Reputation: 9354
Check .NET Framework generated signature using .NET Core
I have some legacy .NET Framework code for signing and checking signatures which I need to port to .NET Core.
This is the existing .NET Framework code:
public static bool CheckSignature_NetFramework(string payload, string signature, string publicKey)
{
try
{
using (var rsa = RSA.Create())
using (var shaHash = SHA256.Create())
{
rsa.FromXmlString(publicKey);
var hash = shaHash.ComputeHash(Encoding.UTF8.GetBytes(payload));
var rsaDeformatter = new RSAPKCS1SignatureDeformatter(rsa);
rsaDeformatter.SetHashAlgorithm("SHA256");
return rsaDeformatter.VerifySignature(hash, Convert.FromBase64String(signature));
}
}
catch
{
return false;
}
}
public static string CreateSignature_NetFramework(string payload, string privateKey)
{
using (var rsa = RSA.Create())
using (var shaHash = SHA256.Create())
{
rsa.FromXmlString(privateKey);
var hash = shaHash.ComputeHash(Encoding.UTF8.GetBytes(payload));
var rsaFormatter = new RSAPKCS1SignatureFormatter(rsa);
rsaFormatter.SetHashAlgorithm("SHA256");
return Convert.ToBase64String(rsaFormatter.CreateSignature(hash));
}
}
And this is what I came up with for the equivalent .NET Core implementation:
public static bool CheckSignature_NetCore(string payload, string signature, string publicKey)
{
try
{
using (var rsa = RSA.Create())
using (var shaHash = SHA256.Create())
{
rsa.FromXmlString(publicKey);
var hash = shaHash.ComputeHash(Encoding.UTF8.GetBytes(payload));
return rsa.VerifyData(hash, Convert.FromBase64String(signature), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
}
}
catch
{
return false;
}
}
public static string CreateSignature_NetCore(string payload, string privateKey)
{
using (var rsa = RSA.Create())
using (var shaHash = SHA256.Create())
{
rsa.FromXmlString(privateKey);
var hash = shaHash.ComputeHash(Encoding.UTF8.GetBytes(payload));
return Convert.ToBase64String(rsa.SignData(hash, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
}
}
public static void FromXmlString(this RSA rsa, string xmlString)
{
RSAParameters parameters = new RSAParameters();
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(xmlString);
if (xmlDoc.DocumentElement.Name.Equals("RSAKeyValue"))
{
foreach (XmlNode node in xmlDoc.DocumentElement.ChildNodes)
{
switch (node.Name)
{
case "Modulus": parameters.Modulus = Convert.FromBase64String(node.InnerText); break;
case "Exponent": parameters.Exponent = Convert.FromBase64String(node.InnerText); break;
case "P": parameters.P = Convert.FromBase64String(node.InnerText); break;
case "Q": parameters.Q = Convert.FromBase64String(node.InnerText); break;
case "DP": parameters.DP = Convert.FromBase64String(node.InnerText); break;
case "DQ": parameters.DQ = Convert.FromBase64String(node.InnerText); break;
case "InverseQ": parameters.InverseQ = Convert.FromBase64String(node.InnerText); break;
case "D": parameters.D = Convert.FromBase64String(node.InnerText); break;
}
}
}
else
{
throw new Exception("Invalid XML RSA key.");
}
rsa.ImportParameters(parameters);
}
I can successfully verify a signature which was created using the same environment. But verifying a signature created with CreateSignature_NetFramework using CheckSignature_NetCore fails.
So it looks like my .NET Core implementation is not the exact equivalent to the .NET Framework implementation.
How can I verify a signature created using CreateSignature_NetFramework in .NET Core?
Upvotes: 1
Views: 2332
Answers (2)
Reputation: 880
I ran into the same issue today. I had to port over some legacy code to .NET CORE 2.
Here is what I did.
//<TargetFramework>net46</TargetFramework>
private bool hasValidSignature(string accessToken)
{
JwtParts jwt = new JwtParts(accessToken);
var bytesToSign = Encoding.UTF8.GetBytes(string.Concat(jwt.Header, ".", jwt.Payload));
byte[] signature = (new JwtBase64UrlEncoder()).Decode(jwt.Signature);
X509Certificate2 cert = publicCertService.GetPublicCertificate();
RSACryptoServiceProvider pub = (RSACryptoServiceProvider)cert.PublicKey.Key;
bool res = pub.VerifyData(bytesToSign, "2.16.840.1.101.3.4.2.1", signature);
return res;
}
Thanks to bartonjs in this post for pointing me to the correct solution. ( https://github.com/dotnet/corefx/issues/26682)
I used JWT (https://github.com/jwt-dotnet/jwt) to split appart the accessToken and get the Header and Payload.
private bool HasValidSignature(string accessToken)
{
JwtParts jwt = new JwtParts(accessToken);
var bytesToSign = Encoding.UTF8.GetBytes(string.Concat(jwt.Header, ".", jwt.Payload));
byte[] signature = (new JwtBase64UrlEncoder()).Decode(jwt.Signature);
X509Certificate2 cert = new X509Certificate2(publicCertService.GetPublicCertificate());
RSA rsa = cert.GetRSAPublicKey();
bool res = rsa.VerifyData(bytesToSign, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
return res;
}
Upvotes: 0
Reputation: 33088
You used VerifyData, but you have precomputed the hash value, so you should use VerifyHash, or let VerifyData do the hashing for you.
That is, you want either:
rsa.FromXmlString(privateKey);
var sig = rsa.SignData(
Encoding.UTF8.GetBytes(payload),
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1));
Or
rsa.FromXmlString(privateKey);
var hash = shaHash.ComputeHash(Encoding.UTF8.GetBytes(payload));
var sig = rsa.SignHash(hash, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
Upvotes: 2
Related Questions
- Checking digital signature on EXE
- Rsa Signature Header Verification
- RSA Signature verification works on .Net core but not on .Net 4.8
- How to verify digital signature in C#
- How do I read the digital signature information from a signed .Net assembly?
- Verifying An RSA Signature In .NET
- RSA Signing with .Net and verifying with OpenSSL command
- verifying digital signature in c#
- C# Validate Signature
- Problems checking .net signature in java