H Verify external signature in Tink

Google Tink is an easy to implement cryptographic library that tries to avoid some typical user-errors while handling with cryptographic material. For that reason all cryptographic data is encapsulated in Tink-own formats and it is totally OK to do so when all data are communicated with partner that use Tink as well.

In an article on stackoverflow.com (https://stackoverflow.com/questions/53228475/google-tink-how-use-public-key-to-verify-signature/) a user asked for support in the case, that an externally generated ECDSA-Public Key and -signature needs to get verified with Tink. The answer of one of the developer was : „… I’m afraid that you’ll have to write the code yourself (and contribute!)“.

This article shows how to verify an „classic“ ECDSA-signature within Google Tink. Please keep in mind that my solution is a „proof of concept“ and my source code sometimes could get optimized, but… it’s working. If you can optimize the code then please let me know.

All parts of the solution are published here and on my Github-Archive (https://github.com/java-crypto/H-Google-Tink).

  1. Lets start with the generation of a an ECDSA-signature. The code in H Tink Generate an ECDSA signature generates three files in den classpath „ecdsa_classic_data_xxx.txt“, where xxx ist the keylength of the ECDSA-key (256, 384 and 521 Bits). The data included are Base64-coded strings with the Public Key, the message and the signature.
  2. Just for the purpose of self verification the signature in the datafiles can get checked with H Tink Verify an ECDSA signature with JCE. The program loads the 3 datafiles, decodes the data and verfies the signature.
  3. To get an external Public Key into the Tink-universum I’m doing this in a very rough but effective way – I’m writing a „hand made“ Public Key-file in JSON-format to the classpath (again in 3 version for different keylengths. This class is decribed in H Tink Save JSON File.
  4. The verification is done in several steps that were described in H Tink Verify an ECDSA signature with Tink. All 3 datafiles were loaded, 3 Public Key files were writen (see nr. 3) and reloaded and the verfication is done.

Here I’m showing just the end of all – the console shows a positive verification of all 3 datafiles. The mission is completed !

All sourcecodes to this solution are available in my Github-Archive with this link: https://github.com/java-crypto/H-Google-Tink. All programs run with Java 8 and Java 11.

The licence (or better unlicence) to my solution is available here: Lizenz-Seite.

Last edit: 18.11.2019