
I have an Android program that writes data to an NFC tag and signs it with ECDSA, and another program that reads that data from the NFC tag and verifies the signature.
I managed to write and sign the data to the NFC tag, but whenever I try to verify the signature, the program always returns true, even though I deliberately changed the signature.
Can someone tell me what's wrong?

Here is the code I used to sign:

import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

public static String Generate(String x) throws Exception{
    // Generate a fresh EC key pair on curve prime192v1 using the BouncyCastle provider
    KeyPairGenerator kpg;
    kpg = KeyPairGenerator.getInstance("EC","BC");
    ECGenParameterSpec ecsp;
    ecsp = new ECGenParameterSpec("prime192v1");
    kpg.initialize(ecsp);

    KeyPair kp = kpg.genKeyPair();
    PrivateKey privKey = kp.getPrivate();

    // Sign the UTF-8 bytes of the input with SHA256withECDSA
    Signature ecdsaSign;
    ecdsaSign = Signature.getInstance("SHA256withECDSA");
    ecdsaSign.initSign(privKey);
    byte[] baText = x.getBytes("UTF-8");

    ecdsaSign.update(baText);
    byte[] baSignature = ecdsaSign.sign();
    // Encode the DER signature bytes as an upper-case hex string for the tag
    String signature = (new BigInteger(1,baSignature).toString(16)).toUpperCase();
    return signature;
}

And here is the code I used to verify:

public static boolean Verify(String x) throws Exception{
    // Generates a new key pair (unrelated to the one used in Generate)
    KeyPairGenerator kpg;
    kpg = KeyPairGenerator.getInstance("EC","BC");
    ECGenParameterSpec ecsp;
    ecsp = new ECGenParameterSpec("prime192v1");
    kpg.initialize(ecsp);

    KeyPair kp = kpg.genKeyPair();
    PrivateKey privKey = kp.getPrivate();
    PublicKey pubKey = kp.getPublic();

    // Signs the input with the private key generated just above
    Signature ecdsaSign;
    ecdsaSign = Signature.getInstance("SHA256withECDSA");
    ecdsaSign.initSign(privKey);

    byte[] baText = x.getBytes("UTF-8");
    ecdsaSign.update(baText);
    byte[] baSignature = ecdsaSign.sign();

    // Verifies that freshly made signature with the matching public key;
    // the signature read from the tag is never used here
    Signature ecdsaVerify;
    ecdsaVerify = Signature.getInstance("SHA256withECDSA");
    ecdsaVerify.initVerify(pubKey);
    ecdsaVerify.update(baText);
    boolean result = ecdsaVerify.verify(baSignature);
    return result;
}
RedCrimson
  • Your verify method doesn't really make any sense. It generates its own keypair, then creates its own signature, and then immediately verifies it. It just looks like you copied an example out there without trying to understand it. – President James K. Polk May 11 '14 at 14:53
  • @GregS yes, I noticed that my code is really flawed and I'm trying to figure out what I have to do to make it work normally. I understand that to verify the signature, you need the public key, but how do I use the public key from the signing Android activity in the verifying Android activity? – RedCrimson May 11 '14 at 19:37
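The pattern the comments point at, written out as an added example (this is not the asker's code, and nothing on the page supplies it): the key pair is generated once on the writing side, the writer signs the payload and puts the payload plus the DER signature on the tag, and the reader app holds only the exported public key (`X509EncodedKeySpec` bytes, delivered out of band) and verifies the tag contents against it. Assumptions: the curve is switched from the page's prime192v1 to secp256r1 with the default JCA provider, because 192-bit curves are no longer available in several current Java runtimes; `NfcSignatureDemo`, `toHex`/`fromHex` and the sample payload string are made up for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;

public class NfcSignatureDemo {

    // Generated ONCE, on the writing side. The private key never leaves it;
    // only the encoded public key is handed to the verifying app.
    static KeyPair generateKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1")); // assumption: replaces prime192v1
        return kpg.generateKeyPair();
    }

    // Writer side: sign the UTF-8 payload, return the DER-encoded signature.
    static byte[] sign(PrivateKey privKey, String payload) throws Exception {
        Signature ecdsa = Signature.getInstance("SHA256withECDSA");
        ecdsa.initSign(privKey);
        ecdsa.update(payload.getBytes(StandardCharsets.UTF_8));
        return ecdsa.sign();
    }

    // Reader side: rebuild the public key from its X.509 encoding and verify
    // the signature that came off the tag. No key generation, no signing here.
    static boolean verify(byte[] encodedPubKey, String payload, byte[] signature) {
        try {
            PublicKey pubKey = KeyFactory.getInstance("EC")
                    .generatePublic(new X509EncodedKeySpec(encodedPubKey));
            Signature ecdsa = Signature.getInstance("SHA256withECDSA");
            ecdsa.initVerify(pubKey);
            ecdsa.update(payload.getBytes(StandardCharsets.UTF_8));
            return ecdsa.verify(signature);
        } catch (Exception e) {
            // A malformed key or signature (e.g. garbage DER) must fail closed.
            return false;
        }
    }

    // Fixed-width hex for the tag. BigInteger(1, b).toString(16) drops leading
    // zero bytes and is only safe because DER always starts with 0x30.
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // --- writer app ---
        KeyPair kp = generateKeyPair();
        byte[] pubEncoded = kp.getPublic().getEncoded(); // ship this to the reader app
        String payload = "tag-id:1234;issued:2014-05-11";  // constructed sample tag data
        String sigHex = toHex(sign(kp.getPrivate(), payload));

        // --- reader app: has pubEncoded, reads payload + sigHex from the tag ---
        System.out.println("genuine:  " + verify(pubEncoded, payload, fromHex(sigHex)));

        // Flip the last nibble of the signature, as the question describes
        String tampered = sigHex.substring(0, sigHex.length() - 1)
                + (sigHex.endsWith("0") ? "1" : "0");
        System.out.println("tampered: " + verify(pubEncoded, payload, fromHex(tampered)));

        // Alter the data instead of the signature
        System.out.println("altered:  " + verify(pubEncoded, payload + "x", fromHex(sigHex)));
    }
}
```

Two points a practitioner would check before shipping this: the public key must be built into the reader app (or fetched from a source the reader already trusts), never read from the tag itself, since an attacker who can rewrite the tag could otherwise replace both the key and the signature; and the writer must persist its one private key (for example in the Android Keystore) instead of calling `generateKeyPair()` on every write, or every tag ends up signed by a key nobody can verify.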
