Discuss this help topic in SecureBlackbox Forum

Verify asymmetric signature

With asymmetric, or public key, cryptography, the sender can sign data using his secret key. Upon receipt of the signed data the recipient can verify signature's authenticity with the corresponding public key. Often a public key of an entity is contained in its public X.509 certificates. The private key is typically contained in a separate file, or even on a hardware device.

Typical low-level signature is essentially a cryptographic value that does not contain any identifier of the signing key. Therefore some identifier has to be conveyed with the signature, unless the key is known by the verifying party beforehand. To verify a digital signature with SecureBlackbox:

  1. Get your verifying (public) key in the form of TElRSAKeyMaterial object (SBPublicKeyCrypto namespace). You can create the object yourself if the key is to be loaded from file. If the key is contained in a certificate, you can access it via TElX509Certificate.KeyMaterial property: TElRSAKeyMaterial km = (TElRSAKeyMaterial)cert.KeyMaterial; Note the explicit cast to TElRSAKeyMaterial type, the certificate's KeyMaterial property returns an instance of the parent TElPublicKeyMaterial class.
  2. Create an instance of TElRSAPublicKeyCrypto class (SBPublicKeyCrypto namespace): TElRSAPublicKeyCrypto crypto = new TElRSAPublicKeyCrypto();
  3. Assign the key to the crypto object: crypto.KeyMaterial = km;
  4. Set InputIsHash to true if the signature has been produced over the digest value of the data, or to false if the whole load of the original data has been used. crypto.InputIsHash = false;
  5. Set HashAlgorithm to indicate which algorithm was used to digest the data: crypto.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
  6. Verify the signature. Note that VerifyDetached() method is used here, not Verify(). The latter is used when the data itself is included in the body of the signature. You can choose between array-based and stream-based overloads: TSBPublicKeyVerificationResult vr = crypto.VerifyDetached(inputStream, sigStream); The inputStream parameter shall contain the hash of the signed data if InputIsHash is true, or the data itself if InputIsHash is true.

The result (vr) will have one of the following values:

  • pkvrSuccess — the signature is valid.
  • pkvrInvalidSignature — the signature is invalid, or does not correspond to the data claimed to be signed.
  • pkvrKeyNotFound — the key does not match the signature.
  • pkvrFailure — internal failure.

How To articles related to low-level cryptography

Discuss this help topic in SecureBlackbox Forum