This repository has been archived by the owner on May 7, 2018. It is now read-only.

What does "verify-signature" mean? #23

Closed
Agile-Dev opened this issue Oct 10, 2013 · 9 comments

@Agile-Dev

I'm getting the following output from the validator:
```json
{
  "status": "invalid",
  "reason": "verify-signature",
  "error": {
    "message": "verify-signature",
    "code": "verify-signature"
  },
  "info": {
    "version": "1.0.0",
    "signature": "eyJhbGciOiJSUzI1NiJ9.ewoJInVpZCI6ImgyYTIwIiwKCSJyZWNpcGllbnQiOgoJewoJCSJ0eXBlIjoiZW1haWwiLAoJCSJoYXNoZWQiOnRydWUsCgkJInNhbHQiOiJkZWFkc2VhIiwKCQkiaWRlbnRpdHkiOiJzaGEyNTYkYzdjMjUzNjU0YTZhNzc4YWE2ZTUzOGU5NmMxNWM3NGJlNDgyMDg4MmRmNWNkODU1YzBmYWJjMzliNzUzNjNmMyIKCX0sCgkiaXNzdWVkT24iOjEzODA4MzM5NjcsCgkiYmFkZ2UiOiAiaHR0cDovL29wZW5iYWRnZXMtenpsLm9yZy9vcGVuYmFkZ2VzL2JhZGdlX3NpbXBsZS5qc29uIiwKCSJ2ZXJpZnkiOgoJewoJCSJ0eXBlIjoic2lnbmVkIiwKCQkidXJsIjoiaHR0cDovL29wZW5iYWRnZXMtenpsLm9yZy9vcGVuYmFkZ2VzL3B1YmtleS50eHQiCgl9Cn0.YK-QbFc7bkwYSmJlC32GSSooCRrT3HdU5-2d1u75-TRXohP3Zmzu0zrJd_AiLcKnQuVllzMLNeQvMe3rNij_gnBizr487_z_OZW6yvboyyexeCc-5vZFEyvR_d6PHKGviZgSYobUXKSMrGbuh8WPgrvGt1OLY_0TaX8QB9XLX3q3Rcc2GtwCKrqWtbG-xW73YPUeJq3pZCMvn_UdaZsQjnOy0wrrqKZ5wUTiWU6TIN9xXqk0c6wDj9YB3CJ2nx5vKtvohHBdOuGc2uAb8coRe0KVC5uK7djSLqrYZa9HsCYC0nwe0LrmjXs9jvp_oF4k6fMcc9tyR67D4Epkufc7dg",
    "structures": {
      "assertion": {
        "uid": "h2a20",
        "recipient": {
          "type": "email",
          "hashed": true,
          "salt": "deadsea",
          "identity": "sha256$c7c253654a6a778aa6e538e96c15c74be4820882df5cd855c0fabc39b75363f3"
        },
        "issuedOn": 1380833967,
        "badge": "http://openbadges-zzl.org/openbadges/badge_simple.json",
        "verify": {
          "type": "signed",
          "url": "http://openbadges-zzl.org/openbadges/pubkey.txt"
        }
      },
      "badge": {
        "name": "Lightning caricaturist",
        "description": "Has attained rank of Thor",
        "image": "http://openbadges-zzl.org/openbadges/badge.png",
        "criteria": "http://drawing.wonderhowto.com/how-to/draw-lightning-with-different-drawing-techniques-264782/",
        "issuer": "http://openbadges-zzl.org/openbadges/issuer_simple.json"
      },
      "issuer": {
        "name": "Zig Zag Lightning Openbadges Issuer",
        "url": "http://openbadges-zzl.org/"
      }
    }
  }
}
```

Any ideas?
Thank you,
Freddie

@Agile-Dev
Author

This was the payload I used:
```json
{
  "uid": "h2a20",
  "recipient": {
    "type": "email",
    "hashed": true,
    "salt": "deadsea",
    "identity": "$identity"
  },
  "issuedOn": 1380833967,
  "badge": "http://openbadges-zzl.org/openbadges/badge_simple.json",
  "verify": {
    "type": "signed",
    "url": "http://openbadges-zzl.org/openbadges/pubkey.txt"
  }
}
```

@Agile-Dev
Author

This is how I'm creating my signature in PHP (private key is abridged here, please see attached file):

```php
<?php
// phpseclib 1.x provides Crypt_RSA; the include path is an assumption.
require_once 'Crypt/RSA.php';

// makeHeader(), base64url_encode() and $identity are not shown in this excerpt.

function makeSignature($signingInput)
{
    $rsa = new Crypt_RSA();
    // RS256 is RSASSA-PKCS1-v1_5 with SHA-256.
    $rsa->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS1);
    $rsa->setHash('sha256');
    // The MGF hash only applies to PSS signatures; it has no effect in PKCS1 mode.
    $rsa->setMGFHash('sha256');
    // Abridged key. The heredoc body and closing marker stay at column 0.
    $privatekey =
<<<PRIVKEY
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsq0/EQlV55nZIMhdSZemq6IMThsQcktXbCWWOODymKL1g86n0pqxLzoIGviv81oqVj+mVRE
EGqIhU9LQ3Xt8itnu4UuQz/gTRfPotOVCsgk2ZJmM2jm5+1aM7M8RZWnoUUvZ4vbJup+4LhJGHiV0Zy3Wod3lViwId6VgwyZUM0G7IIMRNuGe+duQwRIwctq4eGsLFiaYW8oWnWIlXy9D4IXjutC0AlA==
-----END RSA PRIVATE KEY-----
PRIVKEY;
    $rsa->loadKey($privatekey, CRYPT_RSA_PRIVATE_FORMAT_PKCS1);
    $signature = $rsa->sign($signingInput);
    return base64url_encode($signature);
} // closing brace was missing in the posted code

$assertionPlaintext =
<<<JSON
{
"uid":"h2a20",
"recipient":
{
"type":"email",
"hashed":true,
"salt":"deadsea",
"identity":"$identity"
},
"issuedOn":1380833967,
"badge": "http://openbadges-zzl.org/openbadges/badge_simple.json",
"verify":
{
"type":"signed",
"url":"http://openbadges-zzl.org/openbadges/pubkey.txt"
}
}
JSON;
// JWS compact form: base64url(header) . base64url(payload) . base64url(signature)
$assertionPlaintext = base64url_encode(str_replace('$identity', $identity, $assertionPlaintext));
$signingInput = makeHeader().'.'.$assertionPlaintext;
$signature = makeSignature($signingInput);
$assertion = $signingInput.'.'.$signature;
echo $assertion;
?>
```

@stenington
Contributor

Hi @Agile-Dev, "verify-signature" means the attempt to verify that the signature matches your public key failed. This method is what's doing that computation under the hood. I haven't had a chance to dig any deeper yet into where exactly things are going wrong, but hopefully that helps.

@Agile-Dev
Author

Thank you very much. I'll be looking into it.

-- Agile-Dev

On Fri, Oct 18, 2013 at 10:33 AM, Mike Larsson notifications@github.com wrote:

> Hi @Agile-Dev, "verify-signature" means the attempt to verify that the signature matches your public key failed. This [method](https://github.com/brianloveswords/node-jws#jwsverifysignature-secretorkey) is what's doing that computation under the hood. I haven't had a chance to dig any deeper yet into where exactly things are going wrong, but hopefully that helps.

@LouisStAmour

Make sure you have structural validity as well as signature validity: https://github.com/mozilla/openbadges/wiki/Assertions

Haven't done this in PHP yet, so I can't comment on your code otherwise.

@Agile-Dev
Author

I've managed to fix it. What I did was change the public key link to be in ".pem" format instead of a php or text file (perhaps this requirement can be made more explicit?). Take note that the public key must contain exactly 65 characters per line (except the header, footer, and last line of the key) and that the private key must be exactly 64 characters per line (same exceptions). So using PHPSecLib turned out not to be the problem at all, as I had thought before.
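What the `verify-signature` check described earlier in the thread amounts to, and why the form of the published key matters to it, as an added example that is not part of the thread and is not the validator's or node-jws's code. It does RS256 verification with Node's built-in `crypto`; the key pair, the sample assertion, the `issuer.example` URL, the function names and the reason strings are all constructed here.

```javascript
// Added example, not openbadges-validator or node-jws code.
const crypto = require('node:crypto');
const b64url = (data) => Buffer.from(data).toString('base64url');

// Constructed throwaway key pair; the public PEM stands in for the file at verify.url.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});

// Constructed assertion, shaped like the payload in this thread.
const sampleAssertion = {
  uid: 'h2a20',
  issuedOn: 1380833967,
  verify: { type: 'signed', url: 'https://issuer.example/pubkey.pem' },
};

// Issuer side: base64url(header) . base64url(payload) . base64url(signature)
function signJws(payload, privatePem) {
  const signingInput = `${b64url('{"alg":"RS256"}')}.${b64url(JSON.stringify(payload))}`;
  // RSA keys default to PKCS#1 v1.5 padding here, which is what RS256 requires.
  const signature = crypto.sign('sha256', Buffer.from(signingInput), privatePem);
  return `${signingInput}.${b64url(signature)}`;
}

// Verifier side: returns a distinct reason for each way the check can fail.
function verifyJws(token, publicKeyText) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed-jws';
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch {
    return 'malformed-jws';
  }
  // Pin the algorithm instead of letting the token choose it.
  if (header?.alg !== 'RS256') return 'unsupported-alg';
  let key; // createPublicKey throws when the text is not a parseable key
  try { key = crypto.createPublicKey(publicKeyText); } catch { return 'unparseable-key'; }
  // The signature covers the first two segments exactly as transmitted.
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const ok = crypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'));
  return ok ? 'valid' : 'signature-mismatch';
}

const token = signJws(sampleAssertion, privateKey);
console.log(verifyJws(token, publicKey));
```

Separating `unparseable-key` from `signature-mismatch` tells an issuer whether to look at the file behind `verify.url` or at the signing code.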

@eGavr

eGavr commented Sep 16, 2014

I have a problem with the private key!
Can you give an example of a valid key, please?

A real example which I could paste and which would pass.

@SueSmith

@eGavr this page includes a short guide to creating keys https://github.com/mozilla/openbadges/wiki/Creating-Signed-Assertions#prepare-your-keys

@eGavr

eGavr commented Sep 16, 2014

Thank you!
