Creating digital signatures with ORA_RSA

The ORA_RSA package creates RSA digital signatures as well.

In order to create a signature for a data field we need an RSA private key (and, if the key is stored in a password-protected .pfx/.p12 (PKCS12) file, we will also need the private key password).

The package supports the following Hash functions:

ORA_RSA.HASH_SHA1 for SHA1withRSA
ORA_RSA.HASH_SHA224 for SHA224withRSA
ORA_RSA.HASH_SHA256 for SHA256withRSA
ORA_RSA.HASH_SHA384 for SHA384withRSA
ORA_RSA.HASH_SHA512 for SHA512withRSA

specified as the last parameter of the ORA_RSA.SIGN method.

In contrast to core RSA encryption, there are no input data length restrictions when creating RSA digital signatures.

Table of examples

1. Create RSA digital signature with private key loaded from file
2. Create RSA digital signature with inline private key

1. Create RSA digital signature with private key loaded from file

This sample shows how to create an RSA digital signature. The signature is returned as a RAW data field.
Please note that the example code below doesn't need a private key password, as the key is stored in a non-password-protected format. For keys protected with a password, an overloaded version of the ORA_RSA.SIGN method is available with a third parameter for the private key password.

DECLARE
  private_key_file_handle  BFILE;
  private_key  BLOB;
 
  message VARCHAR(500);
  signature raw(32000);
BEGIN
    -- load a private key from the filesystem
    -- the directory name must be created upfront with CREATE DIRECTORY
    -- for example: CREATE DIRECTORY KEYS_DIR AS '/demo/schema/my_keys_folder';
    private_key_file_handle := BFILENAME('KEYS_DIR', 'didisoft_private_no.der'); -- Note: the directory name must be upper case
 
    -- initialize the private key BLOB storage
    DBMS_LOB.createtemporary(private_key, TRUE);
 
    -- load the private key into a BLOB
    DBMS_LOB.OPEN(private_key_file_handle, DBMS_LOB.LOB_READONLY);
    DBMS_LOB.LoadFromFile( DEST_LOB => private_key,
                         SRC_LOB  => private_key_file_handle,
                         AMOUNT   => DBMS_LOB.GETLENGTH(private_key_file_handle) );
    DBMS_LOB.CLOSE(private_key_file_handle);
 
    message := 'Hello World';
    --
    -- RSA SIGN
    --
    signature := ORA_RSA.SIGN(message => UTL_I18N.STRING_TO_RAW(message, 'AL32UTF8'),
                              private_key => DBMS_LOB.substr(private_key),
                              private_key_password => '',
                              hash => ORA_RSA.HASH_SHA256);  
END;

 

2. Create RSA digital signature with an inline private key

In this example, the private key is hardcoded inside the PL/SQL code in PEM (text-based) format. Of course, the code block can easily be modified to load the key data from a database table:

DECLARE
  private_key CLOB := '-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMJOVHMWQpGWTiR7
F5z3WQIIvJYUDubZAPUxzj2NgriomhnowjgiK40Q2UPNxgBq3wlMhMpAp01+Or6R
2mkOctOZ55Qjgm2VzTovW4MuOLWGB43fXm3qDe05/SIdV3K3h2KVwcNqecJTR25T
RNeGHo4r8cce3BnuVzEKjk2DNQOXAgMBAAECgYEAuqIMQaL+++IYWrgU/UMkLmz/
31OS4K9NWTamt77F8eKYagyFCO/hTxUA6zyqU9pTMxZZcf9Z83gsqsFjvYcQSHy6
mRXFuORzh0r/wXKJtyFF0B26KC7WipqtPAuzn7SNGNeMh8g3H1qH8neEjir15Uai
6lR/sDIOZlO9sUJoZBECQQDkLXnXl/YXGoQDdupUQMzrF+ZK/od2U9YjdSOi+k/j
x23usurtzRhYGW/73vJd9Sw6Qc6ijPr+ItSpnl+qaxzvAkEA2f+OVzn1HwmYbc2a
Booo32aT96TJrwN8V4gC7m5hseHoXDDoXmwLZwNm7+w0vu3lk1p9tSqs8oc/nR0E
fHhT2QJAOQslasCSxTPbzQHtkyKgGCXhbN40/1/2KOcgAZ6SWl+BHCuej9S2QVAa
rt0Num+Qnv/UqM6V8PLEN6NgRzqAAQJBALeQYrp+WjKNcOYc97LECdC73qLsBswx
QjWumNFO70LLOE7Q/AnuLtfKXJZwrqWLSwJ+c1XnHoSGcIGK2qk45VkCQA6b1qCv
jGFksgcQ8vff5lwOWfJ2ZxA8Zpgeq5w7EaDTWS/WhtVUYg3bBsadgXb3LxpZScxq
U4Ad7pAZrI6H6Tc=
-----END PRIVATE KEY-----';
 
  message VARCHAR(500);
  signature raw(32000);
BEGIN
    message := 'Hello World';
    --
    -- RSA SIGN
    --
    signature := ORA_RSA.SIGN(message => UTL_I18N.STRING_TO_RAW(message, 'AL32UTF8'),
                              private_key => UTL_RAW.cast_to_raw(private_key),
                              private_key_password => '',
                              hash => ORA_RSA.HASH_SHA256);
END;
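The following is an added example (not part of the ORA_RSA documentation) of the table-backed variant mentioned above: a reusable function that looks the private key up in a table, refuses keys that would be silently truncated by DBMS_LOB.SUBSTR, and then makes the same ORA_RSA.SIGN call as the examples on this page. The table APP_SIGNING_KEYS, its columns, and the key name 'orders-2024' are hypothetical.

```plsql
-- Added example: sign a message with a private key loaded from a table.
-- The table APP_SIGNING_KEYS (key_name VARCHAR2, key_data BLOB) is hypothetical.
CREATE OR REPLACE FUNCTION sign_message(
    p_key_name  IN VARCHAR2,
    p_message   IN VARCHAR2,
    p_password  IN VARCHAR2 DEFAULT '')   -- only needed for PKCS12 keys
RETURN RAW
IS
    l_key_blob  BLOB;
    l_key_len   INTEGER;
    l_signature RAW(32000);
BEGIN
    -- one DER or PEM private key per row
    SELECT key_data INTO l_key_blob
      FROM app_signing_keys
     WHERE key_name = p_key_name;

    -- DBMS_LOB.SUBSTR returns at most 32767 bytes; fail loudly rather than
    -- hand a truncated key to ORA_RSA.SIGN
    l_key_len := DBMS_LOB.GETLENGTH(l_key_blob);
    IF l_key_len IS NULL OR l_key_len > 32767 THEN
        RAISE_APPLICATION_ERROR(-20001,
            'private key ' || p_key_name || ' is empty or too large');
    END IF;

    -- same call as the examples above: SHA256withRSA over the UTF-8 bytes
    l_signature := ORA_RSA.SIGN(
        message              => UTL_I18N.STRING_TO_RAW(p_message, 'AL32UTF8'),
        private_key          => DBMS_LOB.SUBSTR(l_key_blob, l_key_len, 1),
        private_key_password => p_password,
        hash                 => ORA_RSA.HASH_SHA256);

    RETURN l_signature;
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        RAISE_APPLICATION_ERROR(-20002, 'no private key named ' || p_key_name);
END sign_message;
/

-- usage: the RAW signature is hex-encoded so it can be stored in a VARCHAR2
-- column next to the signed record
DECLARE
    l_sig RAW(32000);
BEGIN
    l_sig := sign_message('orders-2024', 'Hello World');
    DBMS_OUTPUT.PUT_LINE(RAWTOHEX(l_sig));
END;
/
```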

Summary

This tutorial chapter illustrated how to create RSA digital signatures using Oracle® Database PL/SQL.

You may also be interested in how to verify digital signatures created this way and how to add exception handling to your code.