I have written a class that is meant to sign and base64 a string of text using a private key on the server and then return the signature. It is generating a different signature every time it is run for the same text. Why would it do that? I have checked that it is the signature that is changing and not an issue with the base64 conversion by disabling the conversion temporarily on my test machine.
My code:
public class SigningPIP implements SigningPIPInterface {
private static final String SIGNING_ALGORITHM = "SHA1withDSA";
/**
* Provides a signature for a stringified JSON license
* @param license stringified JSON license to be used for signature generation
* @param keystoreFilePath The file path where the keystore can be found
* @param keystorePassword The password to the keystore
* @param privateKeyAlias The alias of the private key in the keystore to be used for signing
* @param privateKeyPassword The password for the private key to be used for signing
* @return Properties object containing the base64 encoded signature, algorithm used and certificate DN
*/
@Override
public Properties getLicenseSignature(String license, String keystoreFilePath, String keystorePassword, String privateKeyAlias, String privateKeyPassword) {
PrivateKey privateKey = getPrivateKey(keystoreFilePath, keystorePassword, privateKeyAlias, privateKeyPassword);
Properties licenseSignature = new Properties();
licenseSignature.setProperty("sig_algorithm", SIGNING_ALGORITHM);
licenseSignature.setProperty("cert_DN", getCertificateIssuerDN(keystoreFilePath, keystorePassword, privateKeyAlias));
byte[] licenseByteArray = license.getBytes();
System.out.println(new String(licenseByteArray));
try {
Signature dsa = Signature.getInstance(SIGNING_ALGORITHM);
dsa.initSign(privateKey);
dsa.update(licenseByteArray);
byte[] signature = dsa.sign();
licenseSignature.setProperty("signature_base64", DatatypeConverter.printBase64Binary(signature));
}
catch (NoSuchAlgorithmException | SignatureException | InvalidKeyException e) {
//TODO: Add logging
}
return licenseSignature;
}
/**
* Pulls the private key from the specified keystore
* @param keystoreFilePath The file path where the keystore can be found
* @param keystorePassword The password to the keystore
* @param privateKeyAlias The alias of the private key in the keystore
* @param privateKeyPassword The password for the private key in the keystore
* @return The specified private key from the keystore
*/
private PrivateKey getPrivateKey(String keystoreFilePath, String keystorePassword, String privateKeyAlias, String privateKeyPassword) {
try {
FileInputStream keyStoreFile = new FileInputStream(keystoreFilePath);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(keyStoreFile, keystorePassword.toCharArray());
return (PrivateKey)keyStore.getKey(privateKeyAlias, privateKeyPassword.toCharArray());
}
catch(KeyStoreException | NoSuchAlgorithmException | IOException | CertificateException | UnrecoverableKeyException e) {
//TODO: Add logging;
}
return null;
}
/**
* Pulls the Issuer DN from a keystore for the specified private key
* @param keystoreFilePath The file path where the keystore can be found
* @param keystorePassword The password to the keystore
* @param privateKeyAlias The alias of the private key in the keystore
* @return The Issuer DN for the private key
*/
private String getCertificateIssuerDN(String keystoreFilePath, String keystorePassword, String privateKeyAlias) {
try {
FileInputStream keyStoreFile = new FileInputStream(keystoreFilePath);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(keyStoreFile, keystorePassword.toCharArray());
X509Certificate certificate = (X509Certificate)keyStore.getCertificate(privateKeyAlias);
return certificate.getIssuerDN().getName();
} catch (IOException | NoSuchAlgorithmException | CertificateException | KeyStoreException e) {
//TODO: Add logging
}
return null;
}
}
Looking at the wikipedia article I'm guessing it's because it implements RFC 6979,
This ensures that k is different for each H(m) and unpredictable for attackers who do not know the private key x.
This is to prevent attacks on the secret key.