Sign an array of bytes with X509 Certificate in .Net Core

1
votes

I want sign an array of bytes with X509Certificate2,

Here are a sample for .Net Framework 4.7, but I need the same for .Net Core:

 var argCertFirmante = new X509Certificate2(file, pass);
 var infoContenido = new ContentInfo(argBytesMsg);
 var cmsFirmado = new SignedCms(infoContenido);
 var cmsFirmante = new CmsSigner(argCertFirmante)
  { IncludeOption = X509IncludeOption.EndCertOnly };
 cmsFirmado.ComputeSignature(cmsFirmante, true);
 return cmsFirmado.Encode();

I want the equivalent to this:

  • openssl smime -sign -signer ebookingv4.crt -inkey ebookingv4.key -out ticket.xml.cms -in ticket.xml -outform DER -nodetach
  • openssl base64 -in ticket.xml.cms -out ticket.xml.cms.base64

Cryptographic Message Syntax (CMS) With Net Core 2.0 and this nuget package i was worked fine for me:

<PackageReference Include="System.Security.Cryptography.Algorithms"
Version="4.4.0-beta-24913-01" /> <PackageReference
Include="System.Security.Cryptography.Pkcs"
Version="4.5.0-preview1-26119-06" /> <PackageReference
Include="System.Security.Cryptography.X509Certificates"
Version="4.4.0-beta-24913-01" />
2
c#cryptography.net-coresignpkcs#12
Do you want to have it with .net-core for cross-platform or for Windows only?Simon Mourier
yes in .net-core for cross-platformMarcelo Oliveto

2 Answers

4
votes

SignedCms is not available in .NET Core 1.0 or 1.1; nor will it be in 2.0. (Edit: it will be available in the upcoming 2.1 release).

If you only care about writing data (which is much easier than reading it) you could implement a limited form of it using just RSA.SignData.

SignedCms produces a DER encoded CMS signed-data value (RFC 5652, section 5), which is

SignedData ::= SEQUENCE {
    version CMSVersion,
    digestAlgorithms DigestAlgorithmIdentifiers,
    encapContentInfo EncapsulatedContentInfo,
    certificates [0] IMPLICIT CertificateSet OPTIONAL,
    crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
    signerInfos SignerInfos
}

DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
SignerInfos ::= SET OF SignerInfo

In order to write one you'll need to understand how to write data according to the Distinguished Encoding Rules (DER), which is ITU-T X.690 (though it builds a lot on ASN.1, and makes references to ASN.1, which is ITU-T X.680).

Imagine you wanted to sign "Hello" with SHA-2-256 / RSA+SHA-2-256. Of course, we don't have strings in cryptography, so this is the byte sequence 48 65 6C 6C 6F.

// SEQUENCE (SignedData)
30 xa [ya [za]]
   // INTEGER (Version=1)
   02 01 01
   // SET (OF DigestAlgorithmIdentifier (digestAlgorithms))
   31 xb [yb [zb]]
      // SEQUENCE (DigestAlgorithmIdentifier ::= AlgorithmIdentifier)
      30 xc [yc [zc]]
         // OBJECT IDENTIFIER (2.16.840.1.101.3.4.2.1 == SHA-2-256)
         06 09 60 86 48 01 65 03 04 02 01
   // SEQUENCE (EncapsulatedContentInfo)
   30 xd [yd [zd]]
      // OBJECT IDENTIFIER (1.2.840.113549.1.7.1 == pkcs7-data)
      06 09 2A 86 48 86 F7 0D 01 07 01
      // CONTEXT SPECIFIC 0 - CONSTRUCTED
      A0 xe [ye [ze]]
         // OCTET STRING (the data goes here)
         04 05 48 65 6C 6C 6F // "Hello"
   // CONTEXT SPECIFIC 0 - CONSTRUCTED (CertificateSet (certificates))
   A0 xf [yf [zf]]
      [cert.RawData goes here, which is already DER encoded]
      [do you have an intermediate you want to share?
        okay, write intermediate.RawData here; repeat]
   // skip the crls.
   // SET (OF SignerInfo (singerInfos))
   31 xg [yg [zg]]
      // SEQUENCE (SignerInfo)
      30 xh [yh [zh]]
         // INTEGER (Version=1)
         02 01 01
         // SEQUENCE (IssuerAndSerialNumber)
         30 xi [yi [zi]]
            // SEQUENCE (Issuer)
            [cert.IssuerName.RawData]
            // OCTECT STRING (SerialNumber)
            02 xj [yj [zj]]
               [cert.GetSerialNumberBytes() (see note "j")]
         // SEQUENCE (DigestAlgorithm (digestAlgorithm))
         30 xk [yk [zk]]
            // OBJECT IDENTIFIER (2.16.840.1.101.3.4.2.1 == SHA-2-256)
            06 09 60 86 48 01 65 03 04 02 01
         // skip signedAttrs
         // SEQUENCE (DigestEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier)
         30 xl [yl [zl]]
            // OBJECT IDENTIFIER (1.2.840.113549.1.1.1 == rsaEncryption)
            06 09 2A 86 48 86 F7 0D 01 01 01 
            // NULL (rsaEncryption says parameters must be explicit NULL)
            05 00
         // OCTECT STRING (signature)
         04 xm [ym [zm]]
            [rsa.SignData(
                 new byte[] { 0x48, 0x65, 0x6C, 0x6C, 0x6F },
                 HashAlgorithmName.SHA256,
                 RSASignaturePadding.Pkcs1)]
         // skip unsignedAttrs

