Re: How to make PKCS#7 signature using CryptoAPI?

[Mitch Gallant]

No that is not correct. CryptSignMessage (and other simplified capi
MESSAGE functions) create and verify pkcs7 messages.
CryptSignHash and related operate on pkcs1 signatures.

- Mitch Gallant
MVP Security

<dead...@inbox.lv> wrote in message news:1143787764.9...@z34g2000cwc.googlegroups.com...
>I want to make PKCS#7 signature using CryptoAPI. As far as i
> understand, function CryptSignMessage creates PKCS#1 signature, or it
> is not so?
>

[dead...@inbox.lv]

How to cerate PKCS#7 signature using CryptoAPI? As far as I understand,
CryptSignMessage creates PKCS#1 signature, is that so?

[dead...@inbox.lv]

I am very new in security... do I understand correcltly:
1. if I cerate a hash using CryptCreateHash, then sign it using
CryptSignMessage, it will be a valid PKCS#7 format signature.
2. To verify it, i need to obtaint the certificate using
CryptVerifySignature, then I need to get a signed hash from that
signature (how??), create a hash from the text I need to check for
integrity, and compare hashes using CryptVerifyMessageHash?

[dead...@inbox.lv]

I checked MSDN, seems that I need to use CryptSignHash not
CryptSignMessage

[dead...@inbox.lv]

So how can I create PKCS#7 signature signing a hash?

[Mitch Gallant]

No that is not correct.

Any of the CryptoAPI "....Message" functions work with pkcs7 encoding.
CryptSignHash (and CryptVerifySignature) create and verify pkcs#1 basic
signatures. Also that signature is in little-endian order (so reversed from Java 2
and .NET pkcs1 signature byte order).

- Mitch Gallant
MVP Security

<dead...@inbox.lv> wrote in message news:1144045364.1...@i39g2000cwa.googlegroups.com...

[Mitch Gallant]

In CryptoAPI, you can use the "Simplified" message functions to automatically
take care of generating the hash. You provide data buffer, set a few struct
members and then invoke the fns:
http://windowssdk.msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/example_c_program_signing_a_message_and_verifying_a_message_signature.asp

Procedure is described schematically here:
http://windowssdk.msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/procedure_for_signing_data.asp

You could use lower-level capi functions, but better to use simplified functions unless
you really need some capabiilty not provided in simplified fns.

General info on CryptoAPI and pkcs #7:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/pkcs__7_concepts.asp

- Mitch Gallant

<dead...@inbox.lv> wrote in message news:1144048997.0...@j33g2000cwa.googlegroups.com...

[dead...@inbox.lv]

Thanks for info!

Do you know any tool, that signs daata and generates PKCS#7 signatures?

Thanx,
Anna

[Mitch Gallant]

There are probably lots of utilities that can do this.

If they use CryptoAPI directly, then they would be
similar to this sample:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/example_c_program_signing_a_message_and_verifying_a_message_signature.aspCAPICOM wraps much of the more useful signature,certs and Authenticode features of CryptoAPI.Here is an easy to use vbscript utility a few years ago: http://www.jensign.com/capicom/SignAll.txt(change the extension to .vbs if you choose to try it out).You need WSH (Windows Script Host) which is be defaultin W2k or XPSignall.vbs requires CAPICOM which you can either install andautomatically register using freely redistributable CAPICOM.I provide a page to make this install and registration trivial: http://www.jensign.com/capicom2install/(the dnld is tiny .. and is signed by Microsoft).Signall.vbs takes a few arguments: SignAll <filetosign> <outputsignedfile> [A|D] [anything]where the 3rd optionial argument is for an "Attached" or "Detached" pkcs#7signature. The 4th optionial argument (can be anything) indicates a binarypkcs#7 file (the default is to create a b64-encoded pkcs#7 signature).Note also that .NET 2 now provides almost all of the same functionality as CAPICOM 2did (including pkcs#7 generation and verification).- Mitch Gallant MVP Security<dead...@inbox.lv> wrote in message news:1144412563....@u72g2000cwu.googlegroups.com...> Thanks for info!>> Do you know any tool, that signs daata and generates PKCS#7 signatures?>> Thanx,> Anna>

[Eugene Mayevski]

Hello!
You wrote on 7 Apr 2006 05:22:43 -0700:

d> Do you know any tool, that signs daata and generates PKCS#7 signatures?

