I have to sign a string in node js, in the same way of a C# application, which uses RSACryptoServiceProvider. In fact it uses
X509Certificate2 certificate = new X509Certificate2("file.pfx", "aPassword",
X509KeyStorageFlags.Exportable);
RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)RSACryptoServiceProvider.Create();
rsa.FromXmlString(certificate.PrivateKey.ToXmlString(true));
signer = new RSAPKCS1SignatureFormatter(rsa);
signer.SetHashAlgorithm("SHA256");
byte[] signedData = signer.CreateSignature("a string");
string signedString = Convert.ToBase64String(signedData);
I've tried to do the same in node js, so far, using jsonwebtoken in this way
var kdrPrivateKey = fs.readFileSync('private_key.pem');
var authorizationSigned = jwt.sign("a string", kdrPrivateKey, { algorithm: 'RS256'});
var authorizationBase64 = Base64.encode(authorizationSigned);
I also got the private_key from file.pfx in this way
openssl pkcs12 -in file.pfx -nocerts -out private_key.pem -nodes
My question, finally is, is the node js code equivalent to the C# code? If not, how can I make the C# code in a node js way?
Thanks!
Use RSA XML Decrypter for Node. Decrypt a string by private RSA XML C# key in Node.js.
var RSAXML = require('rsa-xml'),
// base64 encoded private rsa xml key
var privateKey1 = 'PFJTQUtleVZhbHVlPjxNb2R1bHVzPjUxbCtyaHRzRmQvQ3NOb0U5VW9kdWorS0Vqd0F2YWZUZmI1N3Zldit3b3ZRbjdoVURrdzlCbVVMOTdSSC9zaC9udVN2Qkl3RGRlVVZTZzJDaXo4bE5McmY0WTVlMmI1NUtNZVBzR3lIV29abXhpbkdQUzd1cjRLSkhPZmVCYStHeGRDOC80cFdCSjZFK3BCajNkQ2JQRFBLWVZ6N0RRTUhkWGNRWjRCcTR2OD08L01vZHVsdXM+PEV4cG9uZW50PkFRQUI8L0V4cG9uZW50PjxQPitRdkdsTE14anZMaHJFZi9ab011VklBR05xMXh6YUptcGZCa2E0dDNsY0RZR2xoUVI1OXZzWWFORGwzVTQzaVVZZ3JYa0NtbFVnRXB5QXBUS05hL3RRPT08L1A+PFE+N2M4NDNFZXRrM0pqeEFRRDFKUGg0QzFONkNyeCtkWDVjSXk1Z2xkY2Q3ODlYenJFU2dTUDhEWDd5U2puT2VXZmxEdmlyR0h6YVNXdmZWaTNKNXZBWXc9PTwvUT48RFA+T1JEYXN1NFFtQW5OYmpXZEx6YzE0WVRvWjVUOHM3clh2SVJGN21LcHh6WEdEdHRYb2VIRnJTOEFtVjhremU2dVNYemtnaE1ZMzU2R25XRElSMTVWMVE9PTwvRFA+PERRPkh5VC9kbUh3eXBtMWxTdE5jUjY0KzBvVHBPOVM1M3h0Z1o3OGdLUitXTFIwRGkrOUcxQ0RwVnI4a2JqSXA1MTZDOGpZQSttRUhtWXdHSU53NFVBVnJ3PT08L0RRPjxJbnZlcnNlUT5SVXowVDA4eDZSaHg4U2RMQ2dQVXNNenJKb29qQjZDTmR2MkpOcHNaN2Nnc1k1MDhEQjAwd29kQlFrem90SGJ0QVhTa1VsN2d0QXI0TGlFejVORU56Zz09PC9JbnZlcnNlUT48RD5JVmVPRmluMTZyUjIwREIrVjNCVGxzODlKeGRHWkxtbWF0c1prQXZPTkhGSERoc3RqaFAzRlpBRVBnZXUrcGdnZ0hZUDNVQVA2RWdDODBzUzB6TzB1T2h0UGIzNDllOSs2WnhlMjJhaWV0WTFabFlQT201di9YbE5HZlhOZWQvbjhUYUJZRHB3YnZTVUw0T2M1eFJOeWFnU2x4Mi9GN1h3NHBkQmw0cG9LZ1U9PC9EPjwvUlNBS2V5VmFsdWU+';
var encBase64_1 = '4TkhLlVNK27LQXSRIftGCbwOI2qnBGD0eR61g53KAdw5J+BTpczLpdWGn/9v3I6xGPQYvTB1F2cmbcuBboNGa18b+8gigwbat9vTEuLjD/OKl2V+jpqKf3xxwYYuz1s05HyV8KWxbS01M/iwjWPrcNRWh3vWff9pRAu8Z6KQAQc=';
