How do i verify the png file with publickey using cryptopp?

Question

My teacher gives me PublicKey, hello.png(original file) and five md5.png file(image+signature). And ask me which md5.png file has the signature correct with the original file.

And this is the code c++ my teacher use crptopp libabry to load the png file to base64 and then sign them. After that sum image and signature to the new file name md5.png:

int main(int argc, char* argv[])
{
    // Scratch result
    bool result = false;   
    string signature;
    
    // Private and Public keys
    ECDSA<ECP, SHA256>::PrivateKey privateKey;
    ECDSA<ECP, SHA256>::PublicKey publicKey;
    /////////////////////////////////////////////
    // Load key in PKCS#9 and X.509 format     
    LoadPrivateKey( "ec.private.key", privateKey );
    LoadPublicKey( "ec.public.key", publicKey );
    /////////////////////////////////////////////
    // Sign and Verify a message   
    string message ;
    loadFile2base64("hello.png", message);
    result = SignMessage( privateKey, message, signature );
    assert( true == result );

    string image;
    StringSource (message,true,new Base64Decoder(new StringSink(image)));
    
    StringSource (image+signature,true , new FileSink( "md5.png", true /*binary*/ ));

    return 0;
}

void loadFile2base64(const std::string& filename, string& mess) {
    
    FileSource file(filename.c_str(), true, new Base64Encoder(new StringSink(mess)));
    file.PumpAll();
    
}

bool SignMessage( const ECDSA<ECP, SHA1>::PrivateKey& key, const string& message, string& signature )
{
    AutoSeededRandomPool prng;
    
    signature.erase();    

    StringSource( message, true,
        new SignerFilter( prng,
            ECDSA<ECP,SHA1>::Signer(key),
            new StringSink( signature )
        ) // SignerFilter
    ); // StringSource
    
    return !signature.empty();
}

bool VerifyMessage( const ECDSA<ECP, SHA1>::PublicKey& key, const string& message, const string& signature )
{
    bool result = false;

    StringSource( signature+message, true,
        new SignatureVerificationFilter(
            ECDSA<ECP,SHA1>::Verifier(key),
            new ArraySink( (byte*)&result, sizeof(result) )
        ) // SignatureVerificationFilter
    );

    return result;
}

I have try to load the md5.png and the orginal file hello.png to base 64 to check what different between 2 files:

hello.png: [a lot thing here]=

md5.png: [a lot thing here]ATeFuHi2CQaZXGpXM s2L2M7UMaAoAdsID8O301sI8hDWJbR2IsQ5DjM4=

Because the md5.png was make with hello.png+signature so i think the string after [a lot thing here] is the base64 of signature but it doesn't.

Anyway else to get the signature from md5.png or any way to verify that md5.png file.

Answer 1

The PNG format consists of a header plus a number of chunks. Each chunk has a type tag, a size, and data. Your signature can be found right after the IEND chunk.

You can thus read the file from start to finish, skip over the header, and then read just enough of a chunk to know how many bytes to skip.

Alternatively, you could seek backwards from the end of the file until you see an IEND marker (the byte sequence 00 00 00 00 73 69 78 68 ?? ?? ?? ??) with a slight possibility that your signature also happens to contain such a byte sequence.