is it possible to add a digital signature to an excel document with EPPlus and validate a digital signature of an existing excel document?
Maybe you can go with a detached signature.
You can create a signature using the following code:
X509Certificate2 certificate = new X509Certificate2(certPath, password);
byte[] signature;
using (RSA rsa = certificate.GetRSAPrivateKey())
{
signature = rsa.SignData(data, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
}
where data is a byte array
Then store it to an external file
For validating the signature you need your xlsx file and the external signature file.
Then you can verify the signature using the following code
X509Certificate2 publicCertificate = new X509Certificate2(certPath);
var valid = false;
using (RSA rsa = publicCertificate.GetRSAPublicKey())
{
valid = rsa.VerifyData(fileData, signatureData, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
}
where fileData is a byte array of your xlsx file and signatureData is a byte array of your signature file
Tell me if it worked =)
Related
Friends,
We procured class 3 certificate both .pfx and .cer certificates from Certificate Authority. And shared .cer(public key) to our partner.
Encryption (Java)
Our Partner encrypted the message (with our public key) using Java bouncy castle openpgp standard and shared the encrypted message like below,
-----BEGIN PGP MESSAGE-----
Version: x
v2hQEMAzFXJ94q1Nm8AQf/Tld0/3dAvgFKPQVBS8bmbXChXeApeReo1ydNS+......
-----END PGP MESSAGE-----
Decryption: (C#)
We need to decrypt the message with our .pfx file.
I have gone through below articles,
http://burnignorance.com/c-coding-tips/pgp-encryption-decryption-in-c/
It seems new PGPKeyPair is being generated and used for encryption and decryption.
But in my case, i have .pfx file
How do we extract the pgpprivate key from .pfx file use for decryption?
Could you share some thoughts on how we can do this. Advance thanks for all your time on this.
13/12/2020
I had imported the X509Certificate .pfx into store like below and trying to convert the pgpprivate key,
string certPath = #"C:\Users\test.pfx";
string certPass = "apples";
// Create a collection object and populate it using the PFX file
X509Certificate2Collection collection = new X509Certificate2Collection();
collection.Import(certPath, certPass, X509KeyStorageFlags.PersistKeySet);
X509Certificate2 certificate = collection[0];
AsymmetricAlgorithm x509PrivateKey = certificate.PrivateKey;
PgpPrivateKey pK = x509PrivateKey; //Here i am gettting the invalid conversion error.
I am trying to use the X.509 certificate Private key as PGPrivatekey in decryption. But while assigning the private key to pgpprivatekey, getting the invalid cast exception.
Is there any way to achive this?
Regards,
Stalin
You can try using BouncyCastle API to read pfx file using PKCS12 class file, then convert the key to PgpSecretKey.
read document on -- > pkcs12.GetKey()
and PgpSecretKey class.
public static void GetPriveKey(String pfxFile, String pfxPassword)
{
//Load PKCS12 file
Pkcs12Store pkcs12 = new Pkcs12Store(new FileStream(pfxFile, FileMode.Open, FileAccess.Read), pfxPassword.ToArray());
string keyAlias = null;
foreach (string name in pkcs12.Aliases)
{
if (pkcs12.IsKeyEntry(name))
{
keyAlias = name;
break;
}
}
//
AsymmetricKeyParameter Privatekey = pkcs12.GetKey(keyAlias).Key;
X509CertificateEntry[] ce = pkcs12.GetCertificateChain(keyAlias);
AsymmetricKeyParameter PublicKey= ce[0].Certificate.GetPublicKey();
PgpSecretKey mySecretKey = new PgpSecretKey(PgpSignature.DefaultCertification,
PublicKeyAlgorithmTag.RsaGeneral,
PublicKey,
Privatekey,
DateTime.UtcNow,
keyAlias,
SymmetricKeyAlgorithmTag.Cast5,
pfxPassword.ToCharArray(),
true,
null,
null,
new SecureRandom());
}
I have a public key in a .der extension file from a vendor. I have to use this to encrypt something using C# and add the result to an API call. I am new to this type of stuff and can't figure out how to load the key in the .der file into code and use it to encrypt my string. Any help?