var privateKey2 = 'PFJTQUtleVZhbHVlPjxNb2R1bHVzPjUxbCtyaHRzRmQvQ3NOb0U5VW9kdWorS0Vqd0F2YWZUZmI1N3Zldit3b3ZRbjdoVURrdzlCbVVMOTdSSC9zaC9udVN2Qkl3RGRlVVZTZzJDaXo4bE5McmY0WTVlMmI1NUtNZVBzR3lIV29abXhpbkdQUzd1cjRLSkhPZmVCYStHeGRDOC80cFdCSjZFK3BCajNkQ2JQRFBLWVZ6N0RRTUhkWGNRWjRCcTR2OD08L01vZHVsdXM+PEV4cG9uZW50PkFRQUI8L0V4cG9uZW50PjxQPitRdkdsTE14anZMaHJFZi9ab011VklBR05xMXh6YUptcGZCa2E0dDNsY0RZR2xoUVI1OXZzWWFORGwzVTQzaVVZZ3JYa0NtbFVnRXB5QXBUS05hL3RRPT08L1A+PFE+N2M4NDNFZXRrM0pqeEFRRDFKUGg0QzFONkNyeCtkWDVjSXk1Z2xkY2Q3ODlYenJFU2dTUDhEWDd5U2puT2VXZmxEdmlyR0h6YVNXdmZWaTNKNXZBWXc9PTwvUT48RFA+T1JEYXN1NFFtQW5OYmpXZEx6YzE0WVRvWjVUOHM3clh2SVJGN21LcHh6WEdEdHRYb2VIRnJTOEFtVjhremU2dVNYemtnaE1ZMzU2R25XRElSMTVWMVE9PTwvRFA+PERRPkh5VC9kbUh3eXBtMWxTdE5jUjY0KzBvVHBPOVM1M3h0Z1o3OGdLUitXTFIwRGkrOUcxQ0RwVnI4a2JqSXA1MTZDOGpZQSttRUhtWXdHSU53NFVBVnJ3PT08L0RRPjxJbnZlcnNlUT5SVXowVDA4eDZSaHg4U2RMQ2dQVXNNenJKb29qQjZDTmR2MkpOcHNaN2Nnc1k1MDhEQjAwd29kQlFrem90SGJ0QVhTa1VsN2d0QXI0TGlFejVORU56Zz09PC9JbnZlcnNlUT48RD5JVmVPRmluMTZyUjIwREIrVjNCVGxzODlKeGRHWkxtbWF0c1prQXZPTkhGSERoc3RqaFAzRlpBRVBnZXUrcGdnZ0hZUDNVQVA2RWdDODBzUzB6TzB1T2h0UGIzNDllOSs2WnhlMjJhaWV0WTFabFlQT201di9YbE5HZlhOZWQvbjhUYUJZRHB3YnZTVUw0T2M1eFJOeWFnU2x4Mi9GN1h3NHBkQmw0cG9LZ1U9PC9EPjwvUlNBS2V5VmFsdWU+';
var encBase64_2 = '4TkhLlVNK27LQXSRIftGCbwOI2qnBGD0eR61g53KAdw5J+BTpczLpdWGn/9v3I6xGPQYvTB1F2cmbcuBboNGa18b+8gigwbat9vTEuLjD/OKl2V+jpqKf3xxwYYuz1s05HyV8KWxbS01M/iwjWPrcNRWh3vWff9pRAu8Z6KQAQc=';
var rsa = new RSAXML();
// a private key
rsa.importKey(privateKey1, 'pKey1');
var decrypted1 = rsa.decrypt(encBase64_1, 'pKey1');
console.log('decrypted:', decrypted1);
// another private key
rsa.importKey(privateKey2, 'pKey2');
var decrypted2 = rsa.decrypt(encBase64_2, 'pKey2');
console.log('decrypted:', decrypted2);
Related
This is a bit related to the answer to X509Certificate2 from store with private key.
It seems that when I want to use SHA256withRSA I can't use service provider directly from the certificate's PrivateKey - I need to create new crypto service provider:
var bytes = new byte[] { 0, 1, 2, 3 };
//_cert - X509Certificate2 with private key
//csp1 is of type I need, but it won't work
var csp1 = _cert.PrivateKey as RSACryptoServiceProvider;
var cspParameters = new CspParameters
{
KeyContainerName = csp1.CspKeyContainerInfo.KeyContainerName,
KeyNumber = csp1.CspKeyContainerInfo.KeyNumber == KeyNumber.Exchange ? 1 : 2,
};
var csp2 = new RSACryptoServiceProvider(cspParameters);
//I can't use csp1 here - will throw "CryptographicException : Invalid algorithm specified."
//I can use csp1 with "SHA1" though
var signature = csp2.SignData(bytes, CryptoConfig.MapNameToOID("SHA256"));
I've found some information about this here:
https://blogs.msdn.microsoft.com/shawnfa/2008/08/25/using-rsacryptoserviceprovider-for-rsa-sha256-signatures/
But the above solution is taken from comments section and I don't really understand why I need to jump through hoops to use one of the common algorithms. So what I want to ask is:
Why csp1 does not work with SHA256 exactly?
