• Using assumetric keys for signatures in Coldfusion

    Coldfusion does not support SSL functions, we need to reate CFML code that will generate signature per given Private key for use in payment gateway integration.

    Task: Create CFML code that will generate signature per given Private key for use in payment gateway integration. I have PEM-encoded private key.

    Problem: Coldfusion does not support SSL functions with features comparing to PHP's openssl-sign()

    Solution: Create Java class that can be loaded into CFML page and perform requested operation: read private key from PEM file, create signature with key.


    • no Java coding background: basic language knowledge and almost no experience;
    • some developer chutzpah and experience in AGEC (advanced Google-enabled coding).



    1. First I stumbled upon this great article by Jason Dean, but it used generated asymmetric keys and I had to work with PEM file provided.
    2. Need Java classes that provide asymmetric key features. Using AGEC I found this website and library: Bouncy Castle. At first glance I understood that it is huge encryption library that I never swallow;
    3. Googling to Stackoverflow question and answer "Using a PEM (X.509) private key to sign a message natively". There is nice piece of code by Kevin that used Bouncy Castle classes. I copy-pasted it to my Eclipse and modified a little: added variables to signMessage() method - as I'll need to use it in my Coldfusion code.
    4. Java code worked great, but returned HEX-encoded string. I was needed Base64-encoded string for my purpose. Some googling lead me to this project: Base64Coder. I took code to my project 'as is' with no changes. I used it's methods and controlled output by PHP's base64_encode function.
    5. Eclipse compiled .class files both for my class ColdSignature and Base64Coder into /bin folder where I picked them and packed into ZIP archive. I renamed ZIP to rodionbykov.jar and put into Coldfusion /Coldfusion9/lib folder (or Railo's /railo/lib folder). Also, Bouncy Castle's code JARs should be put there. If I had no access to Coldfusion/Railo server to add JARs into, I'd make use of JavaLoader.
    6. When I was satisfied with results, I plugged the object into my Coldfusion page and called it's static method:
      <cfset signer = createObject("java", "com.rodionbykov.ColdSignature") /> <cfset msg = signer.signMessage("Hello World!", "C:\private.pem", "", "SHA1WithRSAEncryption") />
    7. Signature options (MD5, SHA1) can be found here - and use that accepted by gateway/server.

    Conclusion: Java is Coldfusion developer's best friend, do not afraid of it, learn and use. In doubt: Google for solution !

    Source code: if you want to see the result, here's source code - you may use for free and at your own risk.