use PHP openssl_verify() function to verify Signature and data created by Android Client APP

Issue

I read about post on openssl_verify()

I would like to ask some questions which relates to openssl_verify().

Because my PHP code fails to verify signature created from Java...

For server side, here's my PHP code

<?php
$data =$_POST['data'];
$signature=$_POST['sig'];
$pub_key=$_POST['pubkey'];

function print_input()
{
    global $data;
    global $signature;
    global $pub_key;
////////////////////////////////////////////////////////////////
// I output the public key to file, and check it to make sure they
// are in correct pem format.
///////////////////////////////////////////////////////////////
$f=fopen("./Personnel_Pubkey/pubkey.pem", "w");
fwrite($f,"$pub_key");
fclose($f);
$key = openssl_pkey_get_public ("./Personnel_Pubkey/pubkey.pem");

// doesn't work if you use PEM format public key, only works with X.509 format
// certificate, and cert and private key in PEM format.
$result=openssl_public_decrypt ( $signature, $data, $key);

////////////////////////////////////////////////////////////////
$sig=base64_decode($signature);

// for some reason, the value of $ok is always 0
$ok = openssl_verify($data, $sig, $key);

if ($ok == 1) {
    echo "good";
} 
elseif ($ok == 0) {
    echo "bad";} 
else {
    echo "ugly, error checking signature";
    }
}

print_input();

?>

For the client Android APP, here's the related part of code:

// create public key and private key pair
keyGen = KeyPairGenerator.getInstance("DSA");
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
keyGen.initialize(1024, random);

// Generate the Pair of Keys The final step is to generate the key pair 
// and to store the keys in PrivateKey  and PublicKey objects.
pair = keyGen.generateKeyPair();
priv = pair.getPrivate();
pub = pair.getPublic();

// Change to PEM format from original openssl format    
stringWriter = new StringWriter();
PEMWriter pemWriter = new PEMWriter(stringWriter);  
pemWriter.writeObject( pair.getPublic());
pemWriter.close();

// initialize  the signature
sig = Signature.getInstance("SHA1withDSA"); 
sig.initSign(priv);

// this is the original data     
String msg = "original msg";


OriginalMsgByteArray = msg.getBytes();

// put original data to signature
sig.update(OriginalMsgByteArray);

// sign the data, and get the byte array of signature 
byte[] realSig = sig.sign();

// change the binary to base64 format
signatureB = new String(Base64.encode(realSig));

Basically, I upload msg, signatureB, and stringWriter.toString() these 3 parameters to the PHP server, but it seems doesn't work.... here's my PEM file content:

-----BEGIN PUBLIC KEY-----
MIIBtzCCASsGByqGSM44BAEwggEeAoGBAJ6ZIDqo1sh4pVzK8kUUA8SPxWva3sVH
hrK0D86q+xpD11qhzlw28vLnZNLSq7MaPyUNKRLZL2D3x/e4fkILf7IBh6BdfOlo
dI3CtAQ5Xqfw0aU8UZ35H8HlkrvrTu3qw/Ilb9wcc8Ag9C73TzuG6URK65fgvPK2
oN9MdDlVJztNAhUAkI2VBs/8eHWoG7RBCyTqyVyCwXMCgYBFj9BXduZIhDBGkoub
bLwGWI6zkmC8Xel1jsRFFaRtPVS08li+SQ/XSzekidY6NP3lmYwj/kC9biG9x3mW
c5hELzOVGvLM94y1KksGC+v89M99Tlrx4zVqpajRCFDyPzJQWB/HO493q6J4HwmP
1/ihdtk5THRGmPkx2uSgLKWlJAOBhQACgYEAirx5dLO2EG71ZFnUQ7FtU8FCVOYW
VgZRP9SLqH8Ig5nnwmg5XFSpngzNvQ8FcWRKZkKFxYoo2j7lmQN9gl5O5cKPtuqj
KecFAJA4/0y3jPzM/+1dTizM6n3WLReH2xlS6OOY5EZQmpWB//qepgTT9GUGPyOL
ampB86OjNSicv0Y=
-----END PUBLIC KEY-----

Solution

I see a few potential issues in the code above.

First, according to the PHP documentation, you want to use openssl_get_publickey on an X509 certificate or a private key. Public key is not listed as an option.

Second, you want to do an fread of the file into a variable and then use that variable in the openssl_get_publickey method. See below:

$fp = fopen("./cert.pem", "r");
$cert = fread($fp, 8192);
fclose($fp);
$key = openssl_get_publickey($cert);

Third, $bsig isn't declared or defined anywhere.

Answered By - gtrig