
License File Generator Using Digital Signatures

Author
19 Mar 2005 11:03 PM
mr.mike.ward
I've written a license file generator in C# that generates a signed XML
file for use in another program. I need to give this generator to a
third party (ShareIt.com) so they can generate license files when a
purchase is made. I can do this with keys stored in a container,
but on their system, I won't be able to store the public/private key
pair needed for signing. So I assume I have to store the key pair in my
program. Given a key pair generated with SN.EXE, how do I store and use
it in my program?

P.S.

I tried generating an XML file to embed as a resource but I could not
figure out how to generate an XML file with both the public and private
key in it.

Regards,

Mike

Author
20 Mar 2005 12:16 AM
Michel Gallant
Storing asymmetric keypairs in applications is unwise.
Your third party should consider storing these important signature
credentials on a smart-card or token.  If they generate the signatures on a
Win32 platform, they should store them in CryptoAPI protected
storage (which you seem to indicate is not possible).
A portable way of storing an RSA (and other) keypairs is using
the encrypted keycontainer format PKCS#12, discussed here:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/pkcs12.asp

Such a keypair file is supported as a readable/writeable keycontainer
by many implementations .. e.g. Java supports PKCS#12 keystores.

The keypairs generated by .net sn.exe are rather vulnerable, as the
file is an unencrypted PRIVATEKEYBLOB format:
   http://www.jensign.com/JavaScience/dotnet/keyinfo

I recommend importing that sn.exe generated blob into a capi keycontainer, e.g.
  http://www.jensign.com/JavaScience/feature/ImportSNK.txt
and then exporting to protected (encrypted) PKCS#12 if you need to
generate the keypair and port (by sneaker-net?) to the 3rd party.
Or assist them with generating their OWN credentials .. which is
typically how RSA keypairs for certificates are generated.

Cheers,
- Mitch Gallant

<mr.mike.w***@gmail.com> wrote in message news:1111273432.688876.198910@g14g2000cwa.googlegroups.com...
> I've written a license file generator in C# that generates a signed XML
> file for use in another program. I need to give this generator to a
> third party (ShareIt.com) so they can generate license files when a
> purchase is made. I can do this with keys stored in a container,
> but on their system, I won't be able to store the public/private key
> pair needed for signing. So I assume I have to store the key pair in my
> program. Given a key pair generated with SN.EXE, how do I store and use
> it in my program?
>
> P.S.
>
> I tried generating an XML file to embed as a resource but I could not
> figure out how to generate an XML file with both the public and private
> key in it.
>
> Regards,
>
> Mike
>
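Added example (not code from the thread or from either poster) showing the split Mitch is arguing for in .NET terms: the sn.exe key pair is imported once into a named CAPI key container on the signing machine, the signer only ever asks the CSP to sign, and the license checker embeds nothing but the public half (the `ToXmlString(false)` output; `ToXmlString(true)` is the call that emits both halves, which is what the original P.S. asks about, and that output must never ship with the checker). Assumptions: Windows with the CAPI key store, .NET Framework 4.6.2 or later (or .NET on Windows), a key pair file at the placeholder path `LicenseSigner.snk`, and a hypothetical container name `LicenseSigner`. The verifier passes the pinned key to `CheckSignature` explicitly; the no-argument overload trusts whatever `KeyInfo` the license file itself carries.

```csharp
// Added example, not code from the thread. Assumes Windows with the CAPI key store,
// .NET Framework 4.6.2+ (or .NET on Windows), and an sn.exe key pair saved as
// LicenseSigner.snk (a constructed placeholder path).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class LicenseSigning
{
    const string ContainerName = "LicenseSigner";   // hypothetical CAPI key container name

    // Provider type 24 = PROV_RSA_AES, so the CSP can produce RSA-SHA256 signatures
    // (the default PROV_RSA_FULL provider only does SHA-1 under SignedXml).
    static CspParameters Container(bool mustExist) => new CspParameters(24)
    {
        KeyContainerName = ContainerName,
        Flags = CspProviderFlags.UseMachineKeyStore
              | (mustExist ? CspProviderFlags.UseExistingKey : CspProviderFlags.NoFlags)
    };

    // One-time step on the signing machine: move the unencrypted sn.exe PRIVATEKEYBLOB
    // into a persistent key container, then delete the .snk file.
    public static void ImportSnkIntoContainer(string snkPath)
    {
        using (var rsa = new RSACryptoServiceProvider(Container(mustExist: false)))
        {
            rsa.PersistKeyInCsp = true;
            rsa.ImportCspBlob(File.ReadAllBytes(snkPath));   // .snk is a bare PRIVATEKEYBLOB
        }
    }

    // Public half only: this string is what the license checker embeds.
    public static string ExportPublicKeyXml()
    {
        using (var rsa = new RSACryptoServiceProvider(Container(mustExist: true)))
            return rsa.ToXmlString(false);
    }

    // Signing side: the private key stays inside the CSP; the code only requests a signature.
    public static XmlDocument SignLicense(string licenseXml)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(licenseXml);
        using (var rsa = new RSACryptoServiceProvider(Container(mustExist: true)))
        {
            var signedXml = new SignedXml(doc) { SigningKey = rsa };
            signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
            var reference = new Reference { Uri = "", DigestMethod = SignedXml.XmlDsigSHA256Url }; // "" = whole document
            reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            signedXml.AddReference(reference);
            signedXml.ComputeSignature();
            doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        }
        return doc;
    }

    // Checking side: pins the embedded public key and ignores the file's own KeyInfo.
    public static bool VerifyLicense(XmlDocument signedDoc, string publicKeyXml)
    {
        var sigs = signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;            // zero or several signatures: reject
        using (var pub = new RSACryptoServiceProvider())
        {
            pub.FromXmlString(publicKeyXml);
            var signedXml = new SignedXml(signedDoc);
            signedXml.LoadXml((XmlElement)sigs[0]);
            // CheckSignature() with no argument would trust whatever KeyInfo the license
            // carries, so a forged file could validate under its own key. Pass the pinned key.
            return signedXml.CheckSignature(pub);
        }
    }

    static void Main()
    {
        ImportSnkIntoContainer("LicenseSigner.snk");
        string publicKeyXml = ExportPublicKeyXml();      // paste this into the checker's source

        // Constructed sample license.
        XmlDocument license = SignLicense(
            "<license><licensee>Example Corp</licensee><expires>2006-03-20</expires></license>");
        Console.WriteLine("untampered: " + VerifyLicense(license, publicKeyXml));

        // Editing the signed content invalidates the signature.
        license.SelectSingleNode("/license/expires").InnerText = "2099-12-31";
        Console.WriteLine("tampered:   " + VerifyLicense(license, publicKeyXml));
    }
}
```

Run `ImportSnkIntoContainer` once under the account that will do the signing (the container is created in the machine key store, so that account needs access to it), then remove the `.snk`; from then on the signing program carries no key material, only a container name.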
Author
20 Mar 2005 12:53 AM
mr.mike.ward
Mitch,

Thanks for the pointers. I'm not wild about storing the keys in the app
either. I just don't know of another option at the moment. I'm going to
start a conversation with ShareIt to see if I can nudge them into
storing the keys as you suggest.

Mike
Author
20 Mar 2005 1:36 AM
mr.mike.ward
One other thing. How do I export my key pair into PKCS#12?
Author
20 Mar 2005 2:15 PM
Michel Gallant
I don't think that capi supports storing asymmetric keypairs alone within
a PKCS#12 file (although the pkcs standard does support that).
If you have just the RSA keypair (without any associated encapsulating
certificate) and you have imported it into an exportable key container
on your system, you can securely export the keypair into an encrypted
PRIVATEKEYBLOB using CryptExportKey() with hExpKey as a secret
symmetric key (which you obviously need to share securely with your 3rd party):
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptexportkey.asp
This makes sense if your 3rd party plans to import that keypair into
protected capi storage.

Or you could simply encrypt your sn generated PRIVATEKEYBLOB using
some *trusted* encryption application.
What you do will depend on how your 3rd party intends to use the RSA keypair
in their .net signature-generation.

- Mitch Gallant

<mr.mike.w***@gmail.com> wrote in message news:1111282599.183965.4570@f14g2000cwb.googlegroups.com...
> One other thing. How do I export my key pair into PKCS#12?
>
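Added example (not the thread's own code) covering both transport options in Mitch's reply, in managed code rather than native `CryptExportKey`. Option A is the "encrypt the PRIVATEKEYBLOB before moving it" route: the key pair is exported as a passphrase-encrypted PKCS#8 structure (PBES2 with AES-256-CBC and PBKDF2-SHA256, the same construction PKCS#12 wraps), which the recipient decrypts and pushes into a persistent CAPI container so it never sits in a file. Option B is the route he prefers, where the third party generates its own key pair and only the public half crosses the wire. Assumptions: .NET 5 or later for the PKCS#8 and `OperatingSystem` APIs, Windows for the CAPI container step, and the constructed passphrase, sample data and container name shown in the code.

```csharp
// Added example, not from the thread. Requires .NET 5+ for the PKCS#8 export/import
// and OperatingSystem APIs; the CAPI container step is Windows-only.
using System;
using System.Security.Cryptography;
using System.Text;

static class KeyTransport
{
    // Option A: ship the key pair as an encrypted PKCS#8 (PBES2, AES-256-CBC, PBKDF2-SHA256).
    // The passphrase must travel by a different channel from the file.
    public static byte[] ExportEncrypted(RSA rsa, string passphrase)
    {
        var pbe = new PbeParameters(PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, 600_000);
        return rsa.ExportEncryptedPkcs8PrivateKey(passphrase.AsSpan(), pbe);
    }

    // Recipient side: a wrong passphrase raises CryptographicException instead of yielding a key.
    public static RSA ImportEncrypted(byte[] pkcs8, string passphrase)
    {
        var rsa = RSA.Create();
        rsa.ImportEncryptedPkcs8PrivateKey(passphrase.AsSpan(), pkcs8, out _);
        return rsa;
    }

    // On the receiving Windows machine, move the key into a persistent CAPI container
    // ("protected capi storage" in Mitch's words) rather than leaving it in a file.
    public static void PersistInCapiContainer(RSA rsa, string containerName)
    {
        var cp = new CspParameters(24)    // 24 = PROV_RSA_AES
        {
            KeyContainerName = containerName,
            Flags = CspProviderFlags.UseMachineKeyStore
        };
        using (var csp = new RSACryptoServiceProvider(cp))
        {
            csp.PersistKeyInCsp = true;
            csp.ImportParameters(rsa.ExportParameters(true));
        }
    }

    // Option B: the third party generates its own key pair; only this DER SubjectPublicKeyInfo
    // is sent back and compiled into the license checker.
    public static byte[] PublicKeyForChecker(RSA rsa) => rsa.ExportSubjectPublicKeyInfo();

    static void Main()
    {
        const string passphrase = "correct horse battery staple";   // constructed sample passphrase
        using var original = RSA.Create(2048);
        byte[] encrypted = ExportEncrypted(original, passphrase);

        try { ImportEncrypted(encrypted, "wrong"); }
        catch (CryptographicException) { Console.WriteLine("wrong passphrase rejected"); }

        // Round trip: the restored private key signs, a checker holding only the public key verifies.
        using var restored = ImportEncrypted(encrypted, passphrase);
        byte[] data = Encoding.UTF8.GetBytes("<license>constructed sample</license>");
        byte[] sig = restored.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        using var checker = RSA.Create();
        checker.ImportSubjectPublicKeyInfo(PublicKeyForChecker(original), out _);
        Console.WriteLine("round trip verifies: " +
            checker.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

        if (OperatingSystem.IsWindows())
            PersistInCapiContainer(restored, "LicenseSigner");   // hypothetical container name
    }
}
```

Whichever option is used, the checker only ever needs `PublicKeyForChecker` output; the encrypted PKCS#8 file and its passphrase should be destroyed once the key is in the recipient's container.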
Author
20 Mar 2005 2:13 PM
Eugene Mayevski
Hello!
You wrote on 19 Mar 2005 16:53:06 -0800:

mmw> Thanks for the pointers. I'm not wild about storing the keys in the
mmw> app either. I just don't know of another option at the moment. I'm
mmw> going to start a conversation with ShareIt to see if I can nudge them
mmw> into storing the keys as you suggest.

:))) They will never do this. You must embed the keys into the application.
Or generate the keys for users yourself.

With best regards,
Eugene Mayevski