Is it correct to create the csp2 like I did?
Is there a better/newer way I can do it in .NET?
If needed the cert with private key can be generated as follows:
openssl req -x509 -sha256 -newkey rsa:2048 -keyout ./temp/key.key -out ./temp/crt.crt -days 10 โnodes
openssl pkcs12 -export -out .\temp\cert.pfx -inkey .\temp\key.key โin .\temp\crt.crt
It all depends on where your certificate is coming from. Like the MSDN comment says, if it's coming from Microsoft Base Cryptographic Provider, then it will not work with SHA256. This CSP came out with the first version of CryptoAPI back in 1996, and does not understand SHA256 because SHA256 was not around back then.
The way to check and handle this gracefully would be:
public byte[] SignData(RSACryptoServiceProvider csp, byte[] bytes)
{
byte[] sig = null;
if ((csp.CspKeyContainerInfo.ProviderType == PROV_RSA_FULL || csp.CspKeyContainerInfo.ProviderType == PROV_RSA_SCHANNEL) && !csp.CspKeyContainerInfo.HardwareDevice)
{
var cspParameters = new CspParameters
{
KeyContainerName = csp.CspKeyContainerInfo.KeyContainerName,
KeyNumber = csp.CspKeyContainerInfo.KeyNumber == KeyNumber.Exchange ? 1 : 2,
};
using (var csp2 = new RSACryptoServiceProvider(cspParameters))
{
sig = csp2.SignData(bytes, CryptoConfig.MapNameToOID("SHA256"));
}
}
else {
sig = csp.SignData(bytes, CryptoConfig.MapNameToOID("SHA256"));
}
return sig;
}
FYI the CryptoAPI is being deprecated in favor of Cryptography API: Next Generation. One way to do what you want with CNG in C# would be with System.Security.Cryptography.Cng:
...
using (RSA rsa = new RSACng())
{
byte[] signature = rsa.SignData(message, hashAlgorithm, paddingMode);
...
}
I'm trying to decode the HelloWorks callback signature to add security to an endpoint. As it stays in the documentation I need to generate a private key using the following openssl command:
openssl genrsa -des3 -out helloworks.pem 4096
and then make the public key:
openssl rsa -in helloworks.pem -outform PEM -pubout -out public.pem
I have created both keys and configured it. Now I need to decode base64 the X-Helloworks-Signature sent by them, then decrypt the result using the private key.
I have been trying several ways to do this in C# but with no luck. One approach that I have done using BouncyCastle library is:
var signature = mvcContext.HttpContext.Request.Headers["X-Helloworks-Signature"];
var url = mvcContext.HttpContext.Request.Path.Value;
var bytesToDecrypt = Convert.FromBase64String(signature);
AsymmetricCipherKeyPair keyPair;
var pemPath = Path.Combine(env.ContentRootPath, "./helloworks.pem");
using (var reader = File.OpenText(pemPath))
keyPair = (AsymmetricCipherKeyPair)new PemReader(reader, new PasswordFinder("password")).ReadObject();
var decryptEngine = new Pkcs1Encoding(new RsaEngine());
decryptEngine.Init(false, keyPair.Private);
var decryptedToken = Encoding.UTF8.GetString(decryptEngine.ProcessBlock(bytesToDecrypt, 0, bytesToDecrypt.Length));
But it always throws the same exception message:
Org.BouncyCastle.Crypto.DataLengthException: 'input too large for RSA cipher.'
I have been trying other approaches that I have found here in SO and the web but no luck.
How can I use the private key pem file to decrypt the signature in C#, specifically .Net Core 2?
