Recently I had the joy of busting open the cryptographic documentation to figure out how to sign a file, and verify that signature.
There is a lot of documentation for .NET Framework, but it's pretty damn sparse for working in UWP, and I assume .NET Core.
This is serving as my external brain on how to sign and verify for UWP.
We're just signing a file to be able to prove it came from ourselves, for some on-prem and cloud-based communication verification.
The Signing Code
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// Load the PFX (certificate plus private key) and unlock it with its password; sign with SHA-256 and PKCS#1 v1.5 padding, which the verifier must match.
byte[] certificateBytes = File.ReadAllBytes(pathToCertificate);
X509Certificate2 x509Certificate = new X509Certificate2(certificateBytes, certificatePassword);
RSA rsaPrivateKey = x509Certificate.GetRSAPrivateKey();
byte[] signatureData = rsaPrivateKey.SignData(byteArrayToSign, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
Pretty straightforward. It's just finding the order of doing things when it's not documented that becomes a PIA.
The Verify Code
using System.Runtime.InteropServices.WindowsRuntime;   // AsBuffer() / ToArray() conversions between byte[] and IBuffer
using System.Security.Cryptography.X509Certificates;
using Windows.Security.Cryptography.Core;
using Windows.Storage;
using Windows.Storage.Streams;
IBuffer certBytes = await FileIO.ReadBufferAsync(await StorageFile.GetFileFromApplicationUriAsync(_certificateLocationUri));
X509Certificate2 publicKeyCert = new X509Certificate2(certBytes.ToArray());   // public certificate only, so no password
AsymmetricKeyAlgorithmProvider asymmetricKeyAlgorithmProvider = AsymmetricKeyAlgorithmProvider.OpenAlgorithm(AsymmetricAlgorithmNames.RsaSignPkcs1Sha256);
CryptographicKey cryptoKey = asymmetricKeyAlgorithmProvider.ImportPublicKey(publicKeyCert.PublicKey.EncodedKeyValue.RawData.AsBuffer(), CryptographicPublicKeyBlobType.Pkcs1RsaPublicKey);
bool verified = CryptographicEngine.VerifySignature(cryptoKey, byteArrayOfSigned.AsBuffer(), signatureData.AsBuffer());   // VerifySignature takes IBuffer, not byte[]
The byteArrayOfSigned is the same data as byteArrayToSign, and the signatureData is the same data in signing and verifying.
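The full round trip from the two snippets above, as an added example that is not part of the original post: it builds a throwaway self-signed certificate in place of the PFX on disk, signs with the same .NET RSA call the post uses, and verifies on the .NET side (RSA.VerifyData rather than the WinRT CryptographicEngine) with the same SHA256/PKCS#1 pair. It goes slightly beyond the post by pinning the certificate thumbprint on the verifying side and showing that a one-bit change in the data fails verification; the class name, the MakeTestPfx helper, the password and the JSON payload are constructed for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class SignVerifyDemo
{
    // Hash and padding must be the same pair on both sides; this is the pair the WinRT name RsaSignPkcs1Sha256 stands for.
    static readonly HashAlgorithmName Hash = HashAlgorithmName.SHA256;
    static readonly RSASignaturePadding Padding = RSASignaturePadding.Pkcs1;
    // Stand-in for the PFX file on disk: a throwaway self-signed certificate (test data only, not a real issuer).
    static byte[] MakeTestPfx(string password)
    {
        using (RSA key = RSA.Create(2048))
        using (var cert = new CertificateRequest("CN=signing-demo", key, Hash, Padding)
                              .CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1)))
            return cert.Export(X509ContentType.Pfx, password);
    }
    static byte[] Sign(byte[] pfx, string password, byte[] data)
    {
        using (var cert = new X509Certificate2(pfx, password))
        using (RSA rsaPrivateKey = cert.GetRSAPrivateKey())
            return rsaPrivateKey.SignData(data, Hash, Padding);
    }
    // The verifier holds only the public certificate and pins its thumbprint, so a
    // well-formed signature made with some other key is rejected as well.
    static bool Verify(byte[] publicCert, string expectedThumbprint, byte[] data, byte[] signature)
    {
        using (var cert = new X509Certificate2(publicCert))
        using (RSA rsaPublicKey = cert.GetRSAPublicKey())
        {
            if (!string.Equals(cert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
                return false;
            return rsaPublicKey.VerifyData(data, signature, Hash, Padding);
        }
    }
    static void Main()
    {
        const string password = "test-only";
        byte[] pfx = MakeTestPfx(password);
        var signerCert = new X509Certificate2(pfx, password);
        byte[] publicCert = signerCert.Export(X509ContentType.Cert);  // DER certificate, no private key
        byte[] payload = Encoding.UTF8.GetBytes("{\"job\":42,\"status\":\"done\"}");  // constructed sample message
        byte[] signature = Sign(pfx, password, payload);
        Console.WriteLine("genuine:  " + Verify(publicCert, signerCert.Thumbprint, payload, signature));
        payload[payload.Length - 2] ^= 0x01;  // flip one bit of the signed data
        Console.WriteLine("tampered: " + Verify(publicCert, signerCert.Thumbprint, payload, signature));
    }
}
```

On the UWP side the same thumbprint check can be done on publicKeyCert before calling ImportPublicKey, so the app verifies against the certificate it shipped with rather than any RSA key that happens to produce a valid signature.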
Again, this is all really simple, unless you don't know how to do it. Then it's a giant pain.
I managed to figure it out by a few "shot in the dark" attempts.
That's all for this quick shot.