Digital Signature created in C# doesn't match in Java verification

Question

I need to verify the signature created from C# using "SHA1" algorithm in my JAVA program which uses "SHA1withRSA".Signature bytes are not matching. I am using Public key generated by C# program to verify signature which is stored in a file. I am new to cryptography. Below is C# code to create signature :

        RSACryptoServiceProvider RSA = new RSACryptoServiceProvider();

        RSA.FromXmlString(privateKey);

        var encoder = new UTF8Encoding();
        byte[] originalData = encoder.GetBytes(message);
        SHA1 sha1 = SHA1.Create();

        byte[] signedBytes = RSA.SignData(originalData, sha1);

        return signedBytes;

I am trying to verify signature in Java program as below :

   //read xml file to get modulus and exponent bytes
            File publicKeyFileQA = new File(PUBLIC_KEY_FILE_QA);

            Map<String, BigInteger> publicKeyModulusExponentValues = DSXCRM_3YBP_Global_WebServicesUtil.readXMLFile(publicKeyFileQA);

            BigInteger publicKeyModulus = publicKeyModulusExponentValues.get("modulus");
            BigInteger publicKeyExponent = publicKeyModulusExponentValues.get("exponent");

            System.out.println("BigInteger Modulus : "+ publicKeyModulus + "BigInteger Exponent : " + publicKeyExponent);

            String messageWithSignature = (String) mapDataToPost.get("SignedMessage");
            String encryptedMessage = (String) mapDataToPost.get("EncryptedMessage");

            byte[] signatureBytes = DatatypeConverter.parseBase64Binary(messageWithSignature);

            System.out.println("Signature bytes : "+ new String(signatureBytes));


            byte[] cipherMessage = DatatypeConverter.parseBase64Binary(encryptedMessage);

            System.out.println("Cipher Message : "+ new String(cipherMessage));

            KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
            RSAPublicKeySpec publicKeySpec = new RSAPublicKeySpec(publicKeyModulus, publicKeyExponent);
            PublicKey publicKey = keyFactory.generatePublic(publicKeySpec);
            Signature sig = Signature.getInstance("SHA1withRSA");
            sig.initVerify(publicKey); //public key of sender
            sig.update(cipherMessage);

            boolean isRightSender = sig.verify(signatureBytes);
            System.out.println("isRightSender : "+isRightSender);

but result to match signature is false. I am not getting what is wrong. Can you please provide any suggestions. Is there any other algorithm which is compatible to both C# and JAVA to have same Signatures? Thanks!

Answer 1

You are reading a field called "SignedMessage", storing that in a variable called "messageWithSignature" and then treating it as if it were just the signature. What data is actually present in that blob?

You're further printing binary data as if it were text (via new String(byte[]) ). You should print Base64 or hex on both sides to see if they match, for both the message bytes (which appear to be called cipherMessage in your verifier) and the signature.

If you switch to static data (to avoid things like counting newlines on read) then it should be valid to do

byte[] originalData = Encoding.UTF8.GetBytes("This is a static message test.");
Console.WriteLine(Convert.ToBase64String(rsa.SignData(originalData), "SHA1"));

then take that output, put it into your Java program and verify

byte[] originalData = "This is a static message test.".getBytes("UTF-8");
byte[] signature = Base64.getDecoder().decode(theOutputFromTheCSharpProgram);
Signature verifier = new Signature("SHA1withRSA");
verifier.initVerify(publicKey);
verifier.update(originalData);
System.out.println(verifier.verify(signature));

If that part doesn't work, then you must not be faithfully representing the same key on both sides.

The binary format of the signatures for RSA are the same in C# and Java; so once you get data transport lined up well everything should work.