EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Error in "Cert.Keymaterial"

#21086
Posted: 08/21/2012 04:47:18
by Ken Ivanov (EldoS Corp.)

Just to make sure that we understand each other correctly - is it the run-time Cert.KeyMaterial.ClassName value that says that the KeyMaterial is of TElPublicKeyMaterial type? I.e. does the following call

ShowMessage(Cert.KeyMaterial.ClassName);

report that it is TElPublicKeyMaterial?

If it is, may I ask you to send us the public part of your certificate so that we can check it locally (you can do this securely through the Help Desk). Sometimes CAs incorrectly specify public key algorithms, causing processing software to consider the public keys unsupported.
#21088
Posted: 08/21/2012 06:05:15
by Bremen Sistemas (Basic support level)
Joined: 08/20/2012
Posts: 17

I do not know if I need to use it.
I put this code together based on the examples and some of the forum posts here.
What I need is to sign a string with RSA-SHA1.
Is there another way to do it?
#21095
Posted: 08/21/2012 10:14:40
by Eugene Mayevski (EldoS Corp.)

Let's have a *dialog*, please. In order to help you we need to figure out certain things about your environment, and we need to ask you questions which we expect to be answered. Please answer Innokentiy's questions and also provide a certificate via the HelpDesk (when you export the public certificate without a private key, there is no security risk in disclosing the certificate).


Sincerely yours
Eugene Mayevski
#21098
Posted: 08/21/2012 11:03:12
by Bremen Sistemas (Basic support level)
Joined: 08/20/2012
Posts: 17

I'm using an A3 certificate. It is a token certificate; I cannot export it.

PS: Posted in HelpDesk. Ticket [21299]
#21103
Posted: 08/21/2012 12:01:23
by Ken Ivanov (EldoS Corp.)

Thanks for the certificate. It is OK, so we now have to figure out what's wrong with your code. Could you please confirm that the 'TElPublicKeyMaterial' value is returned by the following call:

ShowMessage(Cert.KeyMaterial.ClassName);
#21105
Posted: 08/21/2012 12:07:30
by Ken Ivanov (EldoS Corp.)

And a check from a different angle - could you please take any of the samples that are capable of signing with system certificates (PDFBlackbox\TinySigner will do) and check if they succeed in signing with your certificate?
#21106
Posted: 08/21/2012 12:10:12
by Bremen Sistemas (Basic support level)
Joined: 08/20/2012
Posts: 17

Put in:

Code
  KeyMaterial := TElRSAKeyMaterial.Create;

  ShowMessage(Cert.KeyMaterial.ClassName);

  KeyMaterial.Assign(Cert.KeyMaterial);


Response: "Inaccessible value"

I saw several examples of how to sign a "String" using RSAPublicKey.
The manual says to sign with the certificate's private key.
Would it be the same thing?
#21107
Posted: 08/21/2012 12:25:54
by Bremen Sistemas (Basic support level)
Joined: 08/20/2012
Posts: 17

Quote
Innokentiy Ivanov wrote:
And a check from a different angle - could you please take any of the samples that are capable of signing with system certificates (PDFBlackbox\TinySigner will do) and check if they succeed in signing with your certificate?


Yes, I could usually sign a PDF with that example.
#21123
Posted: 08/22/2012 08:51:10
by Bremen Sistemas (Basic support level)
Joined: 08/20/2012
Posts: 17

I have a question.

Is Cert.KeyMaterial a private key or a public key?

I managed to make a signature, but it comes back as invalid.
The correct one would be:
ywI+haRzzx47iXwXbYJYS+P4KC...WK5i/+iVPVLAFsw6lGuOVI1A=

and the function returns:
CFej...mzej+WTi0pqcYIL9KJtf3ceNWg7CkFoQO3F6Hb6hl10=

My code:

Code
function SignStringRSASHA1(Cert: TElX509Certificate; const AString: string): string;
var
  S: AnsiString;  // byte string: on Unicode Delphi a plain string would write two bytes per character
  InputBuffer, SignBuffer: TMemoryStream;
  Crypto: TElRSAPublicKeyCrypto;
  KeyMaterial: TElRSAKeyMaterial;
begin
  // Step 1: SHA-1 digest of the input. Assumes CalcHashStr returns the 20 raw
  // digest bytes, not a hex string (a hex string would sign the wrong bytes).
  S := CalcHashStr(AString, haSHA1);  // sha1hash(AString, false);

  // Step 2: RSA with the private key of Cert over the digest
  InputBuffer := TMemoryStream.Create;
  SignBuffer := TMemoryStream.Create;
  Crypto := TElRSAPublicKeyCrypto.Create;
  KeyMaterial := TElRSAKeyMaterial.Create;
  try
    InputBuffer.Write(S[1], Length(S));
    InputBuffer.Position := 0;

    Crypto.InputEncoding  := pkeBinary;
    Crypto.OutputEncoding := pkeBase64;

    // The certificate must carry the private key (see Cert.PrivateKeyExists);
    // a public-key-only certificate cannot sign
    KeyMaterial.Assign(Cert.KeyMaterial);

    Crypto.InputIsHash   := True;
    Crypto.HashAlgorithm := SB_ALGORITHM_DGST_SHA1;
    Crypto.KeyMaterial   := KeyMaterial;

    // Signature
    Crypto.SignDetached(InputBuffer, SignBuffer);

    SetLength(S, SignBuffer.Size);
    SignBuffer.Position := 0;
    SignBuffer.Read(S[1], SignBuffer.Size);

    Result := S;
  finally
    Crypto.Free;
    KeyMaterial.Free;
    SignBuffer.Free;
    InputBuffer.Free;
  end;
end;

Code of the DLL in C#

Code
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// SHA-1 over the ASCII bytes, RSA PKCS#1 v1.5 signature with the certificate's
// private key, Base64 output
static string AssinarRSASHA1(X509Certificate2 cert, string sAssinatura)
{
    ASCIIEncoding enc = new ASCIIEncoding();

    // PrivateKey is null when the certificate carries only the public part
    RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
    if (rsa == null)
        throw new InvalidOperationException("Certificate has no RSA private key");

    byte[] sAssinaturaByte = enc.GetBytes(sAssinatura);

    RSAPKCS1SignatureFormatter rsaf = new RSAPKCS1SignatureFormatter(rsa);
    SHA1CryptoServiceProvider sha1 = new SHA1CryptoServiceProvider();

    byte[] hash = sha1.ComputeHash(sAssinaturaByte);

    rsaf.SetHashAlgorithm("SHA1");
    byte[] signature = rsaf.CreateSignature(hash);

    return Convert.ToBase64String(signature);
}


But I need it to work in Delphi, with the VCL.

Steps of Manual:

2 - Convert the string to ASCII to bytes.
3 - Generate HASH (byte array) using SHA1.
4 - Get the HASH (byte array) using RSA-SHA1.
#21126
Posted: 08/22/2012 10:24:19
by Ken Ivanov (EldoS Corp.)

TElX509Certificate.KeyMaterial can reference both public and private keys, depending on where the certificate has been loaded from. Normally the availability of the private key can be checked via the TElX509Certificate.PrivateKeyExists property.

Quote
I managed to make a signature, but it returns me is invalid.
The Correct would be:

Note that two signatures made over the same data by different implementations might differ. There are a couple of points where implementations have a certain level of freedom in how to encode the data, so you can get several different valid signatures over the same data.

Still, the first thing for you to try would be setting InputIsHash to false and checking if it results in creation of a valid signature.

BTW, how exactly do you check if a signature is valid or not? Do you use some validating tool?
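The Go program below is an added example, not code from the thread, from SecureBlackbox or from .NET. It reproduces the C# reference procedure posted above (ASCII bytes, SHA-1, RSA PKCS#1 v1.5, Base64) with Go's standard library and then demonstrates the two points in the reply: signatures over the same data from different implementations can differ and still both be valid (here through the two legal DER encodings of the SHA-1 DigestInfo, with and without the NULL parameter), and validity has to be judged with the public key, not by comparing Base64 strings. The key is generated on the fly and sampleString is a constructed input; both stand in for the token certificate and the string from the thread, which are not on the page.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"math/big"
)

// Constructed sample input: the string actually signed in the thread is not on the page.
const sampleString = "exemplo de assinatura"

// Two legal DER encodings of the SHA-1 DigestInfo prefix (RFC 8017 section 9.2): with an explicit NULL parameter (the common form, which Go emits) and without it.
var (
	digestInfoNull   = []byte{0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14}
	digestInfoNoNull = []byte{0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14}
)

// newKey generates a throwaway key so the example runs without a token certificate.
func newKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// signRSASHA1 is the reference procedure from the thread: ASCII bytes -> SHA-1 -> RSA PKCS#1 v1.5 -> Base64. The signer gets the 20 raw digest bytes, not hex text.
func signRSASHA1(priv *rsa.PrivateKey, s string) (string, error) {
	digest := sha1.Sum([]byte(s))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// signRSASHA1NoNull plays the "different implementation": it builds 00 01 FF..FF 00 T
// by hand with the NULL-less DigestInfo and applies the raw RSA private operation.
func signRSASHA1NoNull(priv *rsa.PrivateKey, s string) string {
	digest := sha1.Sum([]byte(s))
	t := append(append([]byte{}, digestInfoNoNull...), digest[:]...)
	k := (priv.N.BitLen() + 7) / 8
	em := make([]byte, k)
	em[1] = 0x01
	for i := 2; i < k-len(t)-1; i++ {
		em[i] = 0xff // em[k-len(t)-1] stays 0x00 as the separator
	}
	copy(em[k-len(t):], t)
	sig := new(big.Int).Exp(new(big.Int).SetBytes(em), priv.D, priv.N)
	return base64.StdEncoding.EncodeToString(sig.FillBytes(make([]byte, k)))
}

// recoverDigest applies the public operation, checks the padding and accepts either DigestInfo form, returning the SHA-1 digest carried inside the signature.
func recoverDigest(pub *rsa.PublicKey, sigB64 string) ([]byte, bool) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	k := (pub.N.BitLen() + 7) / 8
	if err != nil || len(sig) != k {
		return nil, false
	}
	em := new(big.Int).Exp(new(big.Int).SetBytes(sig), big.NewInt(int64(pub.E)), pub.N).FillBytes(make([]byte, k))
	i := 2 // expect 00 01, at least eight 0xFF bytes, a 0x00 separator, then T
	for i < k && em[i] == 0xff {
		i++
	}
	if em[0] != 0x00 || em[1] != 0x01 || i < 10 || i >= k || em[i] != 0x00 {
		return nil, false
	}
	t := em[i+1:]
	for _, prefix := range [][]byte{digestInfoNull, digestInfoNoNull} {
		if len(t) == len(prefix)+sha1.Size && bytes.HasPrefix(t, prefix) {
			return t[len(prefix):], true
		}
	}
	return nil, false
}

// verify judges a signature with the public key, never by comparing Base64 strings: strict is the stdlib check, which accepts only the NULL form; lenient accepts both.
func verify(pub *rsa.PublicKey, s, sigB64 string) (strict, lenient bool) {
	digest := sha1.Sum([]byte(s))
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	strict = err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) == nil
	got, ok := recoverDigest(pub, sigB64)
	return strict, ok && bytes.Equal(got, digest[:])
}

func main() {
	priv := newKey()
	a, _ := signRSASHA1(priv, sampleString)
	b := signRSASHA1NoNull(priv, sampleString)
	fmt.Println(a == b)                                    // false: same key and data, two valid encodings
	fmt.Println(verify(&priv.PublicKey, sampleString, a)) // true true
	fmt.Println(verify(&priv.PublicKey, sampleString, b)) // false true
}
```

Run it with go run. PKCS#1 v1.5 is deterministic, so with the same key, the same DigestInfo encoding and the same 20 raw digest bytes, two implementations produce identical Base64; a signature that differs from a reference value is therefore either a different legal encoding (still valid under a verifier that checks the digest, as the lenient check shows) or a genuine mistake, and the first mistake to rule out is feeding the signer a hex string of the digest (40 ASCII bytes) instead of the raw 20 bytes, which rsa.SignPKCS1v15 refuses but other libraries may silently sign.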