EldoS | Feel safer!

Software components for data protection, secure storage and transfer


Also by EldoS: MsgConnect
Cross-platform protocol-independent communication framework for building peer-to-peer and client-server applications and middleware components.
Posted: 12/03/2012 02:36:27
by Sergio Rossi (Basic support level)
Joined: 12/03/2012
Posts: 2

Hello everyone!

We are considering your well-made components using them in our project. Unfortunately, our knowledge of the world of cryptography is very poor and this is the reason for our post, which is to ask you, kindly, if we are correctly using your components.
Before we formulate our question to you, we have to explain to you the task.
We want to establish a connection with Google services through the OAuth2 authentication protocol (https://developers.google.com/accounts/docs/OAuth2ServiceAccount).
At some point in the specification, there is the following directive, that we report verbatim:

"The signing algorithm in the JWT header must be used when computing the signature. The only signing algorithm supported by the Google OAuth 2.0 Authorization Server is RSA using SHA-256 hashing algorithm. This is expressed as ‘RS256’ in the ‘alg’ field in the JWT header. Sign the UTF-8 representation of the input using SHA256withRSA (also known as RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash function) with the private key obtained from the API console. The output will be a byte array."

To do the core of that, we have written the following code:

function Sign(CertificateFileName,Password,DataToSign:string):string;
var Crypto:TElRSAPublicKeyCrypto;
        Create(CertificateFileName,fmOpenRead or fmShareDenyWrite);
      case CertType of
            if (R<>0) then
              raise Exception.Create('PEM read error: '+IntToStr®);
            if (R<>0) then
              raise Exception.Create('PFX read error: '+IntToStr®);
            if (R<>0) then
              raise Exception.Create('SPC read error: ' +IntToStr®);

At this point we want to address to you the following question: is the code that we wrote to properly sign the input text using the private key contained in the certificate X509 that we have available?
Or we made a wrong use of the components?

Thank you in advance for your kind attention and we hope to receive soon from you a very welcomed response.

Posted: 12/03/2012 10:19:01
by Ken Ivanov (EldoS Corp.)

Hello Sergio,

Your code is generally correct. Depending on what kind of data you have in the DataToSign parameter, you might need to set TElRSAPublicKeyCrypto.InputIsHash property to true (if DataToSign contains hash that has already been calculated).

You can assign Cert.KeyMaterial directly to Crypto.KeyMaterial property to omit redundant key cloning.
Posted: 12/03/2012 10:42:57
by Sergio Rossi (Basic support level)
Joined: 12/03/2012
Posts: 2

Hi Ivanov!

Thank you for your kindly reply.
In "DataToSign" there is a string (not a hash) that we have to sign with the private key.
So do you confirm to us that the code written by us is correct (apart the repeated use of key component) and that the text contained in "DataToSign" will signed with the private key of the certificate? (the use of the private key, not the public one, is the crucial point).
Please forgive us if we insist on this point, but we must be sure that the code is correct, because we did not have a deep knowledge of general encryption stuff.

Thank you very much in advance.
Posted: 12/03/2012 11:09:54
by Ken Ivanov (EldoS Corp.)

Yes, the code is correct, and it will use a private key to sign the data. If there's no private key associated with the certificate, the SignDetached() method will throw an exception, as you can't sign data with public keys.



Topic viewed 1215 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!