &inputString, len);
NSString * path = [[NSBundle mainBundle]
pathForResource:@"iphone-cert" ofType:@"p12"];
assert(path != nil);
NSData * data = [NSData dataWithContentsOfFile:path];
assert(data != nil);
//CFArrayRef tmpCFArrayRef = CFArrayCreate(kCFAllocatorDefault,
NULL, 0, NULL);//(CFArrayRef)items;
NSMutableDictionary * options = [[NSMutableDictionary alloc] init];
// Set the public key query dictionary.
[options setObject:@"password" forKey:(id)kSecImportExportPassphrase];
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
OSStatus securityError = SecPKCS12Import((CFDataRef) data,
(CFDictionaryRef)options, &items);
CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
SecIdentityRef identityApp =
(SecIdentityRef)CFDictionaryGetValue(identityDict,
kSecImportItemIdentity);
//NSLog(@"%@", securityError);
SecKeyRef privateKeyRef;
SecIdentityCopyPrivateKey(identityApp, &privateKeyRef);
//NSLog(@"%@", privateKeyRef);
signedBytesSize = SecKeyGetBlockSize(privateKeyRef);
// Malloc a buffer to hold signature.
signedBytes = malloc( signedBytesSize * sizeof(uint8_t) );
memset((void *)signedBytes, 0x0, signedBytesSize);
sanityCheck = SecKeyRawSign( privateKeyRef,
kTypeOfSigPadding,
(const uint8_t *)&inputString,
kChosenDigestLength,
(uint8_t *)signedBytes,
&signedBytesSize
);
signedHash = [NSData dataWithBytes:(const void *)signedBytes
length:(NSUInteger)signedBytesSize];
//NSLog(@"%@", signedHash);
[Base64 initialize];
NSString *b64EncStr = [Base64 encode:signedHash];
//NSLog(@"%@", b64EncStr);
//NSLog(@"String Length: %d", b64EncStr.length);
//Verify Signture
NSString *certPath = [[NSBundle mainBundle]
pathForResource:@"iphone1" ofType:@"cer"];
SecCertificateRef myCertificate = nil;
NSData *certificateData = [[NSData alloc] initWithContentsOfFile:certPath];
myCertificate = SecCertificateCreateWithData(kCFAllocatorDefault,
(CFDataRef)certificateData);
NSLog(@"Status: %@", myCertificate);
SecCertificateRef certArray[1] = {myCertificate};
CFArrayRef myCerts = CFArrayCreate(NULL, (const void **) &certArray, 1, NULL);
SecPolicyRef myPolicy = SecPolicyCreateBasicX509();
SecTrustRef myTrust;
SecTrustResultType trustResult;
OSStatus status = SecTrustCreateWithCertificates(myCerts,
myPolicy, &myTrust);
//NSLog(@"Status: %i", errSecSuccess);
//NSLog(@"Status: %i", status);
//SecTrustSetAnchorCertificates(myTrust, myCerts);
//NSLog(@"Anchor: %i", errSecSuccess);
//CFRelease(myCerts);
//CFRelease(myCACert);
OSStatus trustStatus = SecTrustEvaluate(myTrust, &trustResult);
if (trustStatus == errSecSuccess) {
NSLog(@"We can trust this certificate");
} else {
NSLog(@"We CANNOT trust this certificate");
}
//NSLog(@"Status: %i", errSecSuccess);
SecKeyRef publicKey = SecTrustCopyPublicKey(myTrust);
NSLog(@"Public Key: %d", publicKey);
OSStatus verifySig = SecKeyRawVerify(publicKey,
kTypeOfSigPadding,
(const uint8_t *)&inputString,
kChosenDigestLength,
(uint8_t *)signedBytes,
signedBytesSize
);
if (verifySig == errSecSuccess) {
NSLog(@"Valid Signature");
} else {
NSLog(@"Invalid Signature");
}
Here is my PHP code;
Code:
//verify signature first
$signature = base64_decode($sig);
$data=$uname.$pword;
$fp=fopen("keys/client/iphone-pubkey.pem","r");
$pub_key=fread($fp,8192);
fclose($fp);
$pub_key=base64_decode($key);
$ok = openssl_verify($data, $signature, $pub_key);
if ($ok == 1) {
$okResult= "Signature is good";
} elseif ($ok == 0) {
$okResult= "Signature is bad";
} else {
$okResult= "Signature is ugly, error checking signature";
}
iOS SecKeyRawSign issue
Linear Mode