Update 1
An example of the signature is:
X-Helloworks-Signature: bGNTNUVOZ0w5akx4U1VXUTFrcHQ0ZmZSZU1KQnNpbDhwVDFGVllSMzF5aVdtQkZOcTRMTFNrY2FmV3o5aFZJVk5rbmVRUEdydTZLZ1BHQ1dCdkFYVVRMWUs1bUYxSXplam5mZVEwVFZvMjFZRS1rM0l4SDBkNU45clJDX1RYOVZPcThwUzI5V2pTd1k2d0kxaGQ0VXpiSkU2NERJaVljaWxCWkJwVVJhN0NRcGphbkxlZV8tZFMxQWtUbTdRUHdEVTZtVDNnc2ZPQkNiMFZMeUR2TGVtdmVTZldXZnVUOXg0NTRYSU1rZjE3elRvR0xHT29YeEpKWjk5LUcyc3VjWkk5NWpmRldvaGo0S2Z0dXV1SHMtMmpZajZuNXhpMFI5S0hmT2xNRkRwRlFtbEpUbG9TTURGREVPeDE3RjNoX1NXMk1RSUR2b2hGazBtTkstMk9OVHhHQ05tQXhuS1c5Nm9SN0N4QlJnQ2xyLXlvOXJTWXp2anNlVVhGZ0hqakYzZE8ybGhUdXFPV1A0NU9TaUVoY21zSHVMRnV0Zy10a0J5QTJLYTB2Yk1sNi1wMVlLR09QZVdMVm9QN0k5ellyWFdNRFl0S2dPaXZkSldEa1B0SmdvbVMwbU1DdWMyblBFUHFxUTEtQkdJMHNFdjNNWVFfYVNjeGJsZ2p2VHVZZzRmZy1VXzk3R0pON1ZsM1IwWllZSF9QU2syQll6LTN3Vjc3QjMxbGFjT3lWSU15WDVJdktKWXIwTXZMQ190cjIwZk9hZkx5c011eWpsSXV6Tl96Q2VHbkpfbkJiQnJYNXNyNmktZDB4UW9rc0JKSUtUZUNMR3dVWWEtVEJVUE5FeWplM09RT0NOYW02R242OEdLeDRZdTlzZDVNa1BCQ1B6NTI3aUhoYm9aLTg9
Thanks to James K Polk comment I ended doing the following method:
private static byte[] Base64Decode(StringValues signature)
{
string incoming = signature.ToString().Replace('_', '/').Replace('-', '+');
switch (signature.ToString().Length % 4)
{
case 2:
incoming += "==";
break;
case 3:
incoming += "=";
break;
}
return Convert.FromBase64String(incoming);
}
and modifying my code from:
var bytesToDecrypt = Convert.FromBase64String(signature);
to:
var decoded = Base64Decode(signature);
var text = Encoding.ASCII.GetString(decoded);
var bytesToDecrypt = Base64Decode(text);
I needed to decode two times the signature using the URL-safe version of base64 decoding.
I'm playing around with encrypting. I have got stucked on loading the keys with BouncyCastle. The keys have been generated by PuTTYgen (SSH-2 RSA 4096 bit). Is there maybe some other way to load it?
PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: rsa-key-20160508
Public-Lines: 12
I get:
An unhandled exception of type 'System.IO.IOException' occurred in BouncyCastle.Crypto.dll
Additional information: unexpected end-of-contents marker*"
const string pubkey = #"AAAAB3NzaC1yc2EAAAABJQAAAgEAlX+AsmDF7FoR7D2jWYJTKLD6ZH6FAY9v2vPa
5+ICSQCydphiUbiJwsb3sl4yJIB6uOw4fM+22F0U/P1pxdGqUabqixNOC5X9xBzI
KbMt2xcYof/JCaNskHE2teguxdCeLlQ30QIxTRD76y6TqISS+anTtpMiGFs/LNOX
yDp7H3S5OuvRjoTRLoocEwIFNbpnkq8D+RVSdV1kkqVSMwzwRgBRRCkBfZAYW9VY
qlWNwbLCiGw3qi5mu2qorxqqF0tO2l0gLFNYdbnf9+bKavqiV7wMn3mVbcFtRhe/
29klqxos6V8Of71Q7IShFz9IXq5KdRdJoGyNJrNXKoF87UCPppa4lmOlfY40E/c5
w/LMjf63c/xx8ji7v6hY0sHt7XdWUB3V1XBPScypk7PxNS13/RtdzjeOn/8W9tcV
tqX6b7XFU/AwIrkBDa47JGnuOJnmzmMzHDPKeZwaEQT4BZRzUa6yKq3EZCLymkBB
W9lRQkKY3qg8OJX+FhAQ7c5pCOl3PFmFjuDMbRWTaF/nJj/qPfvND+w7a86fxUUC
HPokcYGLVZUBWTfnx3q/StbjaQBQDPMxogLh/yCZywHFqO0xGaA8SQAM2Vyd7r7l
waPQhFIJhVrXuaz0Ok+TE5jqe5yTB0gZ8pcVDq/GWRXBAUwXu50UeZBurcGHEXk5
HhFdFlk=";
const string prikey = #"...";
var publickey = Convert.FromBase64String(pubkey);
//var privatekey = Convert.FromBase64String(prikey);
