[CryptoAPI] Digital Signatures?

[CryptoAPI] Digital Signatures?

  
Forge Component
(12)
Published on 2015-11-29 by Ricardo Silva
12 votes
Published on 2015-11-29 by Ricardo Silva
I have a need to both encrypt and digitally sign a document.  Can this library be used for digital signatures?  I understand that you would want to hash a document and then encrypt the digest with the signer's private key.  When I tried using the library, I was successful in encrypting with the public key and decrypting with the private key, but encrypting with the private key gives an error when trying to decrypt with the public key.  

I am new to this subject so I'm sure I'm doing something wrong, but could you help me.  I'm using the RSA encryption algorithm, with keys created using your methods (GenerateRSAKey & GetRSAPublicKey).

Thanks for any help you can provide.
Hello Joe,

I have not implemented signatures with RSA keys in CryptoAPI.

Can you provide a more concrete example of what you are trying to achieve? What are the security properties you want to have?

In particular, when you say you want to "encrypt and digitally sign a document", are we talking about a binary file, or a piece of text?
I am building an app that brokers the exchange of confidential documents.  To date, they are all JSON documents (therefore all text).  The process I want to enable is:
Alice makes a request and provides her public key.  I forward the request to Bob.  Bob creates a JSON object, which he would has using SHA-256 to create a digest.  Bob would encrypt the digest with his private key to digitally sign the document.  Bob would then create a JSON document that had original JSON + Signature + Bob's public key + hash method + encryption method.  Bob would then encrypt the composite JSON document with Alice's public key and return it to me.  I then forward the ciphertext to Alice which would decrypt using her private key.  Extract Bob's public key to validate the digital signature.  This is where I'm failing  Bob's public key needs to be able to decrypt the digest so Alice can compare that against her hashing the first JSON document to verify nothing has been modified and provide non-repudiation.   Hope that gives you what you're looking for.

I really appreciate the help!
Hi Joe,

While the concept with RSA is that you encrypt with your private key to sign something, in practice there are other things you need to take into consideration. So the signing "algorithm" is slightly different from the encryption algorithm. Basically what changes is the way you pad the value you encrypt.

In your case, that probably wouldn't work. Encrypting with RSA is roughly limited to the size of the RSA key, and the output of an encryption is the same size as the key. This means that most like you won't be able to encrypt the JSON + Signature + hash method + encryption method with the same key.

What's usually done is you encrypt a symmetric key with the public key and encrypt the data with the symmetric key. In CryptoAPI terms that would be:

Encrypt_RSA(Alice's key, GenerateAESKey()) + Encrypt(AESKey, json document)

In any case, back to the signing part: Currently CryptoAPI does not have this. I'm not sure when I would be able to pick this up to ensure it works in both .NET and Java. In any case I believe you can look at the CryptoAPI code and make your own signing functions based on the .NET APIs .
Ricardo,
Thanks for your help.  As you can tell I am new to encryption details.  There is always so much to learn moving from the theory to the practice!  :-)  I appreciate the advice and the great work that you have done for the community.  I'm also using ardoJSON.

Best regards,
Joe

Hi Ricardo,

I also have a need to sign an SHA1 hash with an RSA private key. I'm wondering if you had a chance to work on this since this old thread started back in 2015? If not, is there any chance you could add this function to CryptoAPI anytime soon?

Thanks in advance.

Charles

Hi Charles,

I did look into this but did not reach any conclusion of how I should present this to OutSystems Platform users.

Can you provide some more information on what you're trying to achieve? Who you're trying to integrate with?

Best regards,

Hi Ricardo,

Thanks for your reply. I was trying to connect to a Private Application in Xero. This requires an RSA-SHA1 signature to be sent as part of the Authorisation header of the request.

There is some general info here as a starting point: https://developer.xero.com/documentation/auth-and-limits/private-applications

I did manage to solve this in the meantime by creating a .Net extension. I'm considering publishing it to the Forge as a separate extension, and I'd be happy for you to incorporate it into the CryptoAPI too if there is a demand for it, but I can't help you with the Java version.

Charles Papp wrote:

I did manage to solve this in the meantime by creating a .Net extension. I'm considering publishing it to the Forge as a separate extension...

UPDATE: I published the function to generate the RSA-SHA1 signature from a Plain Text string with a Private Key (in XML format) as part of the CryptoSign component, in case anyone else finds a need for this.