Using crypto with an OpenSSL generated PEM File

Hey People,

I have a project that uses OpenSSLMBS.SignData from a PEM File created with OpenSSL that works brilliantly. Now I need to port that project to iOS & so I’ll need to use the Xojo.Crypto module. Before I even get to the iOS stuff I want to replace Christian’s excellent plugin & prove that it works.

So I read my pem file into a text variable & strip the begin & end lines, decode the base64 remainder, use BerDecodeprivatekey to get something valid for the crypto module. And the signature is totally different from the correct MBS signature. Just in case of error I also created a DER file from OpenSSL & wrote a Xojo app to convert the DER file into a PEM file which MBS uses happily to sign the data correctly. Using that DER file with crypto still signs the data incorrectly.

What am I doing wrong? Any help will be greatly appreciated.

TIA
Wayne

OpenSSL is not available on iOS currently with Xojo…

Do you make a SHA1 hash for the data to sign the hash?

Looking at the Crypto++ docs, it looks like it may actually be signing the SHA1 hash of the data, as Christian suggests. It outputs the signature in a PKCS1v15 container, which is the OpenSSL default, so you should be fine there.

So maybe try having OpenSSL do the same and see if they compare. What you are trying to do should work; an RSA signature is an RSA signature. But there are plenty of other variables.

Thanks guys, got it working. Now just to figure out why the xojo.Net.HTTPSocket returns a 401 error while the legacy socket returns data.

What was the solution?

A fresh pair of eyes. I was signing a request with a nonce - so I wasn’t signing the same data. D’oh!
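
An added example, not part of the original thread and not Xojo or MBS code: RSA signing with SHA-1 and PKCS#1 v1.5 padding is deterministic, so two implementations given the same key and the same bytes must produce identical signatures, and a mismatch is best diagnosed by comparing the signed bytes first. The key is a constructed toy key and the names `sign`, `verify` and `diagnose` are assumptions made for this sketch.

```python
import hashlib

# Constructed toy key, for illustration only: both primes are well-known
# Mersenne primes, so this key is NOT secure and must never protect real data.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus length in bytes

# DER prefix of the DigestInfo structure for SHA-1 (RFC 8017, section 9.2)
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15(data: bytes) -> bytes:
    """Build the padded block 00 01 FF..FF 00 DigestInfo(SHA-1(data))."""
    t = SHA1_PREFIX + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(data: bytes) -> bytes:
    """No randomness is involved: same key and same bytes give the same output."""
    m = int.from_bytes(emsa_pkcs1_v15(data), "big")
    return pow(m, D, N).to_bytes(K, "big")


def verify(data: bytes, sig: bytes) -> bool:
    recovered = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return recovered == emsa_pkcs1_v15(data)


def diagnose(data_a: bytes, sig_a: bytes, data_b: bytes, sig_b: bytes) -> str:
    """Explain why two signatures from two code paths do not match."""
    if sig_a == sig_b:
        return "match"
    if hashlib.sha1(data_a).digest() != hashlib.sha1(data_b).digest():
        return "inputs differ: compare the exact bytes being signed"
    return "same input: check key, hash algorithm and padding"


if __name__ == "__main__":
    # Constructed sample requests: each code path generated its own nonce.
    a, b = b"GET /orders&nonce=1001", b"GET /orders&nonce=1002"
    print(diagnose(a, sign(a), b, sign(b)))
```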