Parsing X.509 Digital Certificate newbie question

I'm trying to parse a Digital Certificate in .Net v1.1 to get the signature of it. What I mean is I need to verify the Digital Certificate. Thus, the process is

1. Get Root Certificate Authority's certificate. RootCert.
2. Get certificate I want to verify (i.e. CA issued this certificate). Let's call it UserCert.
3. Compute hash(data) of UserCert.
4. Use public key in RootCert to decrypt the signature of UserCert. The signature being Encrypted by Root CA of the Hash(data) when generating the UserCert.

I seem to have a few issues.

1. The root CA's certificate uses 4096bit Public Key. How do I parse out the Exponent and Modulus. Currently I am using the X509PublicKeyParser but it keeps throwing an error at

    if(i1 < 256 || i1 > 2048)
        throw new X509ParserException("Invalid RSA modulus size.");

If I comment out the above lines, I get some modulus and exponent but I have no way to verify if this is correct.

2. Parsing the signature out of the byte[] of the UserCert is proving to be difficult. According to Michel Gallant at http://www.jensign.com/JavaScience/GetTBSCert/index.html, "the actual PKCS #1 v1.5 signature blob (128 bytes, same size as the public key modulus corresponding to the private key used to sign this certificate)". So I tried to create a byte[] of 128 length with the last 128 bytes of the UserCert. However, when I try to do,

    // Verify the signature
    if(RSADeformatter.VerifySignature(HashValue, SignedHashValue))
    {
        Console.WriteLine("The signature is valid");
    }
    else
    {
        Console.WriteLine("The signature is not valid");
    }

I always get "The signature is not valid". I'm totally clueless as to why?

I know java can do all this. Java actually has a java.security.Signature library that parses the signature out of the UserCert file. They also have libraries that will get the modulus and exponent out from the public keys. However, I don't want to use java. I like .Net and need to use that.

Please HELP! I'm going bonkers with this problem!

Cheers.
Sushant Bhatia

I know you probably want to do all the parsing in managed code, but you save a lot of work (in .net 1.1) to use pinvoke to do the asn.1 parsing and therefore reduce chances of implementation error. Here is an example using that approach to recover modulus and exp from a cert: http://www.jensign.com/JavaScience/dotnet/DecodeCertKey

At least, you can use it as a benchmark to display what the cert and key is.

- Mitch

I'll have a look at that. Thanks Michel. Do you happen to have an example for the parsing of the signature too?
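
For the signature-parsing question that closes the thread, an added example (not code from any poster or from the linked jensign.com pages) that walks the certificate's DER structure and returns the two inputs a verifier needs: the complete tbsCertificate encoding, which is what gets hashed, and the signatureValue bytes, whose length follows the issuer's modulus size (512 bytes for the 4096-bit root key in the question). The class and method names and the synthetic sample bytes are assumptions made for illustration.

```csharp
using System;
// Added example: split a DER certificate into the parts a verifier needs.
class CertSplitter
{
    // Read the TLV header at pos; return where the value starts and its length.
    static void ReadTlv(byte[] der, int pos, byte tag, out int start, out int len)
    {
        if (pos + 2 > der.Length || der[pos] != tag)
            throw new FormatException("Unexpected tag at offset " + pos);
        start = pos + 2;
        len = der[pos + 1];
        if (len >= 0x80)                      // long form: low 7 bits = count of length bytes
        {
            int n = len & 0x7F;
            if (n == 0 || n > 3 || start + n > der.Length)
                throw new FormatException("Unsupported length encoding");
            for (len = 0; n > 0; n--) len = (len << 8) | der[start++];
        }
        if (len > der.Length - start) throw new FormatException("Truncated value");
    }
    static byte[] Slice(byte[] src, int offset, int count)
    {
        byte[] dst = new byte[count];
        Array.Copy(src, offset, dst, 0, count);
        return dst;
    }
    // tbs: the complete tbsCertificate TLV (header included), the bytes the CA signed.
    // signature: BIT STRING content without its leading "unused bits" byte.
    public static void Split(byte[] cert, out byte[] tbs, out byte[] signature)
    {
        int body, bodyLen, v, vLen;
        ReadTlv(cert, 0, 0x30, out body, out bodyLen);   // Certificate ::= SEQUENCE
        ReadTlv(cert, body, 0x30, out v, out vLen);      // tbsCertificate
        tbs = Slice(cert, body, v + vLen - body);
        ReadTlv(cert, v + vLen, 0x30, out v, out vLen);  // signatureAlgorithm
        ReadTlv(cert, v + vLen, 0x03, out v, out vLen);  // signatureValue
        if (vLen < 1 || cert[v] != 0) throw new FormatException("Bad BIT STRING");
        signature = Slice(cert, v + 1, vLen - 1);
    }
    static void Main()
    {
        // Constructed sample, not a real certificate: 300-byte TBS body, 512-byte signature.
        byte[] cert = new byte[827];
        new byte[] { 0x30, 0x82, 0x03, 0x37, 0x30, 0x82, 0x01, 0x2C }.CopyTo(cert, 0);
        new byte[] { 0x30, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00 }.CopyTo(cert, 308);
        byte[] tbs, sig;
        Split(cert, out tbs, out sig);
        Console.WriteLine("bytes to hash: {0}, signature bytes: {1}", tbs.Length, sig.Length);
    }
}
```

Hash the returned `tbs` bytes with the algorithm the certificate names in signatureAlgorithm, then hand that hash and `signature` to the verifier together with the issuer's public key.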