You can check PKIBlackbox ( http://www.eldos.com/sbb/desc-pki.php ), it is
available for .NET and as an ActiveX control.

With best regards,
Eugene Mayevski

[dead...@inbox.lv]

Hi, Mitch!

I have signed a simple text message using
signall <filename> output.p7s
that created detached signature with the certificate inside it. When I
try to verify it, using CryptoAPI VerifyMessageSignature, either .NET 2
namespace PKCS, I get the same error ASN1 bad tag value met. I cannot
understand what am I doing wrong :(

Anna

[Mitch Gallant]

Don't think .net directly handles b64 (which is what you generated below
if those are the only args you used). Default signall.vbs is b64.

So try this:
signall.vbs <filename> output.p7s A B
which generates attached (A) sig. in binary (B) format.

Just tried .NET 2 classes .. no problems verifying either way.

Also, signall uses the most common ASCII encoding of the datain pkcs7
signatures.

So use Encoding.ASCII if you convert string to byte[].

- Mitch Gallant

<dead...@inbox.lv> wrote in message news:1144603036.2...@u72g2000cwu.googlegroups.com...

[maryzhang]

Hi, Mitch

I used CryptSignMessage to created a signature and can verify successfully by
CryptVerifyMessageSignature OR CryptVerifyDetachedMessageSignature. However,
I need send the signature to a Linux box and use openssl to verify it, I used
"“openssl dgst –md5 –verify pubkey –signature signed-msg orig-msg”, but the
verification always fail. Do you have any idea or clue about what’s wrong?

For CryptSignMessage, I used RSA_MD5 for hash, the default format of
signature is DER? How can I get PEM(b64) format directly? What's the expected
format for openssl?

Thank you very much in advance!

Mary

[Mitch Gallant]

OpenSSL command like you use takes a pkcs1.5 signature (i.e. the raw encrypted hash),
not a CMS / pkcs #7 signed messages as you create with CryptSignMessage.
You can extract the pkcs1 signature from your capi CMS signedmessage blob using:
CryptMsgGetParam() with CMSG_Encyrpted_Digest.

- Mitch

"maryzhang" <mary...@discussions.microsoft.com> wrote in message
news:5AFE3E47-799D-4188...@microsoft.com...

> Hi, Mitch
>
> I used CryptSignMessage to created a signature and can verify successfully by
> CryptVerifyMessageSignature OR CryptVerifyDetachedMessageSignature. However,
> I need send the signature to a Linux box and use openssl to verify it, I used

> ""openssl dgst -md5 -verify pubkey -signature signed-msg orig-msg", but the

[maryzhang]

Mitch,

Can openssl extract the pkcs1 signature from the pkcs7 signed msg?
I've the signed msg on Linux already, want to try it out ASAP.

Thanks a lot!

Mary

[Mitch Gallant]

I'm sure the OpenSSL Crypto lib supports pkcs7 in there somewhere.
I haven't used it personally. I don;t think the openssl tool itself can
do this though. Maybe someone can correct me.
- Mitch

"maryzhang" <mary...@discussions.microsoft.com> wrote in message

news:EDCA585E-EBCF-4AEB...@microsoft.com...

[maryzhang]

I'm using the openssl cmd tool directly in PHP.

"openssl pkcs7" doesn't help.

And I tried ""openssl smime -verify -inform PEM -in signed.pem -signer
desktop-b64.cer
-content msg.txt -nointern -noverify", it gave me "RAS_verify:bad signature".

