H Tink Verify an ECDSA signature with Tink

This article is part 4, the final part, of the series H Verify external signature in Tink.

Let's see how to verify an externally generated (elliptic curve) signature with an externally generated public key. As Tink looks like a "closed shop", I first analysed the public key file in JSON format. While other programs use a byte array of the encoded public key, Tink uses another, rarer format: the "RAW" or X and Y format. There are only a few articles and Stack Overflow questions that deal with this format.

The second question was: how is the key stored in the value field (besides the fact that it is Base64-encoded)? As mentioned before, my solution does not work with Tink's own protobuf formats but instead uses a hard-coded header that differs for the 3 possible elliptic curves (P256, P384 and P521).

I know that there is a way to hold the self-created public key file completely in memory, but I'm opting for "save and reload" of the key file.

The last problem concerns the signature: what is the structure of a Tink signature? After analysing some signatures and the Tink source code I found that the signature is assigned to the Tink public key by the "primaryKeyId", because the key ID is part of the signature "value".

To get the external signature to work with Tink I'm recoding the byte array with a header that names the "creating" public key by the primaryKeyId.
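The header recoding described above can be sketched as follows. This is an added example, not the author's program, and it uses only the JDK (no Tink classes). It assumes the keyset entry uses Tink's TINK output prefix type, where the signature is preceded by the byte 0x01 and the 4-byte big-endian key ID; the class name, method names and the key ID value are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;

// Added example, not the author's program.
public class TinkSignaturePrefixDemo {
    static final byte TINK_START_BYTE = 0x01; // first byte of Tink's "TINK" output prefix
    static final int PREFIX_SIZE = 5;         // 1 start byte + 4-byte big-endian key ID

    // Prepend the prefix that names the keyset entry Tink should verify with.
    static byte[] addTinkPrefix(int keyId, byte[] signature) {
        return ByteBuffer.allocate(PREFIX_SIZE + signature.length)
                .put(TINK_START_BYTE).putInt(keyId).put(signature).array();
    }

    // Read the key ID back; reject input too short or without the start byte.
    static int keyIdOf(byte[] tinkSignature) {
        if (tinkSignature.length <= PREFIX_SIZE || tinkSignature[0] != TINK_START_BYTE) {
            throw new IllegalArgumentException("not a TINK-prefixed signature");
        }
        return ByteBuffer.wrap(tinkSignature, 1, 4).getInt();
    }

    static byte[] stripTinkPrefix(byte[] tinkSignature) {
        keyIdOf(tinkSignature); // validates length and start byte
        return Arrays.copyOfRange(tinkSignature, PREFIX_SIZE, tinkSignature.length);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a throwaway P-256 key pair and message.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withECDSA"); // DER-encoded output
        signer.initSign(kp.getPrivate());
        signer.update(message);
        int primaryKeyId = 0x7A11C0DE; // hypothetical; use the primaryKeyId of your keyset
        byte[] tinkSig = addTinkPrefix(primaryKeyId, signer.sign());
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(message);
        boolean ok = verifier.verify(stripTinkPrefix(tinkSig));
        System.out.println("key id " + Integer.toUnsignedString(keyIdOf(tinkSig))
                + ", signature valid after stripping prefix: " + ok);
    }
}
```

The key ID in a Tink JSON keyset is an unsigned 32-bit number, so values above 2^31 appear negative in a Java `int`; the bytes written by `putInt` are the same either way.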

Putting all 3 partial solutions together in one program brings us to the final solution. The program reads the 3 externally created data files (see H Tink Generate an ECDSA signature), generates 3 new public key files, generates a new signature and then verifies the messages with the public key against the signature file.

To work with this solution you need 3 libraries in your classpath (Tink, protobuf and JSON); the links to the Maven repositories are part of the source code header.

Here is the complete sourcecode:

The console output is "short and dirty" but most important: it works:

All source code for this solution is available in my GitHub archive at this link: https://github.com/java-crypto/H-Google-Tink. All programs run with Java 8 and Java 11.

The licence (or better unlicence) to my solution is available here: Lizenz-Seite.

Last edit: 18.11.2019