How to verify digital signature in python which was created from PHP or nodejs

Question

I hope that today your code is written quickly and without bugs :) Let me explain the context a bit.

I have a two projects which will communicate to each other.

Project A - written in PHP, and it will send requests to project B with DigitalSignature provided in Headers

Project B - written in python, and it will receive requests from project A, verify DigitalSignature and save recieved payload in MQ.

The problem is, that project B, always returns that Digital Signature created by project A is invalid, although if you check the same created digital signature on php or nodejs, everything is correct and valid.

Will try to be short and precise.

I created prototypes in 3 languages( nodejs, php and python )

PHP and nodejs - all works as expected and return the same output. Python - generates different output

Sign code in PHP

function encryptNotification($strNotification, $strPrivateKey) {
    $strHash = hash('sha256', $strNotification);
    openssl_private_encrypt($strHash, $strCrypt, $strPrivateKey);
    
    return bin2hex($strCrypt);
}

Verify code in PHP

function validateNotification($strNotification, $strDigitalSignature, $strPublicKey) {
    $strValidate = hash('sha256', $strNotification);
    $strCrypt = hex2bin($strDigitalSignature);
    openssl_public_decrypt($strCrypt, $strDecrypt, $strPublicKey);
    return $strValidate == $strDecrypt;   
}

Sign code in NODEJS

function signNotification(strNotification, strPrivateKeyPath) {
    const strHash = crypto.createHash('sha256').update(strNotification).digest("hex");

    const privateKey = fs.readFileSync(strPrivateKeyPath, 'utf8');

    const strSign = crypto.privateEncrypt(
        {
            key: privateKey,
            padding: crypto.constants.RSA_PKCS1_PADDING
        },
        strHash
    );

    return strSign.toString('hex');
}

Verify code in NODEJS

function validateNotification(strNotification, strDigitalSignature, strPublicKey) {
    const strValidate = crypto.createHash('sha256').update(strNotification).digest('hex');
    const strCrypt = Buffer.from(strDigitalSignature, 'hex');

    const publicKey = fs.readFileSync(strPublicKey, 'utf8');
    const strDecrypt = crypto.publicDecrypt({
        key: publicKey,
        padding: crypto.constants.RSA_PKCS1_PADDING
    }, strCrypt).toString('utf8');

    return strValidate === strDecrypt;
}

Sign code in python ( do not work as expected )

def sign_notification(notification, private_key_path):
    with open(private_key_path, "rb") as key_file:
        private_key = serialization.load_pem_private_key(
            key_file.read(),
            password=None,
            backend=default_backend()
        )

    digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
    digest.update(notification.encode())
    hash = digest.finalize()

    signature = private_key.sign(
        hash,
        padding.PKCS1v15(),
        hashes.SHA256()
    )

    return signature.hex()

Verify code in python ( works only if digital signatrue was created in python )

def validate_notification(str_notification, str_digital_signature, str_public_key_pem):
    # Decode the public key from PEM format
    public_key = serialization.load_pem_public_key(
        str_public_key_pem.encode(),
        backend=default_backend()
    )
    
    # Hash the notification string using SHA-256
    notification = str_notification.encode()

    # Convert the digital signature from hex to binary
    signature = bytes.fromhex(str_digital_signature)

    # Verify the signature
    try:
        public_key.verify(
            signature,
            notification,
            padding.PKCS1v15(),
            hashes.SHA256()
        )
        return True
    except InvalidSignature:
        return False
    except Exception as e:
        print(f"An unexpected error occurred: {e}")
        return False

