Discuss this help topic in SecureBlackbox Forum

Signing data with public key algorithm

There are many ways to sign data by using a public key algorithm. This article concerns low-level signing, i.e., a cryptographic transformation which takes a message or its hash on input, and produces a digital signature on output. If you need to find out about higher-level signing (such as CMS, CAdES or XML-SIG), please refer to the relevant section of the knowledge base.

The examples below are given for an RSA signature. Similar code can be used for other public key algorithms such as DSA, ECDSA, and Elgamal.

A pair of public and private keys is needed to produce and verify a signature. Specifically, you need a private key to create a signature, and the corresponding public key to verify it. With SecureBlackbox, you can either load pre-generated keys from, e.g., files and X.509 certificates, or generate them from scratch.

When the keys are found, you can proceed with signing.

1. Get your signing (private) key in the form of TElRSAKeyMaterial object (SBPublicKeyCrypto namespace). You can create the object yourself if the key is to be loaded from file. If the key is contained in a certificate, you can access it via TElX509Certificate.KeyMaterial property: TElRSAKeyMaterial km = (TElRSAKeyMaterial)cert.KeyMaterial; Note the explicit cast to TElRSAKeyMaterial type, the certificate's KeyMaterial property returns an instance of the parent TElPublicKeyMaterial class.
2. Create an instance of TElRSAPublicKeyCrypto class (SBPublicKeyCrypto namespace): TElRSAPublicKeyCrypto crypto = new TElRSAPublicKeyCrypto();
3. Assign the key to the crypto object: crypto.KeyMaterial = km;
4. Set InputIsHash to true if you are going to sign only the hash of the data, or to false if you plan to pass the whole load of the original data. crypto.InputIsHash = false;
5. Set HashAlgorithm to indicate which algorithm is to be (or was) used for digesting the data: crypto.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
6. Sign the data. Note, that here the SignDetached() method is used, not Sign(). This method is applied, when the data itself is not included in the body of the signature. The majority of low-level signing schemes (e.g. PKCS#1/RSA) work with detached signatures, so it is not always possible to use Sign() method (and the attempt to call Sign() will lead to an exception).
   You can choose between array-based and stream-based overloads: crypto.SignDetached(inputStream, sigStream); When the operation is completed, sigStream will contain the signature of the input data. Find out how to verify the signature in the corresponding article.

How To articles related to low-level cryptography

Discuss this help topic in SecureBlackbox Forum