Org.BouncyCastle.Crypto.AsymmetricKeyParameter publicAsymmetricKey = Org.BouncyCastle.Security.PublicKeyFactory.CreateKey(publickey);
//Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateAsymmetricKey = Org.BouncyCastle.Security.PrivateKeyFactory.CreateKey(privatekey);
ADDED:
I generated a new key with "ssh-keygen -t rsa -b 4096" and tryed to load it with pemreader:
const string pubkey = #"AAAAB3NzaC1yc2EAAAADAQABAAACAQDGzR88DIxKRUvEJDAa0zcRq0O39M5i9vwkb9r+mPi56eYPEZJfMcZZmrtMoBoCJM3g0CmdHHktanRnjwXI+Gw6zRIbe3Lnz8rq+IyCDQnJQzHMlFJkwt7tuFzLWwNoWL5bWN0+Y6h8pB6KudPxsutQfNVTAyI00JhhhMk1T0FSF82BHP+HKI+lsGrTaBhDHnbZryk5Bf00sAJLVvS5kE7LOthVAWHGKZbV/PJnDcXQN8Hxto9mWy0iELTsUYzwf1VfIvB1Ugyv/rs3Vn5A98p2BaXidwYrgc3NhKliESQyl9KYggF3ody99zlMzWQfdmpfJEBzjxjNIMaD/NFBgTLHSbEzyXDVLcvCocmNaJeEQ4uGcqqw2Oe7d9RDZikllttLCtPQSQ49N/1JI5CRHEn9bz7RNX4aZWPbzw1l5y6fcsTXcPsVHb+bGmhcobSbWZvAnLMrHA0FI+47yNrBlp+qXBXfxO3/sSK3yU1lJEUosmfb3nPvvt0bt0TlwLYC12gMLk1Z0ZAoHxR7qw7la/HoZXhQqqi57RdDWbHiX6zxFPDVMd48fc8m9Wnwv2+AIcBRsErnL4YWT/4Pb57+ehg+HbKy5cCgo6wsHYB9IjoXIfNQAz2dAbXHr2C4zo0BKlabZSqv+ZoTBP5NwSZItMeRv1eCreg7ejJ5HR8NIJaAZQ==";
var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(new StringReader(pubkey));
// KeyParameter is still null
var KeyParameter = (Org.BouncyCastle.Crypto.AsymmetricKeyParameter)pemReader.ReadObject();
ADDED:
I was able to generate a public key and also load a unencrypted private key
(https://rietta.com/blog/2012/01/27/openssl-generating-rsa-key-from-command/)
openssl genrsa -des3 -out private.pem 4096
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM
var publickey = Convert.FromBase64String(pubkey);
var privatekey = Convert.FromBase64String(prikey);
var asnprivate = Org.BouncyCastle.Asn1.Asn1Object.FromStream(new MemoryStream(privatekey));
var privStruct = new Org.BouncyCastle.Asn1.Pkcs.RsaPrivateKeyStructure((Org.BouncyCastle.Asn1.Asn1Sequence)asnprivate);
AsymmetricKeyParameter publicAsymmetricKey = PublicKeyFactory.CreateKey(publickey);
But I was not able to load the encrypted private key...
The PuTTY .ppk key format is proprietary to PuTTY.
I'm pretty sure there's no support for .ppk files in Bouncy castle.
You need to convert your keys to OpenSSH format. For that see How to convert SSH keypairs generated using PuttyGen(Windows) into key-pairs used by ssh-agent and KeyChain(Linux).
With the openssl PEM I was able to make it to work. I continue to find out how to load load the protected private key.
Thanks for all the input.
using System;
using System.IO;
using System.Text;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1;
namespace EncryptTest1
{
class Program
{
static void Main(string[] args)
{
const string pubkey = #"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuQhcZKNnIC2bvJhI5Yzq
oH9uGAHuiAt9bOXdIrsaeEwsIUMuyNfXkLozwlcJb0YLgqhpP3gNLb58WCb1AvkV
ZHgzLQbay93HwmBiEPW6LZIKGsHwh1awBmJpeWhU8h3oNP+KpNq44H+jAeM9G9En
W0y7+AUbe3pnisOWVZHmM72A2mLq1piCOjmvjegzgB8/rU7ZkRrNadeFO7DBP0Ew
6eElS3iXfFHJmbK+L5lL0pFxvUMRfGVC33NQkuSoWiQJZsYyUgIk6WSOQm3t5fw6
