my iOS app, written in swift, generates a key pair using SecKeyCreateRandomKey for private key (with kSecAttrKeyTypeRSA and 2048 bits attributes), and SecKeyCopyPublicKey to retrieve the public key. I use SecKeyCreateSignature to sign my data, using the private key.
I convert the signature into a string: signature?.base64EncodedString()
I convert the public key SecKey structure to string, using SecKeyCopyExternalRepresentation and convert that to key.base64EncodedString().
I send (using HTTP POST and JSON) the data, the public key and the signature to my server. Server stores this info in a database.
Later, some other instance of my app queries the server, and the server responds with the relevant data, signature and the public key.
On the trip back from server, I restore the public key SecKey structure with SecKeyCreateWithData, and then the App verifies the data, using the signature and the public key using SecKeyVerifySignature (with .rsaSignatureMessagePKCS1v15SHA512 algo)
This works flawlessly. Sign, send, store ... request, retrieve, verify. I know, therefore, I have no issues shipping data back and forth, no issues in having the core Apple security functions work ... on the app side. However:
I'm having difficulty verifying the signature on the PHP side. Ideally, I'd like to verify the signature, data, public key, at various points in my PHP server logic. My attempts at using openssl_verify have failed. I tried (reading from a db):
$signature = base64_decode($row["signature"]);
$publicKey = $row["publicKey"];
$tA = $row["colA"];
$tB = $row["colB"];
$data = $tA . $tB;
$key = "-----BEGIN PUBLIC KEY----- " . $publicKey . " -----END PUBLIC KEY-----";
$ok = openssl_verify($data, $signature, $key, OPENSSL_ALGO_SHA512);
I'm not sure I'm doing this right, and I can't get past the "coerce" error message, openssl_verify(): supplied key param cannot be coerced into a public key...
While the documentation claims _verify function specifically allows the $key to be also passed as string of the key, there are no examples provided. All examples deal with files and certs, etc. I have the key loaded into the string, I am providing the "armor" iOS did not generate -- what am I missing? Help is appreciated.