Now we're done and we can close off all the missing lengths. The signature size is a function of the RSA key. Let's assume it's a 2048-bit key, that makes a 2048-bit signature, or 256 bytes. 256 is 0x100, which is bigger than 0x7F, so we have to break it up into two length bytes and one length-length byte: So the "m" series of bytes is 80 01 00.

The "l" series is complete, it contained 13 bytes, so 0D (no y or z byte).

"k" is complete at 11 bytes (0B).

"j" depends on how long the serial number is. My certificate has serial number 9B 5D E6 C1 51 26 A5 8B, but you're not supposed to write it down as a negative number (first byte has the high bit set), so it needs a padding byte, making the content 00 9B 5D E6 C1 51 26 A5 8B, and therefore the length 9 (09).

"i" depends on the length of the issuer name. Mine came out to a 141 byte array (already DER encoded), plus our serial number (9 bytes + tag + length == 11 bytes) => 152 bytes (0x98). Since 0x98 is greater than 0x7F we have to length-prefix it: 81 98.

Now "h" is done. (3 + (1 + 2 + 152) + (1 + 1 + 11) + (1 + 1 + 13) + (1 + 3 + 256) => 446 = 0x1BE => 82 01 BE.

"g" is (1 + 3 + 446) => 450 = 0x1C2 82 01 C2.

"f" is the sum of all the certs you encoded. Mine came out to 683 = 0x2AB (82 02 AB)

"e" is 7 (07)

"d" is 11 + (1 + 1 + 7) = 20 = 0x14 (14)

"c" is 11 (0B)

"b" is (1 + 1 + 11) = 13 (0D)

"a" is 3 + (1 + 1 + 13) + (1 + 1 + 11) + (1 + 3 + 683) + (1 + 3 + 450) = 1172 = 0x494 (82 04 94).

30 82 04 94  02 01 01 31    0D 30 0B 06  09 60 86 48
01 65 03 04  02 01 30 14    06 09 2A 86  48 86 F7 0D
01 07 01 A0  07 04 05 65    6C 6C 6F A0  82 02 AB ...
...cert.RawData...
31 82 01 C2  30 82 01 BE    02 01 01 30  81 98 ...
...cert.IssuerName.RawData...
02 09 00 9B  5D E6 C1 51    26 A5 8B 30  0B 06 09 60
86 48 01 65  03 04 02 01    30 0D 06 09  2A 86 48 86
F7 0D 01 01  01 05 00 04    80 01 00 ... signature ...

If you go this route, you'll be assisted by tools like openssl asn1parse -i -dump -inform DER < your.signed.cms or ASN.1 Editor, or other such DER reader/rendering tools.

3
votes

According the Apisof.Net, both classes SignedCms and CmsSigner wouldn't be ported to .Net Core. What you can do is two things here:

  • Wait for a 2.0 version of .Net Core, so you'll be able to use PrivateKey property, and use the AsymmetricAlgorithm object to sign the data

  • Or you can use extension method GetRSAPrivateKey(X509Certificate2):

    public byte[] Sign(string message)
{
    using (var key = certificate.GetRSAPrivateKey())
    {
        return key.SignData(Encoding.UTF8.GetBytes(message),
          HashAlgorithmName.SHA256,
          RSASignaturePadding.Pkcs1);
    }
}

HashAlgorithmName has static names for algorithms and RSASignaturePadding has default objects for padding.