1

I cannot get the C# ECDsaCng VerifyData method to return true no matter what I do. Similar code works with RSA signatures and data coming from Windows Hello but EC encryption from Android/Samsung has me baffled.

assertion.Signature : - MEYCIQDi0OGHK2CRFpel6RWq26IjyWmJCfJnnaYvGWL/NBC6awIhANzNweSdj5uzFxDkvHeNgYcKaEuzgjEykiVJGfF/SNyd

assertion.ClientDataJSON :- {"type":"webauthn.get","challenge":"ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SmxlSEFpT2pFMk1UVTVOak14TWpBc0ltbHpjeUk2SWxSbGMzUXVZMjl0SWl3aVlYVmtJam9pVkdWemRDNWpiMjBpZlEuNXRLR3RlR1dBcEpjNFZpYjRHdGNHS01mS1VPUkFXWFl0bDBRd1BkQUxJVQ","origin":"https://localhost:3000","androidPackageName":"com.android.chrome"}

pubKey.x :- CeE16bdD0ga/oiy/zFL1c70Cp/9me+HZzggzlTooWzU=

pubKey.y :- N5l+MynIqzxgut+phBUNIOcI7DIv2uRXHkLCesK90Cg=

Here is the code segment: -

        byte[] data = new byte[authData.Length + hashValClientData.Length];
        Buffer.BlockCopy(authData, 0, data, 0, authData.Length);
        Buffer.BlockCopy(hashValClientData, 0, data, authData.Length, hashValClientData.Length);

        byte[] sig = Convert.FromBase64String(assertion.Signature);

        if (pubKey.kty == "EC")
        {
            byte[] ECDsaSig = convertFromASN1(sig);
            var keyType = new byte[] { 0x45, 0x43, 0x53, 0x31 }; // BCRYPT_ECDSA_PUBLIC_P256_MAGIC {E, C, S, 1}
            var keyLength = new byte[] { 0x20, 0x00, 0x00, 0x00 }; // Key length 32
            byte[] keyImport = new byte [72];
            Buffer.BlockCopy(keyType, 0, keyImport, 0, keyType.Length);
            Buffer.BlockCopy(keyLength, 0, keyImport, keyType.Length, keyLength.Length);
            Buffer.BlockCopy(Convert.FromBase64String(pubKey.x), 0, keyImport, 8, 32);
            Buffer.BlockCopy(Convert.FromBase64String(pubKey.y), 0, keyImport, 40, 32);

            try
            {
                using (ECDsaCng dsa = new ECDsaCng(CngKey.Import(keyImport, CngKeyBlobFormat.EccPublicBlob)))
                {
                    dsa.HashAlgorithm = CngAlgorithm.Sha256;
                    if (dsa.VerifyData(data, ECDsaSig))
                    {
                        Console.WriteLine("The signature is valid.");
                    }
                    else
                    {
                        Console.WriteLine("The signature is not valid.");
                        return FAIL_STATUS;
                    }
                }
            }
            catch (Exception e)
            {
                return FAIL_STATUS;
            }
        }

After reading StackOverflow I realized I had to convert the ASN.1 Signature to a ECDsa friendly format so I did this: -

    internal byte[] convertFromASN1(byte[] sig)
    {
        const int DER = 48;
        const int LENGTH_MARKER = 2;

        if (sig.Length < 6 || sig[0] != DER || sig[1] != sig.Length - 2 || sig[2] != LENGTH_MARKER || sig[sig[3] + 4] != LENGTH_MARKER)
            throw new ArgumentException("Invalid signature format.", "sig");

        int rLen = sig[3];
        int sLen = sig[rLen + 5];

        byte[] newSig = new byte[rLen + sLen];
        Buffer.BlockCopy(sig, 4, newSig, 0, rLen);
        Buffer.BlockCopy(sig, 6 + rLen, newSig, rLen, sLen);

        return newSig;
    }

But still no joy :-( What am I doing wrong? Please help. (ClientData hashed with SHA256)

McMurphy
  • 1,235
  • 1
  • 15
  • 39

1 Answers1

3

Something like this should work:

if (pubKey.kty == "EC")
{
    byte[] ecDsaSig = convertFromASN1(sig);

    var point = new ECPoint
    {
        X = Convert.FromBase64String(pubKey.x),
        Y = Convert.FromBase64String(pubKey.y),
    };

    var ecparams = new ECParameters
    {
        Q = point,
        Curve = ECCurve.NamedCurves.nistP256
    };

    try
    {
        using (ECDsa ecdsa = ECDsa.Create(ecparams))
        {
            if (ecdsa.VerifyData(data, ecDsaSig, HashAlgorithmName.SHA256)
            {
                Console.WriteLine("The signature is valid.");
            }
            else
            {
                Console.WriteLine("The signature is not valid.");
                return FAIL_STATUS;
            }
        }
    }
    catch (Exception e)
    {
        return FAIL_STATUS;
    }
}

Converting ASN.1 to the IEEE P-1363 format that .NET wants can be pretty tricky. Some guidance here and here.

If you take your sample sig here, you can visualize the breakdown a little better, your X starts with 1025 and ends with 3227 and your Y starts with 9987 and ends with 1469.

Here is how I am currently doing the same.

aseigler
  • 504
  • 3
  • 7