
Cannot get MIFARE SAM AV2 PKI_VerifySignature to accept a valid RSA PSS Signature

Question asked by Arthur Morrison on Jan 12, 2019

I am having a problem getting SAM AV2 to verify my PKI signature using PKI_VerifySignature. It keeps returning a 901E response (Encryption error).


However, when I verify the same signature/hash in OpenSSL I get Verified OK (see below).


Note: I loaded my Public Key used for signing in the SAM successfully using the PKI_ImportKey command.


I have managed to successfully verify with OpenSSL a test signature output by the SAM PKI_SendSignature command. So strangely I can verify the SAM signature, but the SAM refuses to verify my signature (a file that OpenSSL can verify).


The signed data I am using are as follows:

data.txt contains the string "0123456789ABCDEF" (16 bytes)



The following command verified the output from the SAM which according to the spec uses RSAPSS.

OpenSSL> dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -verify sam-041f378a4a4f80_PK.pem -signature testSigfromSam.hex.bin data.txt
Verified OK



The following command verified the output I created (in Python) for the same data signed with my public key and is currently being rejected by the SAM.
OpenSSL> dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -verify unuTestPublic.pem -signature TestHostSignedData.bin data.txt
Verified OK



Question: Can NXP or the community give me a Python, JavaScript or OpenSSL command line/code snippet that will generate a signature file that the SAM AV2 will accept? I am certain I am complying with RSA PSS padding as mentioned in the Spec.



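# Python used to create the signature crypto file
# SHA256.new and PKCS1_PSS.new below are assumed (PyCrypto API): those names were lost from the posted snippet.
# mgf1 is not defined in the posted snippet.
from Crypto.Hash import SHA256
from Crypto.PublicKey import RSA
from Crypto.Signature import PKCS1_PSS

def signMessage(message):
   key = RSA.importKey(open('unuTestPrivate.pem').read(), passphrase='AGgull404')
   h = SHA256.new(message)
   signature = PKCS1_PSS.new(key, mgf1, 32).sign(h)
   print("Input data hash=" + h.hexdigest())
   return signature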
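
When one verifier accepts an RSA PSS signature and another rejects it, it helps to see which PSS parameters (message hash, MGF1 hash, salt length) the signature actually carries, so they can be compared with what the stricter verifier expects. The following is an added example, not part of the original post and not NXP code: it uses only the Python standard library, all function names are hypothetical, the key is a constructed toy key, and the candidate hashes are assumed to be SHA-1 and SHA-256.

```python
import hashlib, os
# Constructed toy key built from two Mersenne primes: insecure, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def mgf1(seed, length, hash_name):
    """MGF1 mask generation function (RFC 8017, B.2.1)."""
    blocks = -(-length // hashlib.new(hash_name).digest_size)
    return b"".join(hashlib.new(hash_name, seed + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]

def unmask(data, h, mgf_hash, em_len, em_bits):
    """XOR data with MGF1(h) and clear the unused top bits of the first byte."""
    out = bytearray(a ^ b for a, b in zip(data, mgf1(h, len(data), mgf_hash)))
    out[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(out)

def pss_encode(msg, em_bits, hash_name, mgf_hash, salt_len):
    """EMSA-PSS-ENCODE (RFC 8017, 9.1.1), used to build the demo signature."""
    em_len = (em_bits + 7) // 8
    salt = os.urandom(salt_len)
    m_hash = hashlib.new(hash_name, msg).digest()
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - salt_len - len(h) - 2) + b"\x01" + salt
    return unmask(db, h, mgf_hash, em_len, em_bits) + h + b"\xbc"

def toy_sign(em):
    return pow(int.from_bytes(em, "big"), D, N).to_bytes((N.bit_length() + 7) // 8, "big")

def recover_em(signature, n, e):
    """Public-key operation: the encoded message (EM) every verifier starts from."""
    em_bits = n.bit_length() - 1
    return pow(int.from_bytes(signature, "big"), e, n).to_bytes((em_bits + 7) // 8, "big"), em_bits

def pss_inspect(msg, em, em_bits, hashes=("sha1", "sha256")):
    """List each (hash, mgf_hash, salt_len) under which em is a valid PSS encoding of msg."""
    found = []
    for hash_name in hashes:
        h_len = hashlib.new(hash_name).digest_size
        if em[-1:] != b"\xbc" or len(em) < h_len + 2:
            continue
        masked, h = em[:-h_len - 1], em[-h_len - 1:-1]
        m_hash = hashlib.new(hash_name, msg).digest()
        for mgf_hash in hashes:
            pad, sep, salt = unmask(masked, h, mgf_hash, len(em), em_bits).partition(b"\x01")
            expected = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
            if sep and not pad.strip(b"\x00") and expected == h:
                found.append((hash_name, mgf_hash, len(salt)))
    return found
```

For a real signature, pass the bytes of the signature file and the public key's n and e to recover_em, then hand the result to pss_inspect together with the signed data.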