menu

Blog

  • Using assumetric keys for signatures in Coldfusion

    Posted in May 10, 2011 - Folder: 2011 - Tags:

    Coldfusion does not support SSL functions, we need to reate CFML code that will generate signature per given Private key for use in payment gateway integration.

    Task: Create CFML code that will generate signature per given Private key for use in payment gateway integration. I have PEM-encoded private key.

    Problem: Coldfusion does not support SSL functions with features comparing to PHP's openssl-sign()

    Solution: Create Java class that can be loaded into CFML page and perform requested operation: read private key from PEM file, create signature with key.

    Resources:

    • no Java coding background: basic language knowledge and almost no experience;
    • some developer chutzpah and experience in AGEC (advanced Google-enabled coding).

     

    Solution:

    1. First I stumbled upon this great article by Jason Dean, but it used generated asymmetric keys and I had to work with PEM file provided.
    2. Need Java classes that provide asymmetric key features. Using AGEC I found this website and library: Bouncy Castle. At first glance I understood that it is huge encryption library that I never swallow;
    3. Googling to Stackoverflow question and answer "Using a PEM (X.509) private key to sign a message natively". There is nice piece of code by Kevin that used Bouncy Castle classes. I copy-pasted it to my Eclipse and modified a little: added variables to signMessage() method - as I'll need to use it in my Coldfusion code.
    4. Java code worked great, but returned HEX-encoded string. I was needed Base64-encoded string for my purpose. Some googling lead me to this project: Base64Coder. I took code to my project 'as is' with no changes. I used it's methods and controlled output by PHP's base64_encode function.
    5. Eclipse compiled .class files both for my class ColdSignature and Base64Coder into /bin folder where I picked them and packed into ZIP archive. I renamed ZIP to rodionbykov.jar and put into Coldfusion /Coldfusion9/lib folder (or Railo's /railo/lib folder). Also, Bouncy Castle's code JARs should be put there. If I had no access to Coldfusion/Railo server to add JARs into, I'd make use of JavaLoader.
    6. When I was satisfied with results, I plugged the object into my Coldfusion page and called it's static method:
      <cfset signer = createObject("java", "com.rodionbykov.ColdSignature") /> <cfset msg = signer.signMessage("Hello World!", "C:\private.pem", "", "SHA1WithRSAEncryption") />
    7. Signature options (MD5, SHA1) can be found here - and use that accepted by gateway/server.

    Conclusion: Java is Coldfusion developer's best friend, do not afraid of it, learn and use. In doubt: Google for solution !

    Source code: if you want to see the result, here's source code - you may use for free and at your own risk.