I've not found an answer with Google, unfortunately, so I figured I may as well ask.

A service I'm trying to write a library for sends clients messages, a timestamp, and a signature, where the signature is supposed to be sign(privkey, timestamp + message) and the message is the raw JSON. My attempt at validation looks like:

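```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.Security;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import org.apache.commons.codec.binary.Hex; // assumed: Apache Commons Codec, the post does not show its imports
import org.bouncycastle.asn1.edec.EdECObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public boolean validate(String pubkey, String signature, String timestamp, String message) throws Exception {
    final var provider = new BouncyCastleProvider();
    Security.addProvider(provider);
    final var byteKey = Hex.decodeHex(pubkey);
    // Wrap the raw key bytes in an X.509 SubjectPublicKeyInfo so the KeyFactory can parse them
    final var pki = new SubjectPublicKeyInfo(new AlgorithmIdentifier(EdECObjectIdentifiers.id_Ed25519), byteKey);
    final var pkSpec = new X509EncodedKeySpec(pki.getEncoded());
    final var kf = KeyFactory.getInstance("ed25519", provider);
    final var publicKey = kf.generatePublic(pkSpec);
    final var signedData = Signature.getInstance("ed25519", provider);
    signedData.initVerify(publicKey);
    // Signed data is timestamp + message; use an explicit charset instead of the platform default
    signedData.update(timestamp.getBytes(StandardCharsets.UTF_8));
    signedData.update(message.getBytes(StandardCharsets.UTF_8));
    return signedData.verify(Hex.decodeHex(signature));
}
```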

I've tried my validation method with, e.g., the sample code from this issue, and it works fine; it's specifically only with the "real" data that it fails. I'm bamboozled as to why this happens and would appreciate any advice.

user7876637
  • If the code works in principle, then signing may work differently than you suspect. Can you post the code used for signing, and sample data: private key, public key, timestamp, message and signature? – Topaco Dec 12 '20 at 13:25

1 Answer

It turned out that the service I was using was just sending me malformed data; my code was actually correct but the service was just sending me invalid data most of the time.

user7876637
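An added example, not code from the question or the answer: a verifier for the `timestamp + message` scheme described in the question that reports malformed input separately from a signature mismatch, and that shows the signature only holds for the exact bytes of the raw JSON as received. It assumes JDK 17+ and uses the JDK's built-in Ed25519 provider in place of BouncyCastle; the class name `SignedMessageCheck`, the `Result` enum, and the key pair, timestamp and JSON body in `main` are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.HexFormat;

public class SignedMessageCheck {
    // Fixed DER header of an X.509 SubjectPublicKeyInfo wrapping a raw 32-byte Ed25519 key.
    private static final byte[] SPKI_PREFIX = HexFormat.of().parseHex("302a300506032b6570032100");
    enum Result { VALID, BAD_SIGNATURE, MALFORMED_INPUT }

    static Result check(String pubkeyHex, String signatureHex, String timestamp, String rawBody) throws GeneralSecurityException {
        byte[] key, sig;
        try {
            key = HexFormat.of().parseHex(pubkeyHex);
            sig = HexFormat.of().parseHex(signatureHex);
        } catch (IllegalArgumentException e) {
            return Result.MALFORMED_INPUT; // not valid hex
        }
        if (key.length != 32 || sig.length != 64) return Result.MALFORMED_INPUT; // wrong Ed25519 sizes
        byte[] spki = new byte[SPKI_PREFIX.length + key.length];
        System.arraycopy(SPKI_PREFIX, 0, spki, 0, SPKI_PREFIX.length);
        System.arraycopy(key, 0, spki, SPKI_PREFIX.length, key.length);
        PublicKey publicKey = KeyFactory.getInstance("Ed25519").generatePublic(new X509EncodedKeySpec(spki));
        Signature verifier = Signature.getInstance("Ed25519");
        verifier.initVerify(publicKey);
        // Verify over the body exactly as received; never parse and re-serialize the JSON first.
        verifier.update((timestamp + rawBody).getBytes(StandardCharsets.UTF_8));
        return verifier.verify(sig) ? Result.VALID : Result.BAD_SIGNATURE;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key pair stands in for the service's signing key.
        KeyPair kp = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        byte[] enc = kp.getPublic().getEncoded(); // X.509 encoding: 12-byte prefix + 32-byte key
        String pubHex = HexFormat.of().formatHex(enc, SPKI_PREFIX.length, enc.length);
        String ts = "1607779500";
        String body = "{\"id\": 7, \"event\": \"ping\"}";
        Signature signer = Signature.getInstance("Ed25519");
        signer.initSign(kp.getPrivate());
        signer.update((ts + body).getBytes(StandardCharsets.UTF_8));
        String sigHex = HexFormat.of().formatHex(signer.sign());
        // Case 1: body exactly as it was signed.
        System.out.println(check(pubHex, sigHex, ts, body));
        // Case 2: the same JSON re-serialized without spaces, so the signed bytes differ.
        System.out.println(check(pubHex, sigHex, ts, body.replace(": ", ":")));
        // Case 3: signature with one byte cut off, i.e. structurally malformed input.
        System.out.println(check(pubHex, sigHex.substring(2), ts, body));
    }
}
```

Logging the `MALFORMED_INPUT` case separately from `BAD_SIGNATURE` makes it easier to tell a sender that emits broken data apart from a verification bug or a tampered message.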