Get the key from certificate file.

  • Question

  • In a C# application, using a VeriSign certificate file (.pfx), we have generated a key value & added it into an XML file.

    In C# we have used "using System.Security.Cryptography.X509Certificates".

    In another application (client side) we need to verify the key value using VC++ (without the .NET Framework) & the Windows API,

    but we don't want to distribute the VeriSign certificate (.cer) file with the application.

    Any help on the above issue is appreciated.

    Thanks in advance.


    • Moved by lucy-liu Wednesday, July 6, 2011 8:00 AM it is related to security (From:Visual C++ Language)
    Saturday, July 2, 2011 10:17 AM

Answers

  • SandyWarrior wrote:

    In another process (client application) using C++ (Windows API without .NET Framework),

    I have to parse the XML file, get *SignatureValue (jRJ6YsyjrtOZ5Ejbze1fFIpQZN3Uv.......), *verify the key value.

    But we don't want to distribute the VeriSign certificate (.cer) file with the client application.

    Well, you'll have to. A digital signature is a hash of the content to be signed, encrypted with the signer's private key. To verify a signature, the client needs to a) calculate its own hash of the content; b) decrypt the hash from the signature using the signer's public key; c) check that the two hashes match (proving that the content hasn't been altered after it was signed); and d) verify that the private/public key pair actually belongs to the signer.

    The certificate is needed for b) and d) - it carries the public key and the information about the signer. The signer's certificate is in turn signed by yet another certificate, which in turn may be signed by another and so on, forming a so-called certificate chain that leads to some trusted root certificate.

    The signer's certificate is not just a luxury you can dispense with - it's a vital part of public key-based security infrastructure.

    Now, the XML Signature specification at http://www.w3.org/TR/xmldsig-core/ defines a KeyInfo element which, among other things, allows one to embed an X.509 certificate, or even the whole certificate chain, into the XML document together with the signature. This would allow you to generate a self-contained signature which includes everything needed to verify it (except that the client would still determine which root certificates are trusted).


    Igor Tandetnik

    • Marked as answer by SandyWarrior Monday, July 18, 2011 8:11 AM
    Monday, July 4, 2011 3:05 PM

All replies

  • SandyWarrior wrote:

    In a C# application, using a VeriSign certificate file (.pfx), we have generated a key value & added it into an XML file.

    In C# we have used "using System.Security.Cryptography.X509Certificates".

    In another application (client side) we need to verify the key value using VC++ (without the .NET Framework) & the Windows API,

    I'm not sure I follow. What do you mean, generated a key value? How is this value related to the certificate? It would be best if you show your C# code that does all this.


    Igor Tandetnik

    Saturday, July 2, 2011 11:33 AM
  • Kindly refer to the code below; it explains how we are generating the key using C# X509Certificates & XML.

    using System.Security.Cryptography.X509Certificates;  // .NET X509Certificates
    using System.Security.Cryptography.Xml;               // SignedXml lives in this namespace (System.Security.dll)
    using System.Xml;                                     // XML namespace

    // Load the document that is going to be signed ("Document.xml" is a placeholder path).
    XmlDocument xmlDoc = new XmlDocument();
    xmlDoc.PreserveWhitespace = true;
    xmlDoc.Load("Document.xml");

    // Create a SignedXml object.
    SignedXml signedXml = new SignedXml(xmlDoc);

    // Load the VeriSign certificate file (the path must be a string).
    // Note: the password is hardcoded here as in the original post; in practice it should come from a protected store.
    X509Certificate2 cert = new X509Certificate2("Versign1.pfx", "Password@UpdateManager@INSITE");

    // Get the private key from the certificate & use it as the signing key of the SignedXml document.
    signedXml.SigningKey = cert.PrivateKey;

    // Reference the whole document (URI "") with an enveloped-signature transform, so the
    // signature actually covers the content and not just an empty SignedInfo.
    Reference reference = new Reference("");
    reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
    signedXml.AddReference(reference);

    // Compute the signature using the SignedXml object.
    signedXml.ComputeSignature();

    // Get the XML representation of the signature and append it to the document.
    XmlElement xmlDigitalSignature = signedXml.GetXml();
    xmlDoc.DocumentElement.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true));

    Now, how will the XML file look with the key?

    <SignatureValue>jRJ6YsyjrtOZ5Ejbze1fFIpQZN3UvRg2+1jsDTJF1aTnOzJj1/ERw6qMz.................</SignatureValue>

    In another process (client application) using C++ (Windows API without .NET Framework),

    I have to parse the XML file, get the SignatureValue (jRJ6YsyjrtOZ5Ejbze1fFIpQZN3Uv.......), and verify the key value.

    But we don't want to distribute the VeriSign certificate (.cer) file with the client application.

    In short, I want to verify a digital signature using C++ & the Windows API.

    Kindly guide me on how we can handle the above issue in a client application.

    Any help or advice on the above issue is highly appreciated.

    Thanks in advance.

    Monday, July 4, 2011 7:22 AM
  • Hi SandyWarrior,

    Have you solved this issue?

    If you have solved it, please mark the useful reply as answer.

    If not, please provide more detailed information.


    Best regards,

    Lucy


    Lucy Liu [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Monday, July 4, 2011 8:11 AM
  • Hi Lucy,

    Nope!! I am still searching for a solution & the correct approach to it.

    Kindly read my question in the post above.

    I am looking for C++ & Windows API to validate a digital signature.

    Monday, July 4, 2011 8:41 AM
  • Thanks a lot, Igor.

    Kindly guide me on which C++ Windows cryptography API will be most appropriate for steps a, b, c & d:

    a) Calculate its own hash of the content;

    b) Decrypt the hash from the signature using the signer's public key;

    c) Check that the two hashes match (proving that the content hasn't been altered after it was signed); and

    d) Verify that the private/public key pair actually belongs to the signer.


    Sandy
    Tuesday, July 5, 2011 11:56 AM
  • Hi SandyWarrior,

    I am moving this thread from the "Visual C++ Language" forum to the "Security for Applications in Microsoft Windows" forum, since the issue is related to Windows security. There are more experts in the "Security for Applications in Microsoft Windows" forum.

    Thank you for your understanding!

    Best regards,

    Lucy


    Lucy Liu [MSFT]

    Wednesday, July 6, 2011 8:00 AM
  • Hi Lucy,

    If you are going to create a new thread, kindly share the thread URL with me.

    Sandy
    Wednesday, July 6, 2011 8:24 AM