I would like to sign the message “hello” on the browser using SubtleCrypto
with ECDSA
curve P-384
or P-256
, then verify the signature on the server with PHP 8.
On the browser, I generate a keypair and use it to sign the message:
let key = await crypto.subtle.generateKey({name: 'ECDSA', namedCurve: 'P-384'}, true, ['sign']);
let pk = await crypto.subtle.exportKey('spki', key.publicKey);
let pk_hex = [new Uint8Array(pk)].map(x => x.toString(16).padStart(2, '0')).join('');
let sign = await crypto.subtle.sign({name: 'ECDSA', hash: 'SHA-512'}, key.privateKey, new TextEncoder().encode('hello'));
let sign_hex = [new Uint8Array(sign)].map(x => x.toString(16).padStart(2, '0')).join('');
I then send pk_hex
and sign_hex
to the server. This is what they look like:
pk_hex:
3076301006072a8648ce3d020106052b810400220362000495914dee09e8b26de437496e16b97f9734e5854a5e0f9f7a6a3d2b63d7c4a47e570bb0d21984b24611903fa5707df154e73e9e0ad7c91b51728dc969dd029868c13db568f3e6829c7679e7354d2b7cb9d2d05109a4444a5292b65ac43fdc778a
sign_hex:
ffcdda67026a606e0a0a8933ec25b1d991a211e8ec8d07fd62d0dfe458ab57330f9fb14df6822af703a398df6ebab475ede8456864dd9ae4cf09eb1113c701a725a627d81b70025e32472df2ce8aff1916aa2b13f27c5b811a77f1c5eaffa726
On the server, I reconstruct the signature and public key:
$signature = hex2bin($sign_hex);
$public_key = (
"-----BEGIN PUBLIC KEY-----n" .
chunk_split(base64_encode(hex2bin($pk_hex)), 64, "n") .
"-----END PUBLIC KEY-----"
);
I then use openssl_verify()
to verify the signature:
openssl_verify('hello', $signature, $public_key, OPENSSL_ALGO_SHA512);
But the result I get is -1
, for both P-384
and P-256
.
If I try doing the same operation using RSASSA-PKCS1-v1_5
, the verification passes.
What am I doing wrong?
Could it be that the format of the public key that I’m creating is incorrect? If so, what can I do to format it correctly? Or maybe it’s something else?
openssl_error_string()
returns:
error:0909006C:PEM routines:get_name:no start line
openssl_get_curve_names()
returns:
secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, prime256v1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, wap-wsg-idm-ecid-wtls1, wap-wsg-idm-ecid-wtls3, wap-wsg-idm-ecid-wtls4, wap-wsg-idm-ecid-wtls5, wap-wsg-idm-ecid-wtls6, wap-wsg-idm-ecid-wtls7, wap-wsg-idm-ecid-wtls8, wap-wsg-idm-ecid-wtls9, wap-wsg-idm-ecid-wtls10, wap-wsg-idm-ecid-wtls11, wap-wsg-idm-ecid-wtls12, Oakley-EC2N-3, Oakley-EC2N-4, brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1, SM2
Solution
As the answer details, the problem is the fact that SubtleCrypto
encodes the signature using the IEEE P1363 format, while OpenSSL expects it in the ASN.1/DER format.
I wrote the following function to convert between P1363 and ASN.1:
/**
* Converts an IEEE P1363 signature into ASN.1/DER.
*
* @param string $p1363 Binary IEEE P1363 signature.
*/
function p1363_to_asn1(string $p1363): string {
// P1363 format: r followed by s.
// ASN.1 format: 0x30 b1 0x02 b2 r 0x02 b3 s.
//
// r and s must be prefixed with 0x00 if their first byte is > 0x7f.
//
// b1 = length of contents.
// b2 = length of r after being prefixed if necessary.
// b3 = length of s after being prefixed if necessary.
$asn1 = ''; // ASN.1 contents.
$len = 0; // Length of ASN.1 contents.
$c_len = intdiv(strlen($p1363), 2); // Length of each P1363 component.
// Separate P1363 signature into its two equally sized components.
foreach (str_split($p1363, $c_len) as $c) {
// 0x02 prefix before each component.
$asn1 .= "x02";
if (unpack('C', $c)[1] > 0x7f) {
// Add 0x00 because first byte of component > 0x7f.
// Length of component = ($c_len + 1).
$asn1 .= pack('C', $c_len + 1) . "x00";
$len += 2 + ($c_len + 1);
} else {
$asn1 .= pack('C', $c_len);
$len += 2 + $c_len;
}
// Append formatted component to ASN.1 contents.
$asn1 .= $c;
}
// 0x30 b1, then contents.
return "x30" . pack('C', $len) . $asn1;
}
Usage example:
$sign_hex = bin2hex(p1363_to_asn1(hex2bin($sign_hex)));
Advertisement
Answer
EC signatures can be specified in two formats: r|s (IEEE P1363) or ASN.1/DER. WebCrypto uses the r|s format, while PHP requires the ASN.1 format.
The ASN.1 format is explained in detail here. The posted signature in ASN.1 format is hex encoded:
$sign_hex = '3066023100ffcdda67026a606e0a0a8933ec25b1d991a211e8ec8d07fd62d0dfe458ab57330f9fb14df6822af703a398df6ebab475023100ede8456864dd9ae4cf09eb1113c701a725a627d81b70025e32472df2ce8aff1916aa2b13f27c5b811a77f1c5eaffa726';
With this, the verification in PHP is successful.
Both formats are defined in the context of ECC, while RSASSA-PKCS1-v1_5 is a signature scheme in the context of RSA that uses a uniform signature format, so a corresponding problem can generally not occur.
Edit: The ASN.1 format is explained in detail here:
0x30 b1 0x02 b2 (r) 0x02 b3 (s)
Equally dividing the posted signature result in r
:
ffcdda67026a606e0a0a8933ec25b1d991a211e8ec8d07fd62d0dfe458ab57330f9fb14df6822af703a398df6ebab475
and s
:
ede8456864dd9ae4cf09eb1113c701a725a627d81b70025e32472df2ce8aff1916aa2b13f27c5b811a77f1c5eaffa726
Since in both cases the leading byte is larger than 0x7f
, a leading 0x00
must be prepended in both cases.
b2
and b3
denote the lengths of r
and s
, respectively, and are both 0x31
. b1
denotes the length of the subsequent data and is 0x66
, which finally gives:
3066 0231 00ffcdda67026a606e0a0a8933ec25b1d991a211e8ec8d07fd62d0dfe458ab57330f9fb14df6822af703a398df6ebab475 0231 00ede8456864dd9ae4cf09eb1113c701a725a627d81b70025e32472df2ce8aff1916aa2b13f27c5b811a77f1c5eaffa726