Skip to content
Advertisement

Verifying an ECDSA P-384 or P-256 signature with PHP 8

I would like to sign the message “hello” on the browser using SubtleCrypto with ECDSA curve P-384 or P-256, then verify the signature on the server with PHP 8.

On the browser, I generate a keypair and use it to sign the message:

let key      = await crypto.subtle.generateKey({name: 'ECDSA', namedCurve: 'P-384'}, true, ['sign']);
let pk       = await crypto.subtle.exportKey('spki', key.publicKey);
let pk_hex   = [...new Uint8Array(pk)].map(x => x.toString(16).padStart(2, '0')).join('');
let sign     = await crypto.subtle.sign({name: 'ECDSA', hash: 'SHA-512'}, key.privateKey, new TextEncoder().encode('hello'));
let sign_hex = [...new Uint8Array(sign)].map(x => x.toString(16).padStart(2, '0')).join('');

I then send pk_hex and sign_hex to the server. This is what they look like:

pk_hex:
3076301006072a8648ce3d020106052b810400220362000495914dee09e8b26de437496e16b97f9734e5854a5e0f9f7a6a3d2b63d7c4a47e570bb0d21984b24611903fa5707df154e73e9e0ad7c91b51728dc969dd029868c13db568f3e6829c7679e7354d2b7cb9d2d05109a4444a5292b65ac43fdc778a
sign_hex:
ffcdda67026a606e0a0a8933ec25b1d991a211e8ec8d07fd62d0dfe458ab57330f9fb14df6822af703a398df6ebab475ede8456864dd9ae4cf09eb1113c701a725a627d81b70025e32472df2ce8aff1916aa2b13f27c5b811a77f1c5eaffa726

On the server, I reconstruct the signature and public key:

$signature = hex2bin($sign_hex);

$public_key = (
    "-----BEGIN PUBLIC KEY-----n" .
    chunk_split(base64_encode(hex2bin($pk_hex)), 64, "n") .
    "-----END PUBLIC KEY-----"
);

I then use openssl_verify() to verify the signature:

openssl_verify('hello', $signature, $public_key, OPENSSL_ALGO_SHA512);

But the result I get is -1, for both P-384 and P-256.

If I try doing the same operation using RSASSA-PKCS1-v1_5, the verification passes.

What am I doing wrong?

Could it be that the format of the public key that I’m creating is incorrect? If so, what can I do to format it correctly? Or maybe it’s something else?


openssl_error_string() returns:

error:0909006C:PEM routines:get_name:no start line

openssl_get_curve_names() returns:

secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, prime256v1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, wap-wsg-idm-ecid-wtls1, wap-wsg-idm-ecid-wtls3, wap-wsg-idm-ecid-wtls4, wap-wsg-idm-ecid-wtls5, wap-wsg-idm-ecid-wtls6, wap-wsg-idm-ecid-wtls7, wap-wsg-idm-ecid-wtls8, wap-wsg-idm-ecid-wtls9, wap-wsg-idm-ecid-wtls10, wap-wsg-idm-ecid-wtls11, wap-wsg-idm-ecid-wtls12, Oakley-EC2N-3, Oakley-EC2N-4, brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1, SM2

Solution

As the answer details, the problem is the fact that SubtleCrypto encodes the signature using the IEEE P1363 format, while OpenSSL expects it in the ASN.1/DER format.

I wrote the following function to convert between P1363 and ASN.1:

/**
 * Converts an IEEE P1363 signature into ASN.1/DER.
 *
 * @param string $p1363 Binary IEEE P1363 signature.
 */
function p1363_to_asn1(string $p1363): string {
    // P1363 format: r followed by s.

    // ASN.1 format: 0x30 b1 0x02 b2 r 0x02 b3 s.
    //
    // r and s must be prefixed with 0x00 if their first byte is > 0x7f.
    //
    // b1 = length of contents.
    // b2 = length of r after being prefixed if necessary.
    // b3 = length of s after being prefixed if necessary.

    $asn1  = '';                        // ASN.1 contents.
    $len   = 0;                         // Length of ASN.1 contents.
    $c_len = intdiv(strlen($p1363), 2); // Length of each P1363 component.

    // Separate P1363 signature into its two equally sized components.
    foreach (str_split($p1363, $c_len) as $c) {
        // 0x02 prefix before each component.
        $asn1 .= "x02";

        if (unpack('C', $c)[1] > 0x7f) {
            // Add 0x00 because first byte of component > 0x7f.
            // Length of component = ($c_len + 1).
            $asn1 .= pack('C', $c_len + 1) . "x00";
            $len += 2 + ($c_len + 1);
        } else {
            $asn1 .= pack('C', $c_len);
            $len += 2 + $c_len;
        }

        // Append formatted component to ASN.1 contents.
        $asn1 .= $c;
    }

    // 0x30 b1, then contents.
    return "x30" . pack('C', $len) . $asn1;
}

Usage example:

$sign_hex = bin2hex(p1363_to_asn1(hex2bin($sign_hex)));

Advertisement

Answer

EC signatures can be specified in two formats: r|s (IEEE P1363) or ASN.1/DER. WebCrypto uses the r|s format, while PHP requires the ASN.1 format.

The ASN.1 format is explained in detail here. The posted signature in ASN.1 format is hex encoded:

$sign_hex = '3066023100ffcdda67026a606e0a0a8933ec25b1d991a211e8ec8d07fd62d0dfe458ab57330f9fb14df6822af703a398df6ebab475023100ede8456864dd9ae4cf09eb1113c701a725a627d81b70025e32472df2ce8aff1916aa2b13f27c5b811a77f1c5eaffa726';

With this, the verification in PHP is successful.


Both formats are defined in the context of ECC, while RSASSA-PKCS1-v1_5 is a signature scheme in the context of RSA that uses a uniform signature format, so a corresponding problem can generally not occur.


Edit: The ASN.1 format is explained in detail here:

0x30 b1 0x02 b2 (r) 0x02 b3 (s)

Equally dividing the posted signature result in r:

ffcdda67026a606e0a0a8933ec25b1d991a211e8ec8d07fd62d0dfe458ab57330f9fb14df6822af703a398df6ebab475

and s:

ede8456864dd9ae4cf09eb1113c701a725a627d81b70025e32472df2ce8aff1916aa2b13f27c5b811a77f1c5eaffa726

Since in both cases the leading byte is larger than 0x7f, a leading 0x00 must be prepended in both cases.

b2 and b3 denote the lengths of r and s, respectively, and are both 0x31. b1 denotes the length of the subsequent data and is 0x66, which finally gives:

3066 0231 00ffcdda67026a606e0a0a8933ec25b1d991a211e8ec8d07fd62d0dfe458ab57330f9fb14df6822af703a398df6ebab475 0231 00ede8456864dd9ae4cf09eb1113c701a725a627d81b70025e32472df2ce8aff1916aa2b13f27c5b811a77f1c5eaffa726
User contributions licensed under: CC BY-SA
10 People found this is helpful
Advertisement