Question

I don't know what I am doing wrong or maybe I just haven't thought it through. I want to sign some text and verify it immediately after that. I am using the RSA signature algorithm from phpseclib. It works but now I want to test if the verification fails if I change the text I signed before. It shouldn't verify the text because it differs from the original one. So I wrote some code and tested it 10 times. 4 times the algorithm verifies the signature and 6 times it fails. Isn't that weird? Here is my code. Basically I created a public/private key pair and just used the functions from phpseclib.

<?php
include('Crypt/RSA.php');

$private_key = <<<EOD
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
EOD;
$public_key = <<<EOD
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmGJj20JA2taFPLjnxSuD8sUFw
WnVQU7iECgdmmmKy5IDGx4HvP4ZxHOVVlqxVnz7lbvxhJahWVmBrHV9vj6w+9kha
xo6j4Q7dZvDHt9VhgFyODy8MV97X8Le2WZuRzINhNziYptGIX9hPbSxl5IEFY7Mc
ev3NF0IswVtn8+Oy+QIDAQAB
-----END PUBLIC KEY-----
EOD;

$rsa = new Crypt_RSA();
$rsa->loadKey($private_key);
$plaintext = 'Beer';
$signature = $rsa->sign($plaintext);
$rsa->loadKey($public_key);
$plaintext = '';
var_dump($rsa->verify($plaintext, $signature)); //should always fail but doesn't
?>

Solution

Try the latest Git version. It's probably this bug:

https://github.com/phpseclib/phpseclib/commit/ee25c73a448d24f8658e074e90d8811774678d93

Quoting the log,

"- Fix signature verification (thanks Richard Odekerken!)".
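
A way to confirm that an installed phpseclib rejects tampered input after updating, written as a repeatable negative test instead of ten manual runs. This is an added example, not part of the original answer or of phpseclib; it assumes the phpseclib 1.0 layout from the question (`Crypt/RSA.php` on the include path), generates its own throwaway key, and `count_false_accepts` is a hypothetical helper name.

```php
<?php
// Added example: negative-path regression check for Crypt_RSA::verify().
// Assumes the phpseclib 1.0 layout used in the question is on the include path.
include('Crypt/RSA.php');

// Hypothetical helper: returns how many tampered inputs verify() wrongly accepted.
function count_false_accepts($rounds = 200)
{
    // Throwaway 1024-bit key pair (constructed for the test, not the key from the question).
    $gen = new Crypt_RSA();
    $keys = $gen->createKey(1024);
    $signer = new Crypt_RSA();
    $signer->loadKey($keys['privatekey']);
    $verifier = new Crypt_RSA();
    $verifier->loadKey($keys['publickey']);

    $message = 'Beer';
    $failures = 0;
    for ($i = 0; $i < $rounds; $i++) {
        // Sign again each round: with a randomized scheme such as PSS every signature
        // differs, so a bug that only shows for some signatures gets exercised.
        $signature = $signer->sign($message);
        if (!$verifier->verify($message, $signature)) {
            throw new Exception("round $i: valid signature rejected");
        }
        // Flip one bit in the middle of the signature.
        $badSig = $signature;
        $mid = (int) (strlen($badSig) / 2);
        $badSig[$mid] = chr(ord($badSig[$mid]) ^ 0x01);
        $tampered = array(
            'empty message'     => array('', $signature),
            'altered message'   => array('Beef', $signature),
            'appended byte'     => array($message . "\0", $signature),
            'altered signature' => array($message, $badSig),
        );
        foreach ($tampered as $label => $case) {
            // Only the return value matters; notices raised while rejecting are suppressed.
            if (@$verifier->verify($case[0], $case[1]) === true) {
                echo "round $i: accepted $label\n";
                $failures++;
            }
        }
    }
    return $failures;
}

$failures = count_false_accepts();
echo $failures === 0 ? "OK: no tampered input verified\n" : "FAIL: $failures false accepts\n";
exit($failures === 0 ? 0 : 1);
```

The non-zero exit status on any false accept lets the script gate a dependency update in CI.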

Licensed under: CC-BY-SA with attribution