Hi,
I am using php openssl for verifying the signatures. My usecase is like this:
1. I want to send notifications to my clients (web servers). Naturally, I do a POST. As I want security, I am also sending a signature (will explain what kind later) in the POST request.
2. Client will have to verify the signature that request indeed came from me and was not tampered.
Now for signature,
1. I am signing request parameters using private key of x509 certificate.
2. I will publish a public key certificate for the client which she uses to verify the signature i sent.
So far so good? Now the problem : From my side I am using algorithm 'SHA256withRSA' (in Java) for signature generation. But my client is using PHP? I don't see anyplace when openssl supports this algorithm I could only find SHA1_WITH_RSA.
Is there any way, I can verify the SHA256withRSA signature? perhaps a different library or some hidden openssl gotcha
openssl signature verification using SHA256withRSA.
Moderator: General Moderators
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: openssl signature verification using SHA256withRSA.
Why don't you just use SSL/TLS for this? Connect to the client with SSL/TLS and send the POST parameters as is.bhargava wrote:2. Client will have to verify the signature that request indeed came from me and was not tampered.
Re: openssl signature verification using SHA256withRSA.
Thanks Kai, but I don't want to put that restriction on my client as my client will not be just one but too many ranging from small merchants to super big merchants.kaisellgren wrote:Why don't you just use SSL/TLS for this? Connect to the client with SSL/TLS and send the POST parameters as is.bhargava wrote:2. Client will have to verify the signature that request indeed came from me and was not tampered.
Thats why the whole pain
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: openssl signature verification using SHA256withRSA.
A web server should be able to handle SSL/TLS. Apache is the most popular HTTPD and it comes with an easy-to-use SSL/TLS module so I don't think you would put any restriction on your clients.
Re: openssl signature verification using SHA256withRSA.
Yes, PHP only has a small set of hashing algorithm for use with SSL built in. Either you create the hashing procedure yourself (if you know how it works) or hash on your side with SHA1.