views:

648

answers:

3

How can I verify a DSA signature in C#?

Given:

  • the message text,
  • a signed digest (typically ASN.1 DER format),
  • the public key (in a signed X.509 certificate, PEM or DER format)

I've tried a number of approaches, but haven't had any success:

  • OpenSSL.NET: various strange errors with the library; I've got an open thread running with the author over on SourceForge but haven't been able to resolve this yet.

  • Microsoft .NET API: can't unpack the DER signature for comparison. A DSA signature is 40 bytes (two 20-byte integers), but is presented as an DER-encoded sequence of two integers, so the total length can range from 46 to 48 bytes (see this post for a quick overview.) While .NET includes code to parse ASN.1/DER (because it can read certificates in DER format), it's buried deep, and there's no way to access it so that you can correctly retrieve the 40 bytes from the ASN.1/DER encoded sig. This issue led me to the next option...

  • BouncyCastle: through the use of the Org.BouncyCastle.Asn1 functions, I can parse the ASN.1 signature and pull it into it's component R and S integer values. But when I pass these to the signature verification routines, it's failing with no explanation given. I'm not sure if I'm doing anything wrong, because the C# API is completely undocumented, and the Java version is barely documented (but there's no example or HOWTO information that I can find.)

I've been throwing myself at this problem for about a week now. I know someone must have done it before, but I haven't found any complete/working examples.

I've got three C# projects sitting here, each 95% complete but with one critical flaw that causes it to fail. Any working example code would be tremendously appreciated.

edit: here's an example of a signature I'm trying to verify, converted to Base64 and ASCII hex to make it postable. This particular one is 47 bytes but a proper parser must still accept it, read up on the DER spec for more info (BER/DER adds a leading 00 to confirm the sign if the MSB is 1)

Base64: MC0CFQCUgq2DEHWzp3O4nOdo38mDu8mStwIUadZmbin7BvXxpeoJh7dhquD2CTM=

ASCII Hex: 302d0215009482ad831075b3a773b89ce768dfc983bbc992b7021469d6666e29fb06f5f1a5ea0987b761aae0f60933

Structure is per the DER spec; it parses as follows:

30 2d: sequence, length 45 (may vary from 44 to 46)
 02 15: integer, length 21 (first byte is 00 to confirm sign)
  009482ad831075b3a773b89ce768dfc983bbc992b7
 02 14: integer, length 20 (leading 00 not necessary for this one)
  69d6666e29fb06f5f1a5ea0987b761aae0f60933

Writing my own DER parser is really not an option, too much room for error and there's got to be a way to do this properly.

+1  A: 

A piece of code that verifies a DSA signature can be found in the NSsh project. It doesn't suit your exact needs since the public key is not pulled from an X.509 certificate but it may give you a starting point.

sipwiz
As far as I can see, it's generating the signature internally: SignatureOfH = hostKey.Sign(H);I need to read an externally generated signature, which leads to the ASN.1 problem (described a bit more in updated post.)
andersop
A: 

Another good example is the DotNetAutoUpdate code. It uses RSA but it should be quite simple to switch over to DSA. In particular have a look at this file:

http://code.google.com/p/dotnetautoupdate/source/browse/trunk/source/DotNetAutoUpdate/UpdateKeys.cs


Edit: basically you want something similar to this:

var sha1 = new SHA1Managed();
var hash = sha1.ComputeHash(inputStream);

var signatureFormatter = new DSASignatureDeformatter(dsa);
signatureFormatter.SetHashAlgorithm("SHA1");
bool valid = signatureFormatter.VerifySignature(hash, signature);

More details on MSDN.


Edit: Another option is the Mono.Security libraries:

  • There is a class for reading ASN1
  • There is also an assembly for reading X.509 cerficiates.

I'm not sure if that helps...

Luke Quinane
The issue with the .NET implementation is that it can't parse the ASN.1 format of the signatures - I can't generate the "signature" object in the example above.
andersop
@andersop can you post an example of the ASN.1 signature?
Luke Quinane
@Luke Quinane: Sure, I edited it into the OP since comments don't support formatting.
andersop
@Luke: thanks, but Mono is just too huge to pull in for this purpose. I'll take a look at the source and see if it gives me any ideas, though.
andersop
@andersop the Mono.Security.dll is only 285KB and doesn't depend on any other Mono resources. You can find it here: C:\Program Files (x86)\Mono-2.4.2.3\lib\mono\gac\Mono.Security\2.0.0.0__0738eb9f132ed756
Luke Quinane
A: 

Take a look at this: http://www.codeproject.com/KB/security/CryptoInteropSign.aspx which resolved the problem I was having that seems very similar to your's.

jimbojones