One more thing, the signer certificate is sent together with the signature,
and then the public key is extracted for "openssl dgst" cmd.
However, when I compare the public key info(on windows use "certmgr -v
desktop-b64.cer", and on linux use "openssl x509 -in desktop-b64.cer -text
-noout", I found the following difference:

On Windows:
...
SubjectPublicKeyInfo.PublicKey(BitLength:1024)
30 81 89 02 81 81 00 b1 same content follows
...
79 D8 75 E3 6E AE 3D 02 03 01 00 01

On Linux:
...
RSA Public Key:(1024 bit)
Modulus (1024 bit):
00 b1 same content follows
...
79 D8 75 E3 6E AE 3D
Exponent: 0x10001

They are same, but openssl displays more subfields in the PublickKey, right?

Many Thanks!

Mary

[maryzhang]

Mitch,

In fact, I only need verify the client does have the private key by signing
some data sent from Server.
Do you think I can simply use CryptSignHash, and send the signed hash to
Linux Server and use "openssl dgst -verify pubkey -md5 -signature
signed-hash"? Do I need convert the format of the signed-hash for openssl?

Thank you very much!

Mary

[maryzhang]

Mitch,

I've tried CryptMsgGetParam() with CMSG_Encyrpted_Digest, but still cannot
get it to work.
I even tried CryptSignHash and low level msg sign
functions(CryptMsgOpenToEncode...), and tried both MD5 hash alg and SHA1 hash
alg, still no luck.

I've also tried "openssl rsautl -verify -in signed-hash -asn1parse -inkey
pubkey -pubin -hexdump -raw" cmd, it can parse sth and print the output like:
.... prim: OBJECT :sha1
some octet string ....
But the raw data doesn't match the original msg, however, if I change to use
some othe pubkey, it'll print error. Is the verification successful for the
1st case?

Thanks a lot!

Mary

[Mitch Gallant]

Send me a blob that you created with CryptSignMessage and the actual
message that you signed. It will be easier to discus this way and will
save time. I have quite a few compiled C capi snippets with many capi
functions (including CryptSignMessage). Might be a terminal string null
issue in the data that's being signed. Let me have a look.

- Mitch

"maryzhang" <mary...@discussions.microsoft.com> wrote in message

news:82998064-26CE-46EF...@microsoft.com...

[Mitch Gallant]

The only fields in the "public key" are the modulus and exponent. Depending
on how that public key is represented, there might be one level (RSAPublicKey)
or two levels (SubjectPublicKeyInfo) of asn.1 sequences.
Another common representation is the XML stingified representation of exactly
the same public key.

"Fields" (required) and extensions (optional) are usually used to refer to specific (signed)
data in an X509 certificate associated with the public key (as below) that the issuer's
signature validates.

- Mitch Gallant

"maryzhang" <mary...@discussions.microsoft.com> wrote in message

news:DE810C3D-9B60-4E28...@microsoft.com...
....

[Mitch Gallant]

If the server already has securely obtained the client's public key (either
for raw rsa keys or via an issued cert with that key), yes this will work.
Again, CryptSignHash generates pkcs1 signature blob in reverse byte
order to what .NET, Java, Openssl etc.. expect.
So to verify the pkcs1 in Openssl, reverse the signature bytes first.
- Mitch

"maryzhang" <mary...@discussions.microsoft.com> wrote in message

news:F5F63291-4E34-47E8...@microsoft.com...

[Mitch Gallant]

Don't need to convert (except for byte reveral) to use with openssl dgst command.

(1) CryptoAPI: CryptSignHash() ; specify same hash algorithm you plan to use for verification
(2) Reverse the signature bytes you obtain (should be same size as key .. e.g. 128 bytes for 1024 bit RSA key)
(3) Verify the signature to taste in any of Java, .NET, OpenSSL (i've confirmed this works with all)

In OpenSSL, verify a pkcs1 signature (after byte reversal above) using:
openssl dgst -sha1 -verify publickey.pem -signature signedhash content.txt
Since the pkcs1 signature is ONLY the signature (not including the content) you
obviously have to pass in the content to verify hash against (which you didn't do below).

