Using asymmetric keys for signatures in Coldfusion
Posted on May 10, 2011
Coldfusion does not support SSL functions, so we need to create CFML code that will generate a signature with a given private key for use in payment gateway integration.
Task: Create CFML code that will generate a signature with a given private key for use in payment gateway integration. I have a PEM-encoded private key.
Problem: Coldfusion does not support SSL functions with features comparable to PHP's openssl_sign().
Solution: Create a Java class that can be loaded into a CFML page and perform the requested operation: read the private key from a PEM file and create a signature with the key.
Resources:
- no Java coding background: basic language knowledge and almost no experience;
- some developer chutzpah and experience in AGEC (advanced Google-enabled coding).
Solution:
- First I stumbled upon this great article by Jason Dean, but it used generated asymmetric keys and I had to work with the PEM file provided.
- I needed Java classes that provide asymmetric key features. Using AGEC I found this website and library: Bouncy Castle. At first glance I understood that it is a huge encryption library that I would never swallow;
- Googling led me to the Stack Overflow question and answer "Using a PEM (X.509) private key to sign a message natively". There is a nice piece of code by Kevin that used Bouncy Castle classes. I copy-pasted it into my Eclipse and modified it a little: added variables to the signMessage() method, as I'll need to use it in my Coldfusion code.
- The Java code worked great, but returned a hex-encoded string. I needed a Base64-encoded string for my purpose. Some googling led me to this project: Base64Coder. I took the code into my project 'as is' with no changes. I used its methods and checked the output against PHP's base64_encode function.
- Eclipse compiled the .class files for both my class ColdSignature and Base64Coder into the /bin folder, where I picked them up and packed them into a ZIP archive. I renamed the ZIP to rodionbykov.jar and put it into Coldfusion's /Coldfusion9/lib folder (or Railo's /railo/lib folder). Bouncy Castle's JARs should also be put there. If I had no access to the Coldfusion/Railo server to add JARs to, I'd make use of JavaLoader.
- When I was satisfied with the results, I plugged the object into my Coldfusion page and called its static method:
<cfset signer = createObject("java", "com.rodionbykov.ColdSignature") />
<cfset msg = signer.signMessage("Hello World!", "C:\private.pem", "", "SHA1WithRSAEncryption") />
- Signature options (MD5, SHA1) can be found here; use the one accepted by the gateway/server.
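The class described in the steps above reads a PEM private key, signs a message and returns Base64. The following is an added sketch of that flow, not the post's ColdSignature source: it uses only JDK classes (Java 8+) instead of Bouncy Castle and Base64Coder. It assumes an unencrypted PKCS#8 key ("BEGIN PRIVATE KEY"); the class name PemSigner, the three-argument signMessage and the SHA256withRSA algorithm in the demo are choices made for this example, and the key is a constructed throwaway.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

// Added example: PemSigner is a hypothetical class, not the post's ColdSignature.
public class PemSigner {
    // Assumption: the file is an unencrypted PKCS#8 RSA key ("BEGIN PRIVATE KEY").
    // PKCS#1 ("BEGIN RSA PRIVATE KEY") and encrypted keys are rejected, not guessed at.
    static PrivateKey loadPrivateKey(Path pemFile) throws Exception {
        String pem = new String(Files.readAllBytes(pemFile), StandardCharsets.US_ASCII);
        if (!pem.contains("-----BEGIN PRIVATE KEY-----")) {
            throw new IllegalArgumentException("not an unencrypted PKCS#8 PEM key");
        }
        String body = pem.replaceAll("-----(BEGIN|END) PRIVATE KEY-----", "")
                         .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Signs the UTF-8 bytes of the message and returns the signature as Base64.
    // The algorithm is a JCA name such as "SHA256withRSA"; use what the gateway accepts.
    public static String signMessage(String message, String pemPath, String algorithm)
            throws Exception {
        Signature signer = Signature.getInstance(algorithm);
        signer.initSign(loadPrivateKey(Paths.get(pemPath)));
        signer.update(message.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(signer.sign());
    }

    public static void main(String[] args) throws Exception {
        // Constructed throwaway key written to a temp file, so the demo runs offline.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        String pem = "-----BEGIN PRIVATE KEY-----\n"
                + Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(pair.getPrivate().getEncoded())
                + "\n-----END PRIVATE KEY-----\n";
        Path keyFile = Files.createTempFile("constructed-key", ".pem");
        keyFile.toFile().deleteOnExit();
        Files.write(keyFile, pem.getBytes(StandardCharsets.US_ASCII));
        String b64 = signMessage("Hello World!", keyFile.toString(), "SHA256withRSA");
        // Verify with the matching public key, as the receiving gateway would.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pair.getPublic());
        verifier.update("Hello World!".getBytes(StandardCharsets.UTF_8));
        System.out.println(b64 + "\nverified: " + verifier.verify(Base64.getDecoder().decode(b64)));
    }
}
```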
Conclusion: Java is a Coldfusion developer's best friend; do not be afraid of it, learn it and use it. When in doubt, Google for a solution!
Source code: if you want to see the result, here's the source code - you may use it for free and at your own risk.