I'd like to generate RSA-SHA1 signatures with the RSA-Sign JavaScript Library. Specifically, I'd like to use this for signing OAuth requests.
However, the signature generated by the JavaScript library looks different to the one I can generate e.g. with
    $ echo -n "x" | openssl dgst -sha1 -sign priv.key -binary | openssl base64 | xargs echo -n
    eV0ZrD7ZrTsuzHHYSwLfUJhXuM96D6ZyIzD5FFphzHbKRaO4TMeTR7bJjkuPib+l
    EccM7t6YNDvRgOHyXJDVZZQTg5G4D4jnGVmOgeuti1etCCpLsb1Rl3sfJF/rIlgA
    AmejvBbrEG+n8L+GeD6Vd3cneW7k2Rksnh+/BWnnR3c=
In contrast: This is what the library generates (base64 encoded):
    Nzk1ZDE5YWMzZWQ5YWQzYjJlY2M3MWQ4NGIwMmRmNTA5ODU3YjhjZjdhMGZhNjcy
    MjMzMGY5MTQ1YTYxY2M3Ng0KY2E0NWEzYjg0Y2M3OTM0N2I2Yzk4ZTRiOGY4OWJm
    YTUxMWM3MGNlZWRlOTgzNDNiZDE4MGUxZjI1YzkwZDU2NQ0KOTQxMzgzOTFiODBm
    ODhlNzE5NTk4ZTgxZWJhZDhiNTdhZDA4MmE0YmIxYmQ1MTk3N2IxZjI0NWZlYjIy
    NTgwMA0KMDI2N2EzYmMxNmViMTA2ZmE3ZjBiZjg2NzgzZTk1Nzc3NzI3Nzk2ZWU0
    ZDkxOTJjOWUxZmJmMDU2OWU3NDc3Nw==
(assuming the same input & key, of course)
Is it possible that this is because of the SHA1 implementation being used? In that case, I could try to use another one.
I'm no expert in cryptography, but the OAuth RFC 5849 is saying that RSASSA-PKCS1-V1_5-SIGN needs to be used, which seems to be the case for the library.
Thank you very much.
Asked Jan 25, 2012 at 8:54 by Simon; edited Oct 7, 2021 at 5:54 by Community Bot.
1 Answer
I tried both the openssl command and the JS library you mentioned above, and the results are consistent. The signatures that I get from both ways are the same.
One thing I noticed from your post is that the base64 encoded result generated from the library is way too long and looks wrong. Is it possible that you are not base64-encoding the binary signature?
Could you try this code for getting the base64 encoded string of the signature?
    function doSign() {
        var rsa = new RSAKey();
        rsa.readPrivateKeyFromPEMString(document.form1.prvkey1.value); // replace with your private key
        var hSig = rsa.signString("x", "sha1"); // signature as a hex string
        var base64_encoded_signature = hex2b64(hSig); // hex -> raw bytes -> base64
        return base64_encoded_signature;
    }
If you compare the value of "base64_encoded_signature" with what you get from the openssl command, they should be the same.
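Decoding the two values posted in the question bears out the answer's suspicion: the library output is the base64 of the signature's hex text (line-wrapped with CRLF), not of the 128 raw signature bytes, and the underlying signature is identical to the openssl one. The following is an added example, not part of the original posts; `diagnoseSignature` and `hexToBase64` are hypothetical helper names, and Node.js is assumed for `Buffer`.

```javascript
// Added example. The two base64 values are copied from the question above.
const OPENSSL_B64 =
  "eV0ZrD7ZrTsuzHHYSwLfUJhXuM96D6ZyIzD5FFphzHbKRaO4TMeTR7bJjkuPib+l" +
  "EccM7t6YNDvRgOHyXJDVZZQTg5G4D4jnGVmOgeuti1etCCpLsb1Rl3sfJF/rIlgA" +
  "AmejvBbrEG+n8L+GeD6Vd3cneW7k2Rksnh+/BWnnR3c=";
const LIBRARY_B64 =
  "Nzk1ZDE5YWMzZWQ5YWQzYjJlY2M3MWQ4NGIwMmRmNTA5ODU3YjhjZjdhMGZhNjcy" +
  "MjMzMGY5MTQ1YTYxY2M3Ng0KY2E0NWEzYjg0Y2M3OTM0N2I2Yzk4ZTRiOGY4OWJm" +
  "YTUxMWM3MGNlZWRlOTgzNDNiZDE4MGUxZjI1YzkwZDU2NQ0KOTQxMzgzOTFiODBm" +
  "ODhlNzE5NTk4ZTgxZWJhZDhiNTdhZDA4MmE0YmIxYmQ1MTk3N2IxZjI0NWZlYjIy" +
  "NTgwMA0KMDI2N2EzYmMxNmViMTA2ZmE3ZjBiZjg2NzgzZTk1Nzc3NzI3Nzk2ZWU0" +
  "ZDkxOTJjOWUxZmJmMDU2OWU3NDc3Nw==";

// Hypothetical helper: classify how a candidate relates to a reference signature.
function diagnoseSignature(referenceB64, candidateB64) {
  const ref = Buffer.from(referenceB64, "base64");
  const cand = Buffer.from(candidateB64, "base64");
  if (cand.equals(ref)) return { verdict: "match", bytes: cand.length };
  // A hex string that was base64-encoded as text decodes to ASCII hex digits
  // (possibly line-wrapped) instead of raw signature bytes.
  const text = cand.toString("latin1").replace(/\s+/g, "");
  if (text.length > 0 && text.length % 2 === 0 && /^[0-9a-fA-F]+$/.test(text)) {
    const inner = Buffer.from(text, "hex");
    return {
      verdict: inner.equals(ref) ? "hex-text-of-same-signature" : "hex-text-of-other-value",
      bytes: inner.length,
      fixedB64: inner.toString("base64"), // what should have been sent
    };
  }
  return { verdict: "different", bytes: cand.length };
}

// Hex string -> raw bytes -> base64: the conversion the answer's hex2b64() call performs.
function hexToBase64(hex) {
  return Buffer.from(hex.replace(/\s+/g, ""), "hex").toString("base64");
}

const result = diagnoseSignature(OPENSSL_B64, LIBRARY_B64);
console.log(result.verdict, result.bytes);
```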