RSA Signing with PHP and verifying with C#

Question

I'm building an application which is Client (C#) & Server (PHP) based application.

I want to sign the data on Server using RSA-SHA1 and send to client.

On Server i.e. PHP I' using PHPSecLib, signing with Private Key. On client i.e. C# I'm using RSACryptoServiceProvider. Sign Hash from Server is not matching with the client. I'm providing both C# and PHP Codes:

PHP #Output

BLkgXU6t6IYNdlrgTaJgaGzZtSc9NjY9q67PbidGo0e79SyQ7b18uKSg1a215r583atzIlFYkAyxDCjvQJIBATdeOKpWuzdtRkZqDX7TQAw5jLHdsFjL3lQWABERFUdEs9XuCykb3I8UNVT2UgmMRZ3pyKknCMdc5AlE9mKXOYI=

PHP Code

$plaintext = 'O';
$rsa = new Crypt_RSA();
$rsa->loadKey("<RSAKeyValue><Modulus>3BqiIB3ouyXHDMpW43TlZrx8fkts2FVVARJKNXFRQ/WIlsthDzL2jY2KEJVN6BKE4A51X+8LMzAI+2z3vIgAQT3bRSfOwygpGBjdhhnXJwFlQ6Gf/+z0ffQfVx/DHw3+QWphcwGDBst+KIA6u6ayy+RDE+jEityyyWDiWqkR9J8=</Modulus><Exponent>AQAB</Exponent><P>8a8nuVhIANh7J2TLn4wWTXhZY1tvlyFKaslOeAOVr+wgEWLQpLZ0Jpjm8aUyyOYPXlk7xrA5BOebtz41diu4RQ==</P><Q>6SQ9y3sEMjrf/c4bHGVlhOj4LUVykradWWUNC0ya7llnR8y1djJ1uUut+EoAa1JQCGukuv4K8NvN1Ieo72Fhkw==</Q><DP>cg0VMusNN5DxNRrk2IrUL4TesfuBQpGMO6554DrY1acZTvsRuNj9IQXA3kH2IEYo9H4prk6U6dKeci/iLLze/Q==</DP><DQ>m/pZNXeZ+RkWnrFzxe24m9FZqMAbxThT0Wkf7v1Tcj9yL8EvbmKYDF4riD/KRAMP9HJABbLNExObg6M3TOAz7Q==</DQ><InverseQ>w8PvW8srrPCuOcphBKXSyoZxCZn81+rovBxuE8AB95m5X+URE8SunK7f+g7hBBin6nUOaVGohBP8jzkQEsdx1Q==</InverseQ>  <D>AsVPDypxOJHkLJQLffeFv8JVqt1WNG72j/nj90JC7KEVpBhRU3inw+ZpO4Y1odtB0vQ7pAaFVJKhOlEH2Va48hNUEQujML8rE+LZXgI3lu0TlqOCIqTHIljeJry0ca30XFtFDp9kh0Kr/0CgGMqgIed+hDUjAad8ke9D2YicDok=</D></RSAKeyValue>",2);//2 for Pivate Key XML
$signature = $rsa->sign($plaintext); 
echo base64_encode($signature);

C# Output

aCqhRe/lj99Yv0cLVxZD9v0M29qiEhlNOTIGuVuUbw58sp/9lLQEoMqKQrIfyTA7O2OIw5QWV9eZXlAlOlvvBPR1IOahk3mr8N8xaT5+T2fG5cEldeOWwKKxSNHqEBzIVT/4FQqlpvrmtoHJIL6n6KjDb/HQD2kgmMLmQffVYGo=

