From: Tomas G. <to...@pr...> - 2016-10-14 07:32:55
Hi,
In your code, "message.getEncoded()" looks suspicious. You cannot just
get the bytes from a CMP message and try to verify a signature over
them, because those are not the bytes that the signature was created over.
Find a snippet of test code from EJBCA test cases:

    // Verify the signature
    byte[] protBytes = CmpMessageHelper.getProtectedBytes(respObject);
    DERBitString bs = respObject.getProtection();
    Signature sig;
    try {
        sig = Signature.getInstance(expectedSignAlg, "BC");
        sig.initVerify(cacert);
        sig.update(protBytes);
        boolean ret = sig.verify(bs.getBytes());
        assertTrue(ret);
    } catch (NoSuchAlgorithmException e) {

Regards,
Tomas
**********
PrimeKey Solutions AB
Lundagatan 16, 171 63 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********
On 2016-10-14 09:10, Brian Dechoux (ext) wrote:
> Hello,
>
> I'm using CMP and after an Initialisation Request, I got a signed response from EJBCA.
> In 'Certificate Confirmation' > 'default CA' -> I've got a CA ('test'), created in EJBCA and its issuer is the default CA ManagementCA.
>
> With which public key should I verify this signature?
> I tried with the 3 public keys in the 'Crypto Token' view and I just can't make this work properly.
>
> I use this (Java):
> byte[] decodedPkey = Base64.decode(publicKeyString);
> KeyFactory keyFactory = KeyFactory.getInstance("RSA");
> KeySpec publicKeySpec = new X509EncodedKeySpec(decodedPkey);
> PublicKey publicKey = keyFactory.generatePublic(publicKeySpec);
>
> sig.initVerify(publicKey);
> sig.update(message.getEncoded());
> sig.verify(message.getProtection().getBytes())
>
> Thanks a lot
> Have a good day
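
The check described in the reply above, as an added example that is not part of the original thread and not EJBCA's own code: it rebuilds the DER-encoded ProtectedPart (header plus body) with plain Bouncy Castle ASN.1 classes and verifies the protection bits over that instead of over the whole message. The class name CmpProtectionCheck, the method signature, and passing in a locally trusted CA certificate are assumptions; it covers signature-based protection with a parameterless algorithm such as SHA256withRSA only.

```java
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;

import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.cmp.ProtectedPart;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Hypothetical helper class, written for this example.
public final class CmpProtectionCheck {

    /**
     * Verifies signature-based protection on a DER-encoded CMP PKIMessage.
     * trustedSigner is assumed to be a certificate configured locally as the
     * expected response signer, not one taken unvalidated from the message.
     */
    public static boolean verify(byte[] pkiMessageDer, X509Certificate trustedSigner)
            throws Exception {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        PKIMessage msg = PKIMessage.getInstance(ASN1Primitive.fromByteArray(pkiMessageDer));

        // An unprotected message must be rejected, not treated as valid.
        if (msg.getProtection() == null || msg.getHeader().getProtectionAlg() == null) {
            return false;
        }

        // The signature covers DER(SEQUENCE { header, body }), i.e. the
        // ProtectedPart, which excludes the protection and extraCerts fields.
        // The bytes of the full PKIMessage are therefore the wrong input.
        byte[] protBytes = new ProtectedPart(msg.getHeader(), msg.getBody())
                .getEncoded(ASN1Encoding.DER);

        // Take the algorithm from the header's protectionAlg OID. A MAC-based
        // protectionAlg is not a signature and makes getInstance throw
        // NoSuchAlgorithmException; it needs a separate code path.
        String algOid = msg.getHeader().getProtectionAlg().getAlgorithm().getId();
        Signature sig = Signature.getInstance(algOid, "BC");
        sig.initVerify(trustedSigner.getPublicKey());
        sig.update(protBytes);
        return sig.verify(msg.getProtection().getBytes());
    }
}
```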