Verifying a payload using an RSA public key

714 views
Skip to first unread message

xrl...@gmail.com

unread,
Aug 17, 2015, 4:04:59 PM8/17/15
to golang-nuts
I need to verify a ticket using an existing signing scheme. The ticket is a presented in clear text then followed by a signature from an authoritative source. The signature is base64 url encoded value. The signature holds the SHA256 of the clear text signed by the RSA private key. I have the public key and I need to verify the clear text is valid. However, I cannot figure out how to do this with the crypto module.

I have a nodejs implementation which hashes the value, and uses a very high level 'verify' function from the node stdlib.

Ticket.prototype.verify = function (ticket) {
    if (!ticket) return null;
    var pubkey = fs.readFileSync('/etc/SCAMP/auth/ticket_verify_public_key.pem');
    var parts = ticket.split(',');
    if (parts[0] != '1') return null;
    var sig = new Buffer(parts.pop().replace(/-/g,'+').replace(/_/g,'/'), 'base64');
    var valid = crypto.createVerify('sha256').update( new Buffer(parts.join(',')) ).verify( pubkey, sig )
}

Can I get similar functionality from the go stdlib? Here is a failing playground example of what I am doing, it includes a public key and does all the steps mentioned before: http://play.golang.org/p/COx2OG-AiA

jasdel

unread,
Aug 17, 2015, 6:39:19 PM8/17/15
to golang-nuts, xrl...@gmail.com
I would suggest checking out the rsa.VerifyPKCS1v15 function, given the hashed token, and signature it will validate the signature using a public key.

Here is an example of a verify func: http://play.golang.org/p/bUvJ4-MOlx

    func verify(token, b64Sig []byte, pubKey *rsa.PublicKey) error {
        hash := sha256.New()
        if _, err := bytes.NewReader(token).WriteTo(hash); err != nil {
            return fmt.Errorf("unable to hash signed token, %s", err.Error())
        }

        decodedSig, err := base64.StdEncoding.DecodeString(string(b64Sig))
        if err != nil {
            return fmt.Errorf("unable to decode base64 signature, %s", err.Error())
        }

        if err := rsa.VerifyPKCS1v15(pubKey, crypto.SHA256, hash.Sum(nil), decodedSig); err != nil {
            return fmt.Errorf("unable to verify signature, %s", err.Error())
        }
        return nil
    }
Reply all
Reply to author
Forward
0 new messages