VESMTfd1xKlaBGp7IrWksthEF+XAu5ziAcSdjBwJLEFzJ2830cQ4GhFS3JtU/Iao
6MbJkUuaHoI3Xx9C7d6RiKbK1uZrOHjyVsUhqpYwyAUdrViraj0pybxbE2GwbRC4
/NyHuPKG3gBULiGYbl8wwlhl71nRVdkPQtGw36kmGWHRk3ERM6JgLWsDZjED4ak2
Na6VzIvnqVs0HROl/4Rd4rHZvl9t39tfVBtofEkD4C0B5BdgW/B2XQM7Fd4celn3
q/+FKmvaVydoFGG0s4YZL6hsqOISfhdT10jGrwNKe+zupnrXZO66mtX8rvPtY4x2
WXcHrbp1cgSr+2r8Mteh8Eff+6rqArU1i1ezDm3SrKs1WMFKu1hRKDYudfOaB/L7
gvEvD+lUE9qnjlYUBGSXKMUCAwEAAQ==";
const string prikey = #"MIIJKQIBAAKCAgEAuQhcZKNnIC2bvJhI5YzqoH9uGAHuiAt9bOXdIrsaeEwsIUMu
yNfXkLozwlcJb0YLgqhpP3gNLb58WCb1AvkVZHgzLQbay93HwmBiEPW6LZIKGsHw
h1awBmJpeWhU8h3oNP+KpNq44H+jAeM9G9EnW0y7+AUbe3pnisOWVZHmM72A2mLq
1piCOjmvjegzgB8/rU7ZkRrNadeFO7DBP0Ew6eElS3iXfFHJmbK+L5lL0pFxvUMR
fGVC33NQkuSoWiQJZsYyUgIk6WSOQm3t5fw6VESMTfd1xKlaBGp7IrWksthEF+XA
u5ziAcSdjBwJLEFzJ2830cQ4GhFS3JtU/Iao6MbJkUuaHoI3Xx9C7d6RiKbK1uZr
OHjyVsUhqpYwyAUdrViraj0pybxbE2GwbRC4/NyHuPKG3gBULiGYbl8wwlhl71nR
VdkPQtGw36kmGWHRk3ERM6JgLWsDZjED4ak2Na6VzIvnqVs0HROl/4Rd4rHZvl9t
39tfVBtofEkD4C0B5BdgW/B2XQM7Fd4celn3q/+FKmvaVydoFGG0s4YZL6hsqOIS
fhdT10jGrwNKe+zupnrXZO66mtX8rvPtY4x2WXcHrbp1cgSr+2r8Mteh8Eff+6rq
ArU1i1ezDm3SrKs1WMFKu1hRKDYudfOaB/L7gvEvD+lUE9qnjlYUBGSXKMUCAwEA
AQKCAgBdi6GSa54egZBjx6XLD/Qq0mHpl0ht1UlC/e9PuMJIIVKKOnnzplPgYpL6
ZKBrdkEpfFVBdkNLZitdMczbBOzQz4gn8ng5a1WrqqjJpEHM+jFLl9MvyR7TC3wB
mkKf6YjVCoCgmcewEDdsI+NoJdS87s11NbfQNHEWkY12k32LmPoE7s+FULM+Fp3v
o34t/x5lUyDhoGhLY1+Dbvg0L5Q4GdCOGFiVzI+cueY3EExqF4gmRDsZ5ePqLlWE
/j8y21c5c2hLV7Qrnt/hK8yDYoJmygUZAcuzcl8FLoQ0ZxruJDJA1rIa59THSgzQ
offtPOWoAS16SraGT03SJGHSDY5kzCZkEx7MJv8dn5hydLzJ5bzbiJ1rheNdZNzp
yjT/X61jtjQnX2gmev/bN4Q54qqc2YbVfh7BwvyBAL2c7oHxFP3xmJgCZt6OS6S1
HUR8/QDrcLJVwNNsTL7uvToSiRBrTWjFUuc0k6m2h8takD9sONHH7+hZu9TEL2a9
/bjowuPIrmrrYbgYN9DospmJZrDfEby79+t8aDsycAzK3uHIn1GfdhDVNFayJjPR
VP593GRhY/B6CwM7lCFxzTqOU4e9ITLpkLV//CpK77g9xGVUGQk1X0NieBbzUtHY
DzSnsC2k9dOwootlrMvJYTUv3+BdzG3jEleCP6qoYxd43iKtAQKCAQEA61HUaI9v
dlxIK/oG5RWYSFZHCc0oOeTMw1MJ+rOQ5c3RUbIrn/fj+i2zGknt5b+5LH6i5jXw
YEY4o1bJJCjT51AhdV6HxlljAfUeX98T2uaVVZxQJio/uqJg9N63s9bIhdq94NJg
MWIRKsip76gV76qXhFRyRXfEjQvy9PZHC/A2Qs+azrcD97jnzf/XzOpnot+W8Ul1
b2fOHk0RqdQs2ZJ/ajZrVnK40WX3AZlSVYZuwPKaW90BtifxjZUESGAIsAzh7Eve
tX3lgpsDP7JaBZZYdP6AzDEkjPKDFH4P/KmEHl9eWHfcuVu+T+Er3xFe94PUbW9P
f52XbXox4OrYQQKCAQEAyUsvez7ri7/bXcUcrfjHHQuSs5Mw+R0yyg77yT8o6nkB
6cDWT4BmIc/+IoTIAXySOczftVxjL1bXrsYQSYLkoTKOuYAQRi0zN3/alTFW2A3P
7ec8hANTuxAXCwuNd1jjEtVaOEuNdVYg4gsEmHEvejJsBIDJkT/VzbYJVB+Y1k3J
Sd0R6h0KAROsJ4lefK9kh7MzN8B/SUDeuiaPkxBzrMzGFeDifieWiyxWTqoGPHUV
eO5NfJSYHfn7VmEvB3cNmqcc56i9Thie6a0iDUbKmkwPfDmEABu3ex9HctpnYOCk
gzR/huwPiWP1IGYznilwIOvt/mdyiAPmGQn6xakPhQKCAQEAlDfLgTxvKW8Aqmpm
c16Bt3ZYckz9fFGnw5OHIph9uLFFmZ6OqciamNa2C+Xq6R40hVkSQ8xPpmQ0gnVE
ZfktV3H6URIElSNyICaDRkGdIPDBuNWnChLsZyKlzTaHIMg1L1JS7Mu1eQVa6MbR
erk1b+rUWq5R931zmJ+hHTgOEe/wTW60BGX0ItEdeHwgMdqnAkiwqzPouw34Hs/O
Q1j4EuaaSI0UWLQTwxjlVuV6nZH6Kp/kJ95xmIlaNSJaOzf54OGMX6h+E3TD3drD
VhiBaSmEd9RhzbtaWUja1Up9yVgAdpz9MN32ce3eVjPuzScE2QP5BiDpQulBGtyv
