Post

Simple Public/Private Key Signing Sample Code

This post is about a simple sample for public/private key signing.

I want to sign a file and generate a signature for it. Then next time I can verify the signature to see if this file has been modified. How can I achieve this goal in C# using public/private keys? I searched but found no good guide on it. Therefore, I think I may write a simple sample for beginners to start with.

Prepare the Keys

It is not safe to keep the keys in simple text file, so here we use a CER file to store the public key, and a PFX file to store both (private+public). There are other common file formats for key storage, but loading them into C#/.NET will be problematic.

As this is a demo, I use makecert to create the keys, (at Visual Studio command prompt)

1
makecert.exe -sv MyKey.pvk -n "CN=LeXtudio" MyKey.cer

This command will ask you for a password to protect the private key. After executing, you will have a private key file MyKey.pvk and a public key file MyKey.cer available. Now execute this to create the PFX file,

1
pvk2pfx.exe -pvk MyKey.pvk -spc MyKey.cer -pfx MyPFX.pfx -po test

This command will ask you for the password you set above to decrypt the private key. Then it will use the new password you provided after -po (here I use “test”) to protect the PFX file.

At this moment, we have the CER file which contains the public key, and the PFX file which contains both keys.

Note that Windows SDK 8 shipped with Visual Studio 11 Developer Preview may not be able to generate the keys correctly.

Sign and Verify the Data

Now we can sign and verify the data using the following code,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
private static byte[] Sign(byte[] data, X509Certificate2 privateKey)
{
  if (data == null)
  {
    throw new ArgumentNullException("data");
  }
  if (privateKey == null)
  {
    throw new ArgumentNullException("privateKey");
  }
  if (!privateKey.HasPrivateKey)
  {
    throw new ArgumentException("invalid certificate", "privateKey");
  }
  var provider = (RSACryptoServiceProvider)privateKey.PrivateKey;
  return provider.SignData(data, new SHA1CryptoServiceProvider());
}

private static bool Verify(byte[] data, X509Certificate2 publicKey, byte[] signature)
{
  if (data == null)
  {
    throw new ArgumentNullException("data");
  }
  if (publicKey == null)
  {
    throw new ArgumentNullException("publicKey");
  }
  if (signature == null)
  {
    throw new ArgumentNullException("signature");
  }
  var provider = (RSACryptoServiceProvider)publicKey.PublicKey.Key;
  return provider.VerifyData(data, new SHA1CryptoServiceProvider(), signature);
}

Load the Keys

1
2
3
4
5
6
7
8
private static X509Certificate2 LoadPrivateKey()
{
  return new X509Certificate2(@"d:\temp\test\MyPFX.pfx", "test");
}
private static X509Certificate2 LoadPublicKey()
{
  return new X509Certificate2(@"d:\temp\test\MyKey.cer");
}

Final Test

1
2
3
var test = new byte[] {0x84, 0x73};
var sig = Sign(test, LoadPrivateKey());
Console.WriteLine(Verify(test, LoadPublicKey(), sig));

Notes

You may explore the following fields,

  • How should the PFX file be deployed? Typically it should be installed to certificate store. Then how to query the keys from certificate store in C#/.NET?
  • How is the signature generated in the sample? Can you use other algorithm to generate the hash instead of SHA-1?
  • Can you use other methods of RSACryptoServiceProvider instead of SignData and VerifyData?

References

  • http://blogs.msdn.com/b/maximelamure/archive/2007/01/24/create-your-own-pfx-file-for-clickonce.aspx
  • http://www.fryan0911.com/2009/04/c-how-to-sign-and-verify-digital.html
© Lex Li. All rights reserved. The code included is licensed under CC BY 4.0 unless otherwise noted.
Advertisement

© - Lex Li. All rights reserved.

Using the Chirpy theme for Jekyll.

Last updated on October 30, 2024