openssl signature verification using SHA256withRSA.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

bhargava
Forum Newbie
Posts: 2
Joined: Fri Aug 07, 2009 10:51 pm

openssl signature verification using SHA256withRSA.

Post by bhargava »

Hi,
I am using php openssl for verifying the signatures. My use case is like this:

1. I want to send notifications to my clients (web servers). Naturally, I do a POST. As I want security, I am also sending a signature (will explain what kind later) in the POST request.
2. Client will have to verify the signature that request indeed came from me and was not tampered.

Now for signature,
1. I am signing request parameters using private key of x509 certificate.
2. I will publish a public key certificate for the client which she uses to verify the signature I sent.

So far so good? Now the problem: From my side I am using algorithm 'SHA256withRSA' (in Java) for signature generation. But my client is using PHP? I don't see any place where openssl supports this algorithm; I could only find SHA1_WITH_RSA.

Is there any way I can verify the SHA256withRSA signature? Perhaps a different library or some hidden openssl gotcha?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: openssl signature verification using SHA256withRSA.

Post by kaisellgren »

bhargava wrote:
> 2. Client will have to verify the signature that request indeed came from me and was not tampered.

Why don't you just use SSL/TLS for this? Connect to the client with SSL/TLS and send the POST parameters as is.
bhargava
Forum Newbie
Posts: 2
Joined: Fri Aug 07, 2009 10:51 pm

Re: openssl signature verification using SHA256withRSA.

Post by bhargava »

kaisellgren wrote:
> bhargava wrote:
> > 2. Client will have to verify the signature that request indeed came from me and was not tampered.
>
> Why don't you just use SSL/TLS for this? Connect to the client with SSL/TLS and send the POST parameters as is.

Thanks Kai, but I don't want to put that restriction on my client as my client will not be just one but too many ranging from small merchants to super big merchants.

That's why the whole pain :)
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: openssl signature verification using SHA256withRSA.

Post by kaisellgren »

A web server should be able to handle SSL/TLS. Apache is the most popular HTTPD and it comes with an easy-to-use SSL/TLS module so I don't think you would put any restriction on your clients.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: openssl signature verification using SHA256withRSA.

Post by Eran »

Yes, PHP only has a small set of hashing algorithms for use with SSL built in. Either you create the hashing procedure yourself (if you know how it works) or hash on your side with SHA1.
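
Added example, not part of the original thread: current PHP versions expose `OPENSSL_ALGO_SHA256` for `openssl_sign()`/`openssl_verify()`, which is the same RSA PKCS#1 v1.5 with SHA-256 scheme that Java calls `SHA256withRSA`. The function names, the `sig` field, the parameter canonicalization and the throwaway key pair below are assumptions made for illustration; the sender must build the signed string the same way.

```php
<?php
// Added example; canonicalize(), verifyNotification() and the "sig" field are hypothetical names.

// Both sides must sign exactly the same bytes: drop the signature field,
// sort the keys, then encode with one fixed rule (assumed convention).
function canonicalize(array $params): string {
    unset($params['sig']);
    ksort($params, SORT_STRING);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Returns true only when the signature is valid.
// openssl_verify() yields 1 (valid), 0 (invalid) or -1/false (error), so the
// comparison must be strict: a loose truthiness check would accept -1.
function verifyNotification(array $post, $publicKey): bool {
    $sig = base64_decode($post['sig'] ?? '', true); // strict base64 decoding
    if ($sig === false || $sig === '') {
        return false;
    }
    return openssl_verify(canonicalize($post), $sig, $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

// --- Constructed demo data: a throwaway key pair stands in for the sender's key ---
// A real client would load the published certificate instead, e.g.
// openssl_pkey_get_public(file_get_contents('sender-cert.pem')) (hypothetical file name).
$key = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$pub = openssl_pkey_get_details($key)['key']; // PEM-encoded public key

// Sender side (done in Java in the thread; done here in PHP to keep the demo self-contained).
$post = ['order_id' => '1001', 'amount' => '25.00', 'status' => 'PAID'];
openssl_sign(canonicalize($post), $rawSig, $key, OPENSSL_ALGO_SHA256);
$post['sig'] = base64_encode($rawSig);

// Receiver side: first the request as sent, then with one parameter changed after signing.
var_dump(verifyNotification($post, $pub));
$post['amount'] = '0.01';
var_dump(verifyNotification($post, $pub));
```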