Thanks!
You can use the X509Certificate2 to load the certificate, I.E.:
var cert = new X509Certificate2(#"C:\path\to\key.der");
var publicKey = cert.GetRSAPublicKey();
var privateKey = cert.GetRSAPrivateKey();
To actually encrypt/decrypt data, you would do something similar to the following depending on the specifications
var plaintext = Encoding.UTF8.GetBytes("Some Secret");
var encrypted = publicKey.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);
var decrypted = privateKey.Decrypt(encrypted, RSAEncryptionPadding.OaepSHA256);
Console.WriteLine(Encoding.UTF8.GetString(decrypted));
Trying to validate PDF signature isn't working. The PDF were signed by Adobe Acrobat and then trying to verify it with the public key of the client certificate.
So I get the public key of the client certificate, hash the PDF and verify if the hash is equal to the pdf signature, but it fails.
HttpClientCertificate cert = request.ClientCertificate;
X509Certificate2 cert2 = new X509Certificate2(cert.Certificate);
PdfReader pdfreader = new PdfReader("path_to_file");
AcroFields fields = pdfreader.AcroFields;
AcroFields.Item item = fields.GetFieldItem("Signature1");
List<string> names = fields.GetSignatureNames();
foreach (string name in names){
PdfDictionary dict = fields.GetSignatureDictionary(name);
PdfPKCS7 pkcs7 = fields.VerifySignature(name);
Org.BouncyCastle.X509.X509Certificate pdfSign = pkcs7.SigningCertificate;
// Get its associated CSP and public key
RSACryptoServiceProvider csp = (RSACryptoServiceProvider)cert2.PublicKey.Key;
// Hash the data
SHA256 sha256 = new SHA256Managed();
byte[] pdfBytes = System.IO.File.ReadAllBytes("path_to_pdf");
byte[] hash = sha256.ComputeHash(pdfBytes);
// Verify the signature with the hash
bool ok = csp.VerifyHash(hash, CryptoConfig.MapNameToOID("SHA256"), pdfSing.GetSignature());
}
First, to verify whether the signature correctly you can simply use the PdfPKCS7 object you already retrieved, more exactly its Verify method:
/**
* Verify the digest.
* #throws SignatureException on error
* #return <CODE>true</CODE> if the signature checks out, <CODE>false</CODE> otherwise
*/
virtual public bool Verify()
Thus, you can simply call
bool ok = pkcs7.Verify();
and ok is true only if the document hash matches the hash in the signature.
Concerning your attempt to calculate the document hash like this
byte[] pdfBytes = System.IO.File.ReadAllBytes("path_to_pdf");
byte[] hash = sha256.ComputeHash(pdfBytes);
This indeed gives you the hash value of the complete PDF.
For document types with integrated signatures like PDFs, though, this is not the hash of interest because the complete PDF obviously includes the integrated signature!
Thus, you have to find the space reserved for the signature in the PDF and ignore it during hash calculation, cf. this answer on Information Security Stack Exchange, in particular this image:
In case of multiple signatures you furthermore have to consider that the earlier signatures only sign a former revision of the PDF, so the hash is to be calculated only for a starting segment of the file, cf. this image from the answer referenced above:
The iText(Sharp) method PdfPKCS7.Verify() takes all this into account.
Following is my scenario
- I read data from a barcode and its converted into a plain text. This text is a combination of barcode data + digital signature. Digital signature is appended to the end, which enables me to separate out the actual data and digital signature data. Digital signature data is hashed using sha256
-User send me a public key as windows certificate file ( .cer extension).
Required implementation :
-Need to extract public key from the certificate and validate the public key against the barcode data and the digital signature provided.
Here is the code I am trying to use to verify signature
//Note :
//1. certPath : is the path where my certificate is located
//2. GetStreamdata get the stream of data from the certificate.