lAp3wQKCAQAyf2sc9w7uUyY8Iuvr9QI2liWqaR2bESkhqZqexPqFv++r7ZWWAjcc
+mndzQPD47VnTK8+dzvmr1mSXdvOJUkn62AEx0zN3h8AKFH0pZkMwIJOQ3laAN+r
iQDO44oMy77DhcSJZOLK8d1z96GigJqRhD627nwitSn03lr+wKJ9+KurnQsWeUx+
Mqo4jOyoSPPmWx1ZOjB0dxKpDm1sTm9GhWSYLn+DeHj61xebymmgFxtY6CeGPlzf
AEx+QgkjTUmbZ5sHvrwm8GRFaQqm3ACNrtEfr+oegNWJzLIG7SWMFy8OP0hS17ua
Evp2s0z1u52GlMlyzg7ccmXyGB/SIHRlAoIBAQCqF/P8D+T8uEiiQron39NAGgSM
FFyi1uj3IeDrDPgdsLT5TtpFOnHpUMjhxVEhdIQm2K4MH44/aBW40CgS+OGHclay
SzwdtfHyPuK1H8TwaJqgA5NYu/xTyiR8QqRE+qwwh5wMH4f4ErhKglnQJVNxHeo7
ZlRul6vFgS3uaaEyaPXrG5pFRPeLlqllJxQ5Z1mQtqaK9U0dSCykxW6zaz3d8YXE
BIe/0Vc1/0d80lkJk/3SnLGIAiC2C9dpmA6RmgkGa0cyD5QPmXmYXHFT+tA7S/lV
W+5C6ZO0aaOmO+F+W82ZJ92FRd8CITasoPO9zxalJBEGD/s5ehnRhhizLqjY";
var publickey = Convert.FromBase64String(pubkey);
var privatekey = Convert.FromBase64String(prikey);
var asnprivate = Asn1Object.FromStream(new MemoryStream(privatekey));
var privStruct = new RsaPrivateKeyStructure((Asn1Sequence)asnprivate);
RsaKeyParameters privateAsymmetricKey = new RsaKeyParameters(true, privStruct.Modulus, privStruct.PrivateExponent);
RsaKeyParameters publicAsymmetricKey = (RsaKeyParameters)PublicKeyFactory.CreateKey(publickey);
var inputBytes = Encoding.UTF8.GetBytes("the message");
Console.WriteLine("--- Message: ----");
Console.WriteLine(Encoding.UTF8.GetString(inputBytes));
IAsymmetricBlockCipher cipher = new RsaEngine();
cipher.Init(true, publicAsymmetricKey);
var cipheredBytes = cipher.ProcessBlock(inputBytes, 0, inputBytes.Length);
Console.WriteLine("--- Enc utf8: ----");
Console.WriteLine(Encoding.UTF8.GetString(cipheredBytes));
Console.WriteLine("--- Enc Base64: ----");
Console.WriteLine(Convert.ToBase64String(cipheredBytes));
cipher.Init(false, privateAsymmetricKey);
var deciphered = cipher.ProcessBlock(cipheredBytes, 0, cipheredBytes.Length);
Console.WriteLine("--- Dec: ----");
Console.WriteLine(Encoding.UTF8.GetString(deciphered));
Console.ReadLine();
}
}
}
I'm starting to cryptography.
I need to generate a PKCS # 7 file with XML, an RSA private key (which is not included in the certificate is a file extension .key) and a certificate .cer extension.
For this i'm using a BouncyCastle.
Edit:
Thanks #khlr for your help but I can not solve my problem. When sending the data to the AC returns me "Invalid CMS".
I have this code:
public static byte[] FirmaBytesMensaje(byte[] argBytesMsg, X509Certificate2 argCertFirmante)
{
try
{
//Add message in object ContentInfo
ContentInfo infoContenido = new ContentInfo(argBytesMsg);
SignedCms cmsFirmado = new SignedCms(infoContenido);
CmsSigner cmsFirmante = new CmsSigner(argCertFirmante);
cmsFirmante.IncludeOption = X509IncludeOption.EndCertOnly;
// Sign message PKCS #7
cmsFirmado.ComputeSignature(cmsFirmante);
// Encodeo el mensaje PKCS #7.
return cmsFirmado.Encode();
}
catch (Exception excepcionAlFirmar)
{
throw new Exception("***Error: " + excepcionAlFirmar.Message);
}
}
Signing on PKCS # 7 but this makes with a "PFX" certificate, that is, that contains the private key in a ".pfx" file.