Generated DigitalSignature in nodejs and php

46e0f90929609f626edc48b57c5f6e0f2852b0c554265a1dfae9008a08fe318b04758af53f0dd35bacb904fd508f9e7466701f7010abd0fb90b2304f59944a19acafc29b05287b07cb8fea360de274bed8f3ae199c2e40b29fd746bac0ee4ee991d9c793a818cc2d0fe8fc8396d9d5bdb3429935fe6d2ce4bba8df6dc9c0c902deb29dc70869c7c2573d68935dcccd8be0e60dc359d0f0d3cedcf40291d8318e6315e9451e5b9610f9264ea4ecb6f8a6bc5ca0d2909e725417cc33f29e247e3dc62a9cf2d9f3fa8e50f7355a09264dbdf33f4be0819ee19f0cb97a31ed02c0d8bc82cd120451bab10d78d399ba9bc5a0fd0618649630335b708f39862f6bc0f4a15e4e1d75e3076a6dbe53814babe6e4bcb146f835fa43e9e19d1fca970591a71d65dd41be374ae979da96f06ea96fa1369d5fc1975a063a04625b3b0f975b9d5664843a3b73138def8c351ce0cd0907fd90378c4f441ab98a325de6f5ee96b85c4898ff3a51c4b0c8c7cb82a91186983197f0cb706690bd0d9d07c3be908f022696e2bedb60523679ea002ee63f7882c4732d681c82e03d190ec0b87c2f94182fadbe3a54ff87921035606969c9ed3de3145b69e3df6cff55cb674bb70de75ddf26ac79cb9fdcf4e7bb5f257e66dece6c4f0d36d174764dec0306ace55855eda83fe2115a8fb93012f3d5491ae055ea921104e89ccfd316fe15a63769237f75

Used message body

hello

Private key

Public key

I am sure that private, public keys are the same for each example. And I am sure that padding alg also is PKCS1v15. I tried several approaches in python, and also asked a lot of questions to chat gpt, but still - nothing helps. Mby some python guru can help me.

The question is, how to verify generated digital signature in python, which was created by PHP, mby I am missing something? Thank you

can you provide signature from nodejs and php, public key?. the code in python look like ok — TanThien
– TanThien, Commented Apr 12, 2024 at 7:50
The Python code hashes implicitly, which is why the message must be passed directly. You seem to be doing this (hash = notification), but you should change the name hash to msg or similar. In addition, the three lines regarding hashing should be removed, as the hash (digest.finalize()) is not used at all. The reason for your problem is that the Python code generates RFC8017 compliant signatures, the other two do not. Can the PHP and NodeJS code be changed? — Topaco
– Topaco, Commented Apr 12, 2024 at 8:36
thank you for your answer, hash = notification -> it was just experiment, forgot to remove that line. But it do not work anyway. Unfortunately to do changes on php side will be difficult, cuz it is third party service - but I think it is possible, if I will speak with them. But what exactly need to be changed on php side? — lavr
– lavr, Commented Apr 12, 2024 at 9:50
The functions used on the PHP and NodeJS side are intended for low level signing that neither hash nor add the digest ID (more precisely the DER encoding of the DigestInfo value). Although both codes explicitly hash, they do not add the digest ID, so that the signature is not compliant with RFC8017. The Python code, on the other hand, is compliant, which is why the verification of the PHP/NodeJS signatures with the Python code fails. — Topaco
– Topaco, Commented Apr 12, 2024 at 10:10
To fix the incompatibility on the NodeJS/PHP side, add the digest ID or - which is more convenient - use the intended high level functions: on the PHP side openssl_sign(), on the NodeJS side e.g. crypto.sign(). If you can't change the NodeJS/PHP side so that the Python code has to be adapted, you need a corresponding Python functionality. The Python crypto libraries known to me adhere to the standard, so you need a custom implementation, see e.g. here. However, I would clearly recommend RFC8017-compliant signatures. — Topaco
– Topaco, Commented Apr 12, 2024 at 10:15

Collectives™ on Stack Overflow

How to verify digital signature in python which was created from PHP or nodejs

0

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

0

Know someone who can answer? Share a link to this question via email, Twitter, or Facebook.

Your Answer

Sign up or log in

Post as a guest

Linked