//Get the certificate data here
Org.BouncyCastle.X509.X509Certificate cert1 = new X509CertificateParser().ReadCertificate(GetStreamData(cerPath));
//get the public key
ECPublicKeyParameters ecPublic = (ECPublicKeyParameters)cert1.GetPublicKey();
//create a signerutility with type SHA-256withECDSA
ISigner signer = SignerUtilities.GetSigner("SHA-256withECDSA");
//initial signer with the public key
signer.Init(false, ecPublic);
//get signature in bytes : digitalsignature parameter contains signature that should be used.
byte[] dBytes = encoding.GetBytes(digitalsignature);
//block/finalise update to signer : data : is the actual data.
signer.BlockUpdate(data, 0, data.Length);
try
{
//verify signature
verified = signer.VerifySignature(dBytes);
}
catch(Exception ex)
{
_log.LogException(ex);
}
what was I able to achieve was : extract public using bouncy castle libraries
Problem :
Exception thrown on signer.verifysignature
Message=Unable to cast object of type 'Org.BouncyCastle.Asn1.DerApplicationSpecific' to type 'Org.BouncyCastle.Asn1.Asn1Sequence'.
Source=BouncyCastle.Crypto
The problem was that I had to encode digitalsignature value in iso-8859-1. I was encoding in ASCII before.
This solves the problem and I was able to validate signature.
Im trying to sign some data using PKCS#12 certificate ,however i have problem with obtaining private key from PKCS#12 (.p12) file.
public byte[] sign(string text)
{
string password = "1111";
X509Certificate2 cert = new X509Certificate2("c:\\certificate.p12",password);
byte[] certData = cert.Export(X509ContentType.Pfx,password);
X509Certificate2 newCert = new X509Certificate2(certData, password);
RSACryptoServiceProvider crypt = (RSACryptoServiceProvider)newCert.PrivateKey;
SHA1Managed sha1 = new SHA1Managed();
UnicodeEncoding encoding = new UnicodeEncoding();
byte[] data = encoding.GetBytes(text);
byte[] hash = sha1.ComputeHash(data);
return crypt.SignHash(hash, CryptoConfig.MapNameToOID("SHA1"));
}
The problem is that newCert.PrivateKey is null but if i am using .pfx certicitae in similar way it works.
public byte[] sign(string text)
{
string password = "1234";
X509Certificate2 cert = new X509Certificate2("c:\\certificate.pfx", password);
RSACryptoServiceProvider crypt = (RSACryptoServiceProvider)cert.PrivateKey;
SHA1Managed sha1 = new SHA1Managed();
UnicodeEncoding encoding = new UnicodeEncoding();
byte[] data = encoding.GetBytes(text);
byte[] hash = sha1.ComputeHash(data);
return crypt.SignHash(hash, CryptoConfig.MapNameToOID("SHA1"));
}
So the question is how to get that private key from .p12 file ?
I had a similar problem which I posted here, although it is not the same thing for you, the problem may be also permissions.
My suggestions are, first, you have to make sure (which I suppose you already did) that the private key is exportable and you have permissions to the file.
Next, try exporting the content type as X509ContentType.Pkcs12 instead of X509ContentType.Pfx
Finally, if it is possible, why don't you try importing it to the certstore. I believe that's more secure. The steps are in the link above.
Have a look at this question. It looks very similar.
In the docs, it says that .export() doesn't support the Pfx type, only Cert, SerializedCert, and Pkcs12.
This was done for using Android - so the R.raw.key below was my file in the Android Raw folder.
I opened key.p12 as as input stream. Which I then converted to the private key using the libraries as seen in the example.
http://www.flexiprovider.de/examples/ExampleSMIMEsign.html
My code looks like this
Security.addProvider(new de.flexiprovider.core.FlexiCoreProvider());
// Next, we have to read the private PKCS #12 file, since the the
// private key used for signing is contained in this file:
DERDecoder dec = new DERDecoder(getResources().openRawResource(
R.raw.key));
PFX pfx = new PFX();
try {
pfx.decode(dec);
SafeBag safeBag = pfx.getAuthSafe().getSafeContents(0)
.getSafeBag(0);
PKCS8ShroudedKeyBag kBag = (PKCS8ShroudedKeyBag) safeBag
.getBagValue();
char[] password = "my password for the p12".toCharArray();
privKey = kBag.getPrivateKey(password);
new AsyncLoadStorage(this).execute();
} catch (ASN1Exception e) {