I have two applications. One that signs a file and the other that verifies.

The signing application does the following:

// Signing side: the .pfx holds both the certificate and the private key.
X509Certificate2 certificate = new X509Certificate2(PROJECT_DIR_PATH + "cert.pfx", "password");

byte[] signature;
using (RSA rsa = certificate.GetRSAPrivateKey())
{
    // exeContent is the byte[] content of the file being signed
    signature = rsa.SignData(exeContent, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);
}

cert.pfx is a self-signed certificate, generated with OpenSSL.

The verifying application:

// Verifying side: currently loads the same .pfx, private key included.
X509Certificate2 certificate = new X509Certificate2(PROJECT_DIR_PATH + "cert.pfx", "password");

using (RSA rsa = certificate.GetRSAPublicKey())
{
    // exeContentWithoutSignature is the signed content with the appended signature stripped off
    return rsa.VerifyData(exeContentWithoutSignature, signature, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);
}

As I understand it, the .pfx file contains both public and private key information, so I should not make it available to anyone. As far as I know, only the public key is needed for the verification step. How can I use rsa.VerifyData or other functions to verify the signature without exposing my .pfx file?

  • You need them in two separate files and only expose the public key file. Commented Mar 20, 2019 at 16:34
  • blog.lextudio.com/… Commented Mar 20, 2019 at 16:51
  • @LexLi Thank you for the link :) Commented Mar 21, 2019 at 10:16

1 Answer

I already had a .pfx file, which can be generated this way:

openssl req -x509 -days 365 -newkey rsa:2048 -keyout test-key.pem -out test-cert.pem
openssl pkcs12 -export -in test-cert.pem -inkey test-key.pem -out test-cert.pfx

In order to extract a certificate containing only the public key, the following command can be used:

openssl pkcs12 -in test-cert.pfx -clcerts -nokeys -out cert.pem

-clcerts - Only output client certificates.
-nokeys - Don't output private keys.

cert.pem can be used to create an instance of X509Certificate2:

// Load the certificate-only PEM; no password is needed because it contains no private key.
X509Certificate2 certificate = new X509Certificate2(PROJECT_DIR_PATH + "cert.pem");

using (RSA rsa = certificate.GetRSAPublicKey())
{
    return rsa.VerifyData(exeContentWithoutSignature, signature, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);
}
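The same separation can be done entirely in .NET, without the extra openssl step: the signing side exports the certificate alone (X509ContentType.Cert never contains the private key) and the verifying side loads only that file. The following is an added example, not code from the question or the answer. It assumes a "test-cert.pfx" with password "password" in the working directory (as produced by the openssl commands above) and a "payload.exe" to sign; these names, the output file names and the choice of SHA-256 instead of the SHA-1 used above are the example's own.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the question or the answer.
// Assumed inputs (placeholders): "test-cert.pfx" with password "password" in the
// working directory and "payload.exe", the file to be signed. Output file names
// are placeholders as well.

static class Signer
{
    // Runs only where the private key lives. Produces the detached signature and
    // the certificate-only file that is safe to ship with the verifier.
    public static void SignAndExportPublicCert(string pfxPath, string pfxPassword,
                                               string filePath, string publicCertOut)
    {
        byte[] content = File.ReadAllBytes(filePath);

        using (var certWithKey = new X509Certificate2(pfxPath, pfxPassword))
        {
            using (RSA rsa = certWithKey.GetRSAPrivateKey())
            {
                // SHA-256 rather than the SHA-1 used in the question; both sides must agree.
                byte[] signature = rsa.SignData(content, HashAlgorithmName.SHA256,
                                                RSASignaturePadding.Pkcs1);
                File.WriteAllBytes(filePath + ".sig", signature);
            }

            // X509ContentType.Cert exports the certificate only; the private key is
            // never part of this output, so the .cer can be distributed freely.
            File.WriteAllBytes(publicCertOut, certWithKey.Export(X509ContentType.Cert));
        }
    }
}

static class Verifier
{
    public static bool Verify(string publicCertPath, byte[] content, byte[] signature)
    {
        using (var cert = new X509Certificate2(publicCertPath))
        {
            // The verifier must never be handed the .pfx; fail loudly if it was.
            if (cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Verifier was given a certificate with a private key; ship the .cer, not the .pfx.");

            using (RSA rsa = cert.GetRSAPublicKey())
            {
                return rsa.VerifyData(content, signature, HashAlgorithmName.SHA256,
                                      RSASignaturePadding.Pkcs1);
            }
        }
    }
}

class Program
{
    static void Main()
    {
        const string pfx = "test-cert.pfx";
        const string publicCert = "cert-public.cer";
        const string payload = "payload.exe";

        Signer.SignAndExportPublicCert(pfx, "password", payload, publicCert);

        byte[] content = File.ReadAllBytes(payload);
        byte[] signature = File.ReadAllBytes(payload + ".sig");

        // Untouched content verifies.
        Console.WriteLine("original: " + (Verifier.Verify(publicCert, content, signature) ? "valid" : "INVALID"));

        // Any change to the content (a single flipped byte here) must fail verification.
        byte[] tampered = (byte[])content.Clone();
        tampered[0] ^= 0x01;
        Console.WriteLine("tampered: " + (Verifier.Verify(publicCert, tampered, signature) ? "valid" : "INVALID"));
    }
}
```

Because the certificate is self-signed, the only thing that makes the signature meaningful is that the verifier knows which certificate to expect: in a real deployment compare cert.Thumbprint (or the public key bytes) against a value compiled into the verifier rather than trusting whatever .cer file happens to sit next to it. SHA-1 is no longer acceptable for new signatures, which is why the example uses SHA-256 on both sides.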