EldoS | Feel safer!

Software components for data protection, secure storage and transfer

RSAPublicKeyCrypto SHA256 signature Issue [.NET]

Also by EldoS: Solid File System
A virtual file system that offers a feature-rich storage for application documents and data with built-in compression and encryption.
#30880
Posted: 10/03/2014 13:42:11
by Peter Smith (Basic support level)
Joined: 09/17/2014
Posts: 4

I'm trying to create and verify detached signatures and I'm not getting the result I was expecting.

Here's the code I'm using:
Code
var signCert = new TElX509Certificate();
signCert.LoadFromStreamAuto(new FileStream(@"C:\Users\psmith\Desktop\ADFS2SignAndEncrypt\ADFS2Sign.pfx",
    FileMode.Open),"**********",0);
var crypto = new TElRSAPublicKeyCrypto();
var keyMaterial = new TElRSAKeyMaterial();
keyMaterial.Assign(signCert.KeyMaterial);
crypto.KeyMaterial = keyMaterial;
crypto.HashFuncOID = SBConstants.__Global.SB_OID_SHA256_RSAENCRYPTION;
var inputString = File.ReadAllText(@"C:\Users\psmith\Desktop\LogoutRequest.txt");
var inputStream = new MemoryStream(Encoding.UTF8.GetBytes(inputString));
inputStream.Position = 0;
var signatureStream = new MemoryStream();
crypto.SignDetached(inputStream,signatureStream,0);
Console.WriteLine(Convert.ToBase64String(signatureStream.ToArray()));


Here's the code the Microsoft way:

Code
var cert = new X509Certificate2(@"C:\Users\psmith\Desktop\ADFS2SignAndEncrypt\ADFS2Sign.pfx",
    "**********",X509KeyStorageFlags.Exportable);
var privateKey = cert.PrivateKey as RSACryptoServiceProvider;
var pk = new RSACryptoServiceProvider();
pk.ImportParameters(privateKey.ExportParameters(true));
var inputString = File.ReadAllText(@"C:\Users\psmith\Desktop\LogoutRequest.txt");
var inputStream = Encoding.UTF8.GetBytes(inputString);
var signatureBytes = pk.SignData(inputStream, "SHA256");
Console.WriteLine(Convert.ToBase64String(signatureBytes));


I would expect these two code fragments to produce the same results, but their not.

The code is related to generating and validating detached SAML signatures.

I'm not sure what I'm doing wrong.

Thanks,
Pete
#30881
Posted: 10/04/2014 02:20:21
by Eugene Mayevski (EldoS Corp.)

The result should not be identical. It must be correct (i.e. must be standard-compliant and accepted by the recipient). Did you try to validate the code produced data on the recipient side?


Sincerely yours
Eugene Mayevski
#30882
Posted: 10/04/2014 05:34:43
by Peter Smith (Basic support level)
Joined: 09/17/2014
Posts: 4

After doing more testing I find that everything works as I expected when using SHA1. The signatures generated using SBB validate successfully using SBB and the .Net Framework classes. Signatures generated with the .Net Framework classes validate successfully using SBB and the .Net Framework classes.

When I generate signatures with the .Net Framework classes using MD5 or SHA256. Those Signatures Validate successfully using SBB and the .Net Framework classes.

When I generate signatures with SBB using MD5 or SHA256. Those signatures
do NOT validate using either SBB or the .Net Framework classes.

This tells me there is something wrong with SBB signatures created using MD5 or SHA256.

I haven't seen the same issue generating XML signatures using SBB.

using this code the signatures are invalid

Code
var signCert = new TElX509Certificate();
signCert.LoadFromStreamPFX(new FileStream(@"C:\DSigTests\TestCertificate.pfx",
       FileMode.Open),"",0);

var crypto = new TElRSAPublicKeyCrypto();
var keyMaterial = new TElRSAKeyMaterial();
keyMaterial.Assign(signCert.KeyMaterial);
crypto.KeyMaterial = keyMaterial;
crypto.HashFuncOID = SBConstants.Unit.SB_OID_SHA256;
var inputString = File.ReadAllText(@"C:\DSigTests\Test1.txt");
var inputStream = new MemoryStream(Encoding.UTF8.GetBytes(inputString));
inputStream.Position = 0;
var signatureStream = new MemoryStream();
crypto.SignDetached(inputStream,signatureStream,0);
inputStream.Position = 0;
signatureStream.Position = 0;
Console.WriteLine(crypto.VerifyDetached(inputStream,signatureStream,0,0));
File.WriteAllText(@"C:\DSigTests\Test1Sig.txt",Convert.ToBase64String(signatureStream.ToArray()));
Console.WriteLine(Convert.ToBase64String(signatureStream.ToArray()));


What am I doing wrong?

Thanks,
Pete
#30887
Posted: 10/06/2014 04:17:36
by Ken Ivanov (EldoS Corp.)

Hi Pete,

Please remember to set the HashAlgorithm property of the crypto object before signing and validating the signature:

crypto.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256; // or _MD5

Ken
#30892
Posted: 10/06/2014 10:36:52
by Peter Smith (Basic support level)
Joined: 09/17/2014
Posts: 4

That makes it all better.

Should I also be setting the crypto.HashFuncOID? Under what conditions should that be set?


Thanks,
Pete
#30893
Posted: 10/06/2014 11:10:58
by Ken Ivanov (EldoS Corp.)

Hi Pete,

Normally you do not need to set the HashFuncOID property, as the components will pick the proper OID automatically. This property should only be used to override default OID values, typically to make your code compatible with some non-standard-compliant or old third-party software.

Ken
Also by EldoS: MsgConnect
Cross-platform protocol-independent communication framework for building peer-to-peer and client-server applications and middleware components.

Reply

Statistics

Topic viewed 802 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!