Openssl rsault verification Java implementation

For example I have generated signature:

$ openssl rsautl -sign -inkey private_key.pem -keyform PEM -in data > signature

Then if I want to verify it, I just do:

$ openssl rsautl -verify -inkey public_key.pem -in signature -pubin

And the output will be my data encoded in first step.

So the question is, how to implement this verification with Java? Can I use Signature class somehow or any other way?

P.S. 1 more question: As I know, public key must not be used to decrypt rsa signature, but anyway, in my example it is used for that. So anyone who has public key, can decrypt my message?

Thanks

3

1 Answer

Apparently the rsaautl uses equivalent of NONEwithRSA signature scheme, where the input data are takend as they are (assumed to be hashed or short ( length << N))

Signature verification:

Signature signature = Signature.getInstance("NONEwithRSA");
signature.initVerify(pubKey);
signature.update(data);
boolean verified = signature.verify(signatureBytes);

If data are longer (say longer than a common key / hash length) I suggest to use hashed signature, for example:

openssl dgst -sha256 -sign private.pem data.txt | base64

And verify by Java

Signature signature = Signature.getInstance("SHA256withRSA");
signature.initVerify(pubKey);
signature.update(data);
boolean verified = signature.verify(signatureBytes);

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge that you have read and understand our privacy policy and code of conduct.

You Might Also Like