I tried this .. no problems.

e.g. for this 20 byte content: "JavaScience rocks!\r\n"

I get the following signature (b64 encoded) (using my standard VeriSign smime certificate).
This was generated using VS 2005 compiled C code using capi CryptSignHash(). Then bytes
were reversed and b64 encoded (for posting here):

TCZClK8FKjXVbJjZY20tmMAkFg7SPW8Kt/EPL5NgGgOcHCUIqocIeKxZI8dLyrE2
Vl/mD5wcl93DOLlnl9pZ0quEB9dfU0uA0n7LBRVnHTjFwYemQP9TxrtF5GQ0tLrO
MBdUog7YK3JPv3Pz09meTo1uQqgizvA4VzBouI44w7s=

The PEM public key from my VeriSign cert (that will verify this pkcs1 signature is):

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI8eJ2+1/R+LQUu3Jb0jqm1PLc
mh6k86z0qeoqS+VG141g6xx7uBKV5n64EAkrRcsnVXZznLug7+piBLkjq9312bEw
w7oT1yIHYIlgFn1WxX1dacXMfZzU5u8ayF4mQA7Wnw0f/Glv010iqLOvxI34EIep
VNBT339INw4RNnpWmQIDAQAB
-----END PUBLIC KEY-----

- Mitch Gallant
MVP Security

"maryzhang" <mary...@discussions.microsoft.com> wrote in message

news:F5F63291-4E34-47E8...@microsoft.com...

[maryzhang]

Mitch,

In fact, I am using the example code from MSDN for CryptSignHash:
BYTE *pbBuffer= (BYTE *)"This is a random string.";
DWORD dwBufferLen = strlen((char *)pbBuffer)+1;
LPTSTR szDescription = NULL;

DWORD dwKeyType = AT_KEYEXCHANGE; //AT_SIGNATURE; , key used for the sign
ALG_ID hashAlg = CALG_SHA1; //use default alg for openssl, CALG_MD5,
...
CryptHashData(hHash, pbBuffer, dwBufferLen, 0);
...
CryptSignHash( hHash, dwKeyType, szDescription, 0, pbSignature,
&dwSigLen);
...
And I wrote the dwSigLen bytes in a file(signedhash-sha1.tmp) and worte the
bytes in reversed order to anotherfile(signed-rev-sha1.tmp) and send the
files to Linux by WinSCP. On Linux, I put same string as pbBuffer in a file
msg.txt, then I use openssl cmd:
"openssl dgst -d -verify desktop-pubkey.cer -sha1 -signature
signedhash-rev-sha1.tmp msg.txt"
The desktop-pubkey.cer is extracted using openssl from cert in PEM format
from windows.
But I got verification failure for both signedhash-rev-sha1.tmp and
signedhash-sha1.tmp.

Here is the base64 encoded blob for signedhash-rev-sha1.tmp(it's not 64
chars per line as PEM):

NaNuqemL4ldVLHrcnrtVaGduLyobtdvoGouxqWuklkHWfg46ae9pkWfVuwEjARODJtF6rf3XEiUvRtrBkrnwkXzDxUuuhbkHPopmlgykx5sOPTNxJquf2XLRC8UrZ3KUENS0yfit3HpQ+26WpPxBqTrU7msE1if1poV2AeiLfoY=

And the public key:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxJe01e3MJrgXgAePB39ihCLyN
H6nTPw5MOihIGa3CBlksZ7t1/rC1H0OWmGJXeYtiIhEm6vZEk+vsq1AphjAAVp7j
n0fz7WT7RB3eeYTle0xCtiV+SkePScKsDECyc6RNqFfRFoDwrwik6vJtK01f4aMS
n1TX/NFeedh1426uPQIDAQAB
-----END PUBLIC KEY-----

Thank you so much.

Mary

[Mitch Gallant]

You are not verifying against the correct content!
Those (and most) MSDN samples hash a string PLUS the null byte (so that it
is easy to display the recovered string using a printf (.. %s)
So, just add a null byte to your data, or change to strlen((char *)pbBuffer
and get rid of the +1 (buffer size for extra terminal null).

I tried your sample and had no problem verifying with openssl (after I added
terminal null to your string).

- Mitch

"maryzhang" <mary...@discussions.microsoft.com> wrote in message

news:683B2AFA-88F4-47E6...@microsoft.com...

[maryzhang]

Mitch,

It works now. Just becasue of the null byte :(
Thank you very very ... much!!!

Mary