EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Signature validation, having the certificate and the hashes

Also by EldoS: CallbackProcess
A component to control process creation and termination in Windows and .NET applications.
Posted: 12/04/2012 09:01:58
by Ivan Hristov (Standard support level)
Joined: 10/26/2012
Posts: 16

Hello all,

I would like to know if it is possible to validate a signature, having the certificate in DER format and two hashes - the MD5 hash of file being signed and the signature hash. It should be possible, but the thing that bothers me it's that I don't know neither the signature algorithm, nor the Root CA certificates.

Thanks in advance,
Ivan Hristov.
Posted: 12/04/2012 09:07:18
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

You should have a signature and a public part of the certificate used to produce it. Depending on the signature format it may contain algorithm identificators and CA certificates. Could you describe your task in more details. Then we'll be able to give you more detailed answer.
Posted: 12/04/2012 09:09:36
by Ken Ivanov (EldoS Corp.)


If the signature was made with the use of md5WithRSAEncryption algorithm, i.e. if the hash algorithm used within the signing operation was MD5, then your goal is achievable. In all other cases I am afraid it isn't.
Posted: 12/04/2012 09:58:17
by Ivan Hristov (Standard support level)
Joined: 10/26/2012
Posts: 16

Hello again and thank you for your quick answers.
The fact is, I don't have any clue what is the signature algorithm, used for signing the files.
The current setup is this:
In a DB table is stored the following data:
1. DER-encoded public part of a certificate in byte[]. I'm able to create TElX509Certificate from this byte array and it seems OK - Issuer, CommonName and so on.

2. MD5 hash of the file, which was signed with this certificate. (Of course, this is the hash of the file before it was signed).

3. The hash of the signature, which was calculated for this certificate (1) and the file hash (2).

The task is to verify if the calculated signature hash (3) corresponds with (1) and (2) for all the records in the table.

Unfortunately, there is no additional data present, except the file itself, but this would be helpful only if I would want to recalculate the MD5 hash again.
Is there a way to check if the signature was made using the md5WithRSA encryption?

Posted: 12/04/2012 10:07:38
by Vsevolod Ievgiienko (EldoS Corp.)

You can check if certificate includes RSA key in a certificate attributes. You can check this using TElX509Certificate.PublicKeyAlgorithm or simply dump a certificate to a file and open it using Windows built-in viewer. If its RSA then you can try md5WithRSA.
Posted: 12/04/2012 10:26:26
by Ivan Hristov (Standard support level)
Joined: 10/26/2012
Posts: 16

The property PublicKeyAlgorithm has value 0. Although, PublicKeyAlgorithmIndentifier is said to be TElRSAAlgorithmIdentifier.

I wrote the certificate bytes in a .cer file and Windows viewer says "Signature algorithm: sha1RSA".
Assuming the signature algorithm is RSA, can you point me to code sample I could use to make such verification?

Thanks in advance,
Posted: 12/04/2012 10:35:33
by Vsevolod Ievgiienko (EldoS Corp.)

Please try to use a sample that is located in \EldoS\SecureBlackbox.NET\Samples\C#\PKIBlackbox\Primitives\VerifyDetached folder.
Posted: 12/05/2012 06:51:40
by Ivan Hristov (Standard support level)
Joined: 10/26/2012
Posts: 16

Thank you for you answer.
I tested the VerifyDetached and it returns "invalid signature".
Then I made a small test project for signing files with attached signature (p7m), which writes the public part of certificate and signature in files and tried the sample again - still "invalid signature".
Maybe the way I get the signature is wrong. Can you take a look at this code and give your opinion?

                public static byte[] SignFile(byte[] inFileBytes, TElX509Certificate inX509Certificate)
            TElMemoryCertStorage _memoryCertStorage = new TElMemoryCertStorage();
            _memoryCertStorage.Add(inX509Certificate, true);

            TElMessageSigner _signer = new TElMessageSigner();
            _signer.CertStorage = _memoryCertStorage;
            _signer.RecipientCerts = _memoryCertStorage;
            _signer.SignatureType = TSBMessageSignatureType.mstPublicKey;
            _signer.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_MD5;
            _signer.MacAlgorithm = SBConstants.Unit.SB_ALGORITHM_MAC_HMACSHA1;
            byte[] _outBuffer = new byte[0];
            int _outSize = 0;
            int _resultCode = _signer.Sign(inFileBytes, ref _outBuffer, ref _outSize, false);
            _outBuffer = new byte[_outSize];
            _resultCode = _signer.Sign(inFileBytes, ref _outBuffer, ref _outSize, false);
//File output - just for test
            File.WriteAllBytes(@"c:\cert.cer", inX509Certificate.CertificateBinary);
            File.WriteAllBytes(@"c:\signature.sig", inX509Certificate.Signature); //I'm not sure if this is the calculated signature!
            if (_resultCode != 0)
                InvalidOperationException _ioex = new InvalidOperationException("Проблем при подписване на файл. Код на грешка: " + _resultCode);
                _ioex.Data.Add("errorcode", _resultCode);
                throw _ioex;

            return _outBuffer;

The produced file is a valid file with attached signature and passes verification with third-party applications. I guess the problem is in the signature - I'm not sure if TElX509Certificate.Signature contains the calculated signature, but I couldn't figure out where to get it from.

Thanks in advance,
Posted: 12/05/2012 06:58:33
by Vsevolod Ievgiienko (EldoS Corp.)

The signature is located in _outBuffer after _signer.Sign is called. But you should refer to our samples again because you are using Sign method incorrectly now.
Posted: 12/05/2012 07:58:09
by Ivan Hristov (Standard support level)
Joined: 10/26/2012
Posts: 16


_outBuffer contains the whole signed file with attached signature in it. My goal is to get only the signature (usually byte[256], as far as I know).
The code above is almost copy-pasted from PKIBlackbox\MessagesDemo sample, including the double call to Sign() method. It's very likely for me to get something wrong, but so far this code produces valid *.p7m files. Which part caught your attention?

Also by EldoS: CallbackRegistry
A component to monitor and control Windows registry access and create virtual registry keys.



Topic viewed 2335 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!