Verify digital signatures with ORA_RSA

The ORA_RSA PL/SQL package also provides methods for verifying RSA digital signatures.

To verify that a digital signature is valid for the input data it was created over, we need three things: the original input data, the digital signature itself, and the RSA public key that corresponds to the RSA private key used to create the signature. If any of the three differs from what the signer used (a modified message, a signature over different data, a key from another pair), verification fails.

Verify an RSA signature with public key loaded from file

In the sample PL/SQL code block below we verify a previously created digital signature, loading the verification public key from a file located on the database server file system.

For the sake of the example the signed data is a plain string stored in a VARCHAR2 column, and the signature is stored in the same table row. Because ORA_RSA.VERIFY takes RAW input, the string is converted to bytes with UTL_I18N.STRING_TO_RAW using the same character set (AL32UTF8 here) that was used when the signature was created; a different encoding produces different bytes and the signature will not verify.

DECLARE
  public_key_file_handle  BFILE;
  public_key              BLOB;

  message                 VARCHAR2(500);
  signature               RAW(32000);
  signature_check_result  PLS_INTEGER;
BEGIN
    -- FBI_Agents.Fingerprint is of type VARCHAR2(500); FingerprintSignature holds the RSA signature
    SELECT Fingerprint, FingerprintSignature
      INTO message, signature
      FROM FBI_Agents
     WHERE Agent_Id = '007';

    -- initialize the temporary BLOB that will hold the public key
    DBMS_LOB.createtemporary(public_key, TRUE);

    -- load the key from the file system
    -- the directory object must be created upfront with CREATE DIRECTORY,
    -- for example: CREATE DIRECTORY KEYS_DIR AS '/demo/schema/my_keys_folder';
    -- the schema needs READ on the directory, and the folder itself should be
    -- writable only by the key administrator: whoever can replace the key file
    -- can make any signature verify
    -- Note: the directory name is case-sensitive; an unquoted CREATE DIRECTORY stores it in upper case
    public_key_file_handle := BFILENAME('KEYS_DIR', 'didisoft_public.der');

    -- copy the key file into the BLOB
    DBMS_LOB.OPEN(public_key_file_handle, DBMS_LOB.LOB_READONLY);
    DBMS_LOB.LoadFromFile( DEST_LOB => public_key,
                           SRC_LOB  => public_key_file_handle,
                           AMOUNT   => DBMS_LOB.GETLENGTH(public_key_file_handle) );
    DBMS_LOB.CLOSE(public_key_file_handle);

    --
    -- RSA VERIFY
    -- the hash must be the same one that was used when the signature was created;
    -- SHA-1 is used here for the sample, prefer a SHA-2 hash for new signatures
    --
    signature_check_result := ORA_RSA.VERIFY(message    => UTL_I18N.STRING_TO_RAW(message, 'AL32UTF8'),
                                             signature  => signature,
                                             public_key => DBMS_LOB.substr(public_key),
                                             hash       => ORA_RSA.HASH_SHA1);

    -- release the temporary LOB
    DBMS_LOB.freetemporary(public_key);

    IF signature_check_result = 1 THEN
       DBMS_OUTPUT.put_line('Signature verification passed.');
    ELSE
       DBMS_OUTPUT.put_line('Signature cannot be verified!');
    END IF;
END;
/
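As an added example (not code from the original page or from the ORA_RSA package itself), the same check written as a reusable function in which the public key is read from a table instead of the server file system, which is the "real world" layout mentioned above and covers all three inputs named at the top of the page. The Signing_Keys table, its columns and the function name are assumptions; the ORA_RSA.VERIFY call, its parameters and the FBI_Agents columns are taken from the sample above.

```plsql
-- Added example, not part of the original page or of the ORA_RSA package.
-- Assumed schema (hypothetical):
--   CREATE TABLE Signing_Keys (Key_Id VARCHAR2(50) PRIMARY KEY, Public_Key_Der BLOB);
--   FBI_Agents(Agent_Id, Fingerprint VARCHAR2(500), FingerprintSignature RAW(32000)) as in the sample above.
CREATE OR REPLACE FUNCTION verify_agent_fingerprint(p_agent_id IN VARCHAR2,
                                                   p_key_id   IN VARCHAR2)
  RETURN BOOLEAN
IS
  l_message   FBI_Agents.Fingerprint%TYPE;
  l_signature FBI_Agents.FingerprintSignature%TYPE;
  l_key_blob  BLOB;
  l_key_raw   RAW(32767);
  l_result    PLS_INTEGER;
BEGIN
  -- input 1 and 2: the signed data and its signature, read in one round trip
  SELECT Fingerprint, FingerprintSignature
    INTO l_message, l_signature
    FROM FBI_Agents
   WHERE Agent_Id = p_agent_id;

  -- input 3: the public key, the trust anchor of the whole check.
  -- It lives in a table that only the key administrator can write to,
  -- so no directory object or host file system access is needed.
  SELECT Public_Key_Der
    INTO l_key_blob
    FROM Signing_Keys
   WHERE Key_Id = p_key_id;

  -- a missing message, signature or key can never verify; report failure, not an error
  IF l_message IS NULL OR l_signature IS NULL OR l_key_blob IS NULL THEN
    RETURN FALSE;
  END IF;

  -- a DER-encoded RSA public key is a few hundred bytes; refuse anything that
  -- would not fit in the RAW buffer rather than silently truncating it
  IF DBMS_LOB.GETLENGTH(l_key_blob) > 32767 THEN
    RAISE_APPLICATION_ERROR(-20001, 'public key too large for RAW buffer');
  END IF;
  l_key_raw := DBMS_LOB.SUBSTR(l_key_blob, DBMS_LOB.GETLENGTH(l_key_blob), 1);

  -- the hash must be the one used when the signature was created;
  -- SHA-1 matches the sample above, prefer a SHA-2 hash for new signatures
  l_result := ORA_RSA.VERIFY(message    => UTL_I18N.STRING_TO_RAW(l_message, 'AL32UTF8'),
                             signature  => l_signature,
                             public_key => l_key_raw,
                             hash       => ORA_RSA.HASH_SHA1);

  RETURN l_result = 1;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    -- unknown agent id or key id: nothing to verify.
    -- Other exceptions (for example a malformed key) are deliberately not
    -- swallowed, so that a broken setup is not reported as "signature invalid".
    RETURN FALSE;
END verify_agent_fingerprint;
/

-- usage from an anonymous block (key id is hypothetical)
BEGIN
  IF verify_agent_fingerprint('007', 'DIDISOFT-PUBLIC-2024') THEN
    DBMS_OUTPUT.put_line('Signature verification passed.');
  ELSE
    DBMS_OUTPUT.put_line('Signature cannot be verified!');
  END IF;
END;
/
```

The function returns FALSE only for the "cannot be verified" outcomes (bad signature, missing row, NULL inputs) and lets every other error propagate, so a caller can tell a rejected signature apart from a misconfigured key store.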

Summary

This sample demonstrated how to verify an RSA digital signature in the Oracle® PL/SQL programming language. You may also like to check how to create RSA digital signatures with PL/SQL and how to add an exception handling strategy to this code block.