
After looking through SO at similar questions, I have yet to find the answer.

I am signing a document using both openssl rsautl -sign ... and openssl dgst -sign ... Both options obviously provide different outputs.

My problem is that when I sign my file in the Android application using:

import java.security.PrivateKey;
import java.security.Signature;

// SHA256withRSA = SHA-256 of the data, wrapped in a DigestInfo, PKCS#1 v1.5 padded,
// then RSA-signed with the private key.
public byte[] signData(byte[] data, PrivateKey privateKey) {
    Signature signature = null;
    try {
        signature = Signature.getInstance("SHA256withRSA");
        signature.initSign(privateKey);
        signature.update(data);
        return signature.sign();
    } catch (Exception e) {
        // Any JCA failure (missing algorithm, bad key) ends up here.
        e.printStackTrace();
        return null;
    }
}

This function returns a completely different hex string. And the verification method on Android:

import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

// hexStringToByteArray() is the caller's own helper; signature is the hex string to check.
byte[] sigBytes = hexStringToByteArray(signature);
// keyBytes holds the DER (SubjectPublicKeyInfo) encoding of the RSA public key.
X509EncodedKeySpec spec = new X509EncodedKeySpec(keyBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey publicKey = keyFactory.generatePublic(spec);
// The verifier must use the same algorithm name as the signer.
Signature signCheck = Signature.getInstance("SHA256withRSA");
signCheck.initVerify(publicKey);
signCheck.update(data.getBytes("UTF-8"));
boolean isVerified = signCheck.verify(sigBytes);

only verifies the hex string generated by the Android application.

Using the openssl commands (I have tried most of the available parameters) I cannot seem to generate the same hex string.

FYI: I sign on both Android and the command line with RSA and with SHA256.

From Android I get the following hex string: 0A241F28C2C4CF8A71879FAFB9F16CF4908560B76BF2DDDB7757B7C5B150C4C5EE76E86D50CC237552E08F4C4154EB83BC9CEFF0E3540B515D131E711E8CE46E4EF8DFC941E0BAE1945FDB348D66839721D27F626E9869118A7EA0D181E367A19AF4335E44256F6DAB35B23871DC95CB47CDFC489852A093F9F25FCBC451FE90EEAD5D033C65FEE1CBF67D77581BF79F27A38574879A5B903D48D0C5705E1F8F0263F262D76B08A523A27AD4D8394050CEAC2EDD92021CCDB34038699AAA49B1BFDF6823ADEFA185B036A6DF30955A152D51B64BCAF83AF79B6F7EEE783AC4217D6CE6604AF7E016C53B0D86E70AEDD4178AE039B12ED2731AD45321DEF9E394

and from openssl (openssl dgst -sha256 -binary -sign private.pem data.txt | hexdump), I get

Please help, cheers.

Noxymon
  • Possible duplicate of [Why are the RSA-SHA256 signatures I generate with OpenSSL and Java different?](http://stackoverflow.com/q/13419201) and [Signed message using openssl. Can't verify on Android](http://stackoverflow.com/q/31004847) – jww Dec 07 '15 at 14:41
  • The signature is not large enough for the RSA block size, therefore it is padded. Some padding algorithms use random data, therefore different results do not have to mean that something is wrong. – Robert Dec 07 '15 at 17:12
  • How will I be able to validate it on the Android side if it is not the same hexadecimal value? – Noxymon Dec 07 '15 at 19:58
  • I tried signing the data "asdasd" on both ends; they still produce different strings for the same input. – Noxymon Dec 08 '15 at 09:35

1 Answer


I had different output signing a String with the command "openssl pkeyutl -sign ..." and Java code:

Signature sig = Signature.getInstance("SHA256withRSA");

Changing to this fingerprint, I finally got the same output:

Signature sig = Signature.getInstance("NONEwithRSA");
Tadas B.
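An added example (not code from the question or the answer above) showing, on a plain JVM, how the three signing paths discussed on this page relate: SHA256withRSA is deterministic PKCS#1 v1.5 over a SHA-256 DigestInfo (the same thing `openssl dgst -sha256 -sign` produces), NONEwithRSA over a DigestInfo built by hand gives byte-identical output (the answer's pkeyutl case), and NONEwithRSA over the bare hash (the `openssl rsautl -sign` case) gives a signature a SHA256withRSA verifier rejects. The class name, the freshly generated key pair and the "asdasd" input are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

public class Pkcs1SignatureDemo {
    // DER prefix of the SHA-256 DigestInfo that PKCS#1 v1.5 signing wraps around
    // the hash (RFC 8017, section 9.2, note 1).
    private static final byte[] SHA256_DIGEST_INFO_PREFIX = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01,
        0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
    };

    static byte[] sign(String alg, PrivateKey key, byte[] input) throws Exception {
        Signature s = Signature.getInstance(alg);
        s.initSign(key);
        s.update(input);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // constructed key pair, demo only
        byte[] data = "asdasd".getBytes(StandardCharsets.UTF_8);
        // (1) SHA256withRSA: SHA-256 -> DigestInfo -> PKCS#1 v1.5 type-1 padding -> RSA.
        //     Deterministic; `openssl dgst -sha256 -sign key.pem data.txt` does the same.
        byte[] sigA = sign("SHA256withRSA", kp.getPrivate(), data);
        // (2) NONEwithRSA over a hand-built DigestInfo||hash: byte-identical to (1).
        //     `openssl pkeyutl -sign -pkeyopt digest:sha256` fed the raw hash adds the
        //     same DigestInfo itself.
        byte[] hash = MessageDigest.getInstance("SHA-256").digest(data);
        byte[] digestInfo = Arrays.copyOf(SHA256_DIGEST_INFO_PREFIX,
                SHA256_DIGEST_INFO_PREFIX.length + hash.length);
        System.arraycopy(hash, 0, digestInfo, SHA256_DIGEST_INFO_PREFIX.length, hash.length);
        byte[] sigB = sign("NONEwithRSA", kp.getPrivate(), digestInfo);
        // (3) NONEwithRSA over the bare hash (what `openssl rsautl -sign` does with its
        //     input): padded but without DigestInfo, so a different signature that a
        //     SHA256withRSA verifier rejects (returns false or throws SignatureException).
        byte[] sigC = sign("NONEwithRSA", kp.getPrivate(), hash);

        System.out.println("(1) == (2): " + Arrays.equals(sigA, sigB));
        System.out.println("(1) == (3): " + Arrays.equals(sigA, sigC));
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(kp.getPublic());
        v.update(data);
        boolean ok;
        try { ok = v.verify(sigC); } catch (SignatureException e) { ok = false; }
        System.out.println("(3) verifies as SHA256withRSA: " + ok);
    }
}
```

When comparing against the command line, note that plain `hexdump` prints 16-bit words in host byte order, so its output is byte-swapped relative to a Java hex string; pipe the signature through `xxd -p` or `hexdump -C` instead to get the bytes in order.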