C# Code

string private_xml = @"<RSAKeyValue><Modulus>3BqiIB3ouyXHDMpW43TlZrx8fkts2FVVARJKNXFRQ/WIlsthDzL2jY2KEJVN6BKE4A51X+8LMzAI+2z3vIgAQT3bRSfOwygpGBjdhhnXJwFlQ6Gf/+z0ffQfVx/DHw3+QWphcwGDBst+KIA6u6ayy+RDE+jEityyyWDiWqkR9J8=</Modulus><Exponent>AQAB</Exponent><P>8a8nuVhIANh7J2TLn4wWTXhZY1tvlyFKaslOeAOVr+wgEWLQpLZ0Jpjm8aUyyOYPXlk7xrA5BOebtz41diu4RQ==</P><Q>6SQ9y3sEMjrf/c4bHGVlhOj4LUVykradWWUNC0ya7llnR8y1djJ1uUut+EoAa1JQCGukuv4K8NvN1Ieo72Fhkw==</Q><DP>cg0VMusNN5DxNRrk2IrUL4TesfuBQpGMO6554DrY1acZTvsRuNj9IQXA3kH2IEYo9H4prk6U6dKeci/iLLze/Q==</DP><DQ>m/pZNXeZ+RkWnrFzxe24m9FZqMAbxThT0Wkf7v1Tcj9yL8EvbmKYDF4riD/KRAMP9HJABbLNExObg6M3TOAz7Q==</DQ><InverseQ>w8PvW8srrPCuOcphBKXSyoZxCZn81+rovBxuE8AB95m5X+URE8SunK7f+g7hBBin6nUOaVGohBP8jzkQEsdx1Q==</InverseQ>  <D>AsVPDypxOJHkLJQLffeFv8JVqt1WNG72j/nj90JC7KEVpBhRU3inw+ZpO4Y1odtB0vQ7pAaFVJKhOlEH2Va48hNUEQujML8rE+LZXgI3lu0TlqOCIqTHIljeJry0ca30XFtFDp9kh0Kr/0CgGMqgIed+hDUjAad8ke9D2YicDok=</D></RSAKeyValue>";


            RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
            rsa.FromXmlString(private_xml);
            string Text = "O";
            byte[] Data = Encoding.ASCII.GetBytes(Text);

            byte[] signature = rsa.SignData(Data, new SHA1CryptoServiceProvider());
            string o = Convert.ToBase64String(signature);

PHP does not have the rsa.FromXMLString interface I assume. Try the values normalized. — hakre, Mar 09 '12 at 11:27
Right, just seeing, you're using `CRYPT_RSA_PRIVATE_FORMAT_XML`. — hakre, Mar 09 '12 at 11:55

score 0 · Answer 1 · answered Mar 09 '12 at 11:28

Perhaps this extension method will be of help:

    /// <summary>
    /// Generates a (SHA1) hashed string, by using the passphrase as a poor man's salt.
    /// </summary>
    public static string RenderHash(this string value, string passPhrase)
    {
        // Append the passphrase to the value
        value += passPhrase;

        // Convert the string value to a byte array 
        // Note: I've used the UTF8 encoding here
        byte[] buffer = Encoding.UTF8.GetBytes(value);

        // And automagically convert it to a hashed string
        SHA1CryptoServiceProvider cryptoTransformSHA1 = new SHA1CryptoServiceProvider();
        string hash = BitConverter.ToString(cryptoTransformSHA1.ComputeHash(buffer)).Replace("-", "");

        return hash;
    }

(Source: https://gist.github.com/1959763)

The passPharse parameter in this case is optional. This is if you want to append some kind of salt to it. Also, be sure to watch out for spaces and linebreaks (CRLF).

I want to verify on client using public key. – user437298 Mar 09 '12 at 11:48 — user437298, Mar 09 '12 at 11:48

score 0 · Accepted Answer · answered Mar 13 '12 at 07:02

It seems there is something wrong with SignData Compatablity of PhpSecLib & C# RSA Please do visit http://www.dustinhorne.com/post/Asymmetric-Encryption-and-Signing-with-RSA-in-Silverlight.aspx

I used this to decypt at client i.e. Public Decrypt and PHPSecLib for private Encyption.

score 0 · Answer 3 · answered Mar 15 '12 at 19:11

0

They'll never match. Run the C# code and it won't match even with itself. Same with the PHP code. The "problem" is that OAEP and PKCS#1 padding methods have a random component to them so two ciphertext's will never be the same.

answered Mar 15 '12 at 19:11

neubert

15,947
24
120
212

RSA Signing with PHP and verifying with C#

3 Answers3