Question

I need to be able to issue Mozilla OpenBadges. However, the Validator at http://validator.openbadges.org says that my assertion is invalid and to verify the signature, even though I followed the documentation to the letter. The Mozilla OpenBadges method that performs the signature verification check is at http://github.com/brianloveswords/node-jws#jwsverifysignature-secretorkey

I've posted this question here and here with my code and resulting assertion.

While there is some documentation, a full-fledged example of a signed assertion seems to be lacking. For some documentation that they provide, please see the following two links: (1) http://github.com/mozilla/openbadges/wiki/Assertions#signed-badges and (2) http://self-issued.info/docs/draft-ietf-jose-json-web-signature.html#RS256Example

If you need anything more from me, please let me know. I've tried to be as detailed yet concise as possible here.

Thank you in advance! -- Freddie

Solution 2

The problem turned out to be that I didn't have my public key file in the .pem format. The public key must be 65 characters per line and the private key must be 64 characters per line with -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- for both keys as the headers and footers, respectively. With the payload correctly formatted, I was able to have it validate at the OpenBadges Validator so signing it with PHPSecLib was completely fine! Anyway, thank you neubert for your input.

OTHER TIPS

The RS256Example link says this at the top: RSASSA-PKCS-v1_5 SHA-256

So do this with phpseclib:

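include('Crypt/RSA.php');
$rsa = new Crypt_RSA();
$rsa->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS1); // RSASSA-PKCS1-v1_5 padding
$rsa->setHash('sha256'); // SHA-256 digest, i.e. JWS "RS256"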
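
The two answers above, shown as an added example that is not part of the original posts: an RS256 JWS signed and verified with Node's built-in crypto module (used here in place of node-jws and phpseclib), including the case where the public key is not valid PEM. The key pair, the sample assertion and the helper names (signJws, verifyJws, stripArmor) are constructed for illustration.

```javascript
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Constructed key pair and payload; a real issuer loads its own PEM key files.
const { publicKey: PUBLIC_PEM, privateKey: PRIVATE_PEM } = crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
  publicKeyEncoding: { type: "spki", format: "pem" },
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
});
const SAMPLE_ASSERTION = { uid: "constructed-123", badge: "https://issuer.example/badge.json" };

// Compact JWS: base64url(header) "." base64url(payload) "." base64url(signature)
function signJws(payload, privatePem) {
  const header = b64url(JSON.stringify({ alg: "RS256" }));
  const body = b64url(JSON.stringify(payload));
  const signingInput = `${header}.${body}`;
  // "RSA-SHA256" with an RSA key uses PKCS#1 v1.5 padding by default (RSASSA-PKCS1-v1_5).
  const sig = crypto.sign("RSA-SHA256", Buffer.from(signingInput), privatePem);
  return `${signingInput}.${b64url(sig)}`;
}

function verifyJws(token, publicPem) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "not a compact JWS" };
  const [header, body, sig] = parts;
  let alg;
  try { alg = JSON.parse(Buffer.from(header, "base64url").toString("utf8")).alg; }
  catch { return { ok: false, reason: "bad header" }; }
  // Pin the algorithm instead of trusting whatever the token claims.
  if (alg !== "RS256") return { ok: false, reason: "unexpected alg" };
  let key;
  try { key = crypto.createPublicKey(publicPem); }
  catch { return { ok: false, reason: "public key is not valid PEM" }; }
  const ok = crypto.verify("RSA-SHA256", Buffer.from(`${header}.${body}`), key,
    Buffer.from(sig, "base64url"));
  if (!ok) return { ok: false, reason: "signature mismatch" };
  return { ok: true, payload: JSON.parse(Buffer.from(body, "base64url").toString("utf8")) };
}

// Same key material with the -----BEGIN/END----- lines removed, to show the failure mode.
function stripArmor(pem) {
  return pem.split("\n").filter((l) => l && !l.startsWith("-----")).join("\n");
}
```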
Licensed under: CC-BY-SA with attribution