1

I have read round all the articles on StackOverflow and while a lot of them come close to the solution I want, none appear to work.

I simply want to take an existing private key to create a signature of a piece of data. This then becomes part of a data file which includes a header describing the parameters used. Next comes the signed version of a datafile, lastly the datafile itself (a hex file). Concatentation of files is not the issue, generating a certificate using the private and public key pairs I have is. The keys are of the format ("-----BEGIN PRIVATE KEY-----") I can generate signature files easily enough from scratch, but the software that will read the final file is expecting a 256 bye signature, whereas mine (using RSA-256) is only producing 32 byte signatures. It only has access to the public key for decryption and validation of the file signature.

I have come up across a number of errors such as keysets not being valid, not existing, the ComputeHash function not working and causing a crash. I suspect I need to provide more information to my RSACryptographicService through CSPParameters but am not sure what is necessary and sufficient to do so. I would like to avoid digging into the mathematics behind the algorithm such as manually setting/reading the modulus / P/Q values etc. Can anyone propose a simple way to do this or tell me where I am going wrong? Code is available on request.

Alex K.
  • 171,639
  • 30
  • 264
  • 288
JTM
  • 33
  • 4
  • 1
    Can you add some code? A quick search gives me a [RSA signing method](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsacryptoserviceprovider.signdata?redirectedfrom=MSDN&view=netframework-4.7.2#System_Security_Cryptography_RSACryptoServiceProvider_SignData_System_Byte___System_Object_) – Cleptus Sep 19 '18 at 10:57
  • //some snippets here:if (header.pubkeyType_code == (uint)GE_RSA_DATA.PK_TYPE.PK_RSA) { if (header.RSAAlgo == (UInt16)GE_RSA_DATA.RSA_ALGO.MD_SHA512)// jl debug { alg = HashAlgorithmName.SHA512; privatekeybytes = new byte[512]; alghash = new HMACSHA512(privatekeybytes); HashDirectory.hashValue = alghash.ComputeHash(HashDirectory.imgbytes); – JTM Sep 19 '18 at 12:23
  • Checking your code, you are hashing, not using existing functions. You should consider using existing signing methods or check how the BCL does the hashing and the signing. https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/rsacryptoserviceprovider.cs,4c07b5b58c3699be – Cleptus Sep 19 '18 at 12:49
  • Looks like [you can import your private key](https://stackoverflow.com/questions/1528928/using-a-previously-generated-rsa-public-private-key-with-the-net-framework) and use it to [sign the data](https://learn.microsoft.com/es-es/dotnet/api/system.security.cryptography.rsacryptoserviceprovider.signdata?view=netframework-4.7.2) not sure if fits the question needs tho. – Cleptus Sep 19 '18 at 13:07

1 Answers1

3

The comments you are getting saying 256-byte signature is too long are absurd. Ignore those.

256 bit (32 bytes) would be a very small signature, that cannot be correct. I believe what you're actually looking for is 2048-bit (256-byte) RSA signatures. Those are more sensible by today's standards (though a step larger doesn't hurt).

In terms of importing your key, and not setting key components manually, you should look into "PEM" format RSA keys. There are several nuget packages out there to handle them. Otherwise you can strip the header/footer and decode the base64 yourself and import the key components with some of the built in X509 classes.

.NET does not natively support PEM format keys, and as such, I recommend using a reputable crypto library such as BouncyCastle, as they support PEM key parsing in their RSA algorithms.

This existing stackoverflow link describes how to import keys in BouncyCastle: Reading PEM RSA Public Key Only using Bouncy Castle

DS7
  • 130
  • 9
  • I'll look into using X509 - I had started by using this but abandoned that approach. I didn't want to use any third party libraries even though BouncyCastle seems to come highly recommended. I can strip and parse the keys myself easily enough so will try the first approach and let you know how that goes. – JTM Sep 19 '18 at 12:30
  • Yeah that's likely the best route. It's a bit of extra work, but searching around can yield some examples people made of their PEM parsers that strip, decode base64, and parse the underlying components. Sorry, it seems there's no easier way to do this natively. – DS7 Sep 19 '18 at 21:00