When I use the OpenSSL command:
openssl smime -sign -signer cert.crt -inkey private.key -out file.xml.cms -in file.xml -outform PEM -nodetach
The AC responds well.
How I can do this with BouncyCastle and cer and key files? I am going crazy! :-(
Unfortunately there seems to be no bouncycastle API documentation for C#. Never the less there's a Java reference which is said to be quite similar to the C# API.
Hence the getEncoded()-method (look for a C# equivalent, e.g. GetEncoded()) yields a ASN.1 encoded byte[].
You could then go ahead and get a string from that (note that I'm not familiar with ASN.1 encoding. This is just a guess ๐):
byte[] buffer = datosFirmados.GetEncoded();
string signedDataString = System.Text.Encoding.UTF8.GetString(buffer, 0, buffer.Length);
Edit:
Maybe the AsnEncodedData-class would be more appropriate for that task:
byte[] buffer = datosFirmados.GetEncoded();
var asndata = new AsnEncodedData(buffer);
const bool multiline = true;
string signedDataString = asndata.Format(multiline);
It's been a quite time, but still no answer.
You will need to merge cert and key file together as below.
using (System.Security.Cryptography.X509Certificates.X509Certificate2 _pub = this.PublicKey.X509Certificate2)
{
using (X509Certificate2 _pri = _pub.CopyWithPrivateKey(_rsa))
{
var _infoContenido = new System.Security.Cryptography.Pkcs.ContentInfo(Message);
SignedCms _signedCms = new SignedCms(_infoContenido);
CmsSigner _cmsSigner = new CmsSigner(_pri);
if (IncludeSignDate)
{
_cmsSigner.SignedAttributes.Add(new Pkcs9SigningTime(DateTime.Now)); // [2020-05-02] ์๋ช
ํ ๋ ์ง ์์ฑ ์ถ๊ฐ
}
_cmsSigner.IncludeOption = X509IncludeOption.EndCertOnly;
// Sign message PKCS #7
_signedCms.ComputeSignature(_cmsSigner);
var _signedMessage = _signedCms.Encode();
}
}
Normally when I grab an X509Certificate2 out of my keystore I can call .PrivateKey to retrieve the cert's private key as an AsymmetricAlgorithm. However I have decided to use Bouncy Castle and its instance of X509Certificate only has a getPublicKey(); I cannot see a way to get the private key out of the cert. Any ideas?
I get the an X509Certificate2 from my Windows-MY keystore then use:
//mycert is an X509Certificate2 retrieved from Windows-MY Keystore
X509CertificateParser certParser = new X509CertificateParser();
X509Certificate privateCertBouncy = certParser.ReadCertificate(mycert.GetRawCertData());
AsymmetricKeyParameter pubKey = privateCertBouncy.GetPublicKey();
//how do i now get the private key to make a keypair?
Is there anyway to convert a AsymmetricAlgorithm(C# private key) to a AsymmetricKeyParameter(bouncycastle private key)?
Akp = Org.BouncyCastle.Security.DotNetUtilities.GetKeyPair(this.Certificate.PrivateKey).Private;
Don't know BouncyCastle that much but it seems to me that the simple thing to do is to recreate the key based on the key parameters.
public static AsymmetricKeyParameter TransformRSAPrivateKey(
AsymmetricAlgorithm privateKey)
{
RSACryptoServiceProvider prov = privateKey as RSACryptoServiceProvider;
RSAParameters parameters = prov.ExportParameters(true);
return new RsaPrivateCrtKeyParameters(
new BigInteger(1,parameters.Modulus),
new BigInteger(1,parameters.Exponent),
new BigInteger(1,parameters.D),
new BigInteger(1,parameters.P),
new BigInteger(1,parameters.Q),
new BigInteger(1,parameters.DP),
new BigInteger(1,parameters.DQ),
new BigInteger(1,parameters.InverseQ));
}
You can call the code by using
AsymmetricKeyParameter bouncyCastlePrivateKey =
TransformRSAPrivateKey(mycert.PrivateKey);
Obviously this assumes that the certificate includes a RSA Key but the same result can be achieved for DSA with DSACryptoServiceProvider and DSAParameters.
Find .NET X509Certificate2:
X509Certificate2 cert = this.FindCertificate(certificateFriendlyName);
Parse it to BouncyCastle certificate and use X509Certificate2Signature to get signature:
var parser = new X509CertificateParser();
var bouncyCertificate = parser.ReadCertificate(cert.RawData);
var algorithm = DigestAlgorithms.GetDigest(bouncyCertificate.SigAlgOid);
var signature = new X509Certificate2Signature(cert, algorithm);