-1

I've exported the root CA cert (ISRG Root X1) used by StackOverflow's digital certificate, as a DER encoded binary X.509 (.cer) file and used openssl in cmd to find out the modulus/exponent:

openssl.exe x509 -in C:\Cert.cer -inform der -text

enter image description here

I then did the same thing for the next certificate in the chain which is called R3, to get the signature:

enter image description here

Signature for R3:

enter image description here

I've copied these into C# as byte arrays and am using the following code to decrypt the signature:

using System.Security.Cryptography;

namespace RsaDecryptor
{
    class Program
    {
        static void Main(string[] args)
        {
            byte[] decryptedData;
            using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
            {
                var bytesRead = 0;


            // From ISRG root CA:
            var modulus = new byte[] { 0xad, 0xe8, 0x24, 0x73, 0xf4, 0x14, 0x37, 0xf3, 0x9b, 0x9e, 0x2b, 0x57, 0x28, 0x1c, 
                0x87, 0xbe, 0xdc, 0xb7, 0xdf, 0x38, 0x90, 0x8c, 0x6e, 0x3c, 0xe6, 0x57, 0xa0, 0x78, 0xf7, 0x75, 0xc2, 0xa2, 
                0xfe, 0xf5, 0x6a, 0x6e, 0xf6, 0x00, 0x4f, 0x28, 0xdb, 0xde, 0x68, 0x86, 0x6c, 0x44, 0x93, 0xb6, 0xb1, 0x63, 
                0xfd, 0x14, 0x12, 0x6b, 0xbf, 0x1f, 0xd2, 0xea, 0x31, 0x9b, 0x21, 0x7e, 0xd1, 0x33, 0x3c, 0xba, 0x48, 0xf5, 
                0xdd, 0x79, 0xdf, 0xb3, 0xb8, 0xff, 0x12, 0xf1, 0x21, 0x9a, 0x4b, 0xc1, 0x8a, 0x86, 0x71, 0x69, 0x4a, 0x66, 
                0x66, 0x6c, 0x8f, 0x7e, 0x3c, 0x70, 0xbf, 0xad, 0x29, 0x22, 0x06, 0xf3, 0xe4, 0xc0, 0xe6, 0x80, 0xae, 0xe2, 
                0x4b, 0x8f, 0xb7, 0x99, 0x7e, 0x94, 0x03, 0x9f, 0xd3, 0x47, 0x97, 0x7c, 0x99, 0x48, 0x23, 0x53, 0xe8, 0x38, 
                0xae, 0x4f, 0x0a, 0x6f, 0x83, 0x2e, 0xd1, 0x49, 0x57, 0x8c, 0x80, 0x74, 0xb6, 0xda, 0x2f, 0xd0, 0x38, 0x8d, 
                0x7b, 0x03, 0x70, 0x21, 0x1b, 0x75, 0xf2, 0x30, 0x3c, 0xfa, 0x8f, 0xae, 0xdd, 0xda, 0x63, 0xab, 0xeb, 0x16, 
                0x4f, 0xc2, 0x8e, 0x11, 0x4b, 0x7e, 0xcf, 0x0b, 0xe8, 0xff, 0xb5, 0x77, 0x2e, 0xf4, 0xb2, 0x7b, 0x4a, 0xe0, 
                0x4c, 0x12, 0x25, 0x0c, 0x70, 0x8d, 0x03, 0x29, 0xa0, 0xe1, 0x53, 0x24, 0xec, 0x13, 0xd9, 0xee, 0x19, 0xbf, 
                0x10, 0xb3, 0x4a, 0x8c, 0x3f, 0x89, 0xa3, 0x61, 0x51, 0xde, 0xac, 0x87, 0x07, 0x94, 0xf4, 0x63, 0x71, 0xec, 
                0x2e, 0xe2, 0x6f, 0x5b, 0x98, 0x81, 0xe1, 0x89, 0x5c, 0x34, 0x79, 0x6c, 0x76, 0xef, 0x3b, 0x90, 0x62, 0x79, 
                0xe6, 0xdb, 0xa4, 0x9a, 0x2f, 0x26, 0xc5, 0xd0, 0x10, 0xe1, 0x0e, 0xde, 0xd9, 0x10, 0x8e, 0x16, 0xfb, 0xb7, 
                0xf7, 0xa8, 0xf7, 0xc7, 0xe5, 0x02, 0x07, 0x98, 0x8f, 0x36, 0x08, 0x95, 0xe7, 0xe2, 0x37, 0x96, 0x0d, 0x36, 
                0x75, 0x9e, 0xfb, 0x0e, 0x72, 0xb1, 0x1d, 0x9b, 0xbc, 0x03, 0xf9, 0x49, 0x05, 0xd8, 0x81, 0xdd, 0x05, 0xb4, 
                0x2a, 0xd6, 0x41, 0xe9, 0xac, 0x01, 0x76, 0x95, 0x0a, 0x0f, 0xd8, 0xdf, 0xd5, 0xbd, 0x12, 0x1f, 0x35, 0x2f, 
                0x28, 0x17, 0x6c, 0xd2, 0x98, 0xc1, 0xa8, 0x09, 0x64, 0x77, 0x6e, 0x47, 0x37, 0xba, 0xce, 0xac, 0x59, 0x5e, 
                0x68, 0x9d, 0x7f, 0x72, 0xd6, 0x89, 0xc5, 0x06, 0x41, 0x29, 0x3e, 0x59, 0x3e, 0xdd, 0x26, 0xf5, 0x24, 0xc9, 
                0x11, 0xa7, 0x5a, 0xa3, 0x4c, 0x40, 0x1f, 0x46, 0xa1, 0x99, 0xb5, 0xa7, 0x3a, 0x51, 0x6e, 0x86, 0x3b, 0x9e, 
                0x7d, 0x72, 0xa7, 0x12, 0x05, 0x78, 0x59, 0xed, 0x3e, 0x51, 0x78, 0x15, 0x0b, 0x03, 0x8f, 0x8d, 0xd0, 0x2f, 
                0x05, 0xb2, 0x3e, 0x7b, 0x4a, 0x1c, 0x4b, 0x73, 0x05, 0x12, 0xfc, 0xc6, 0xea, 0xe0, 0x50, 0x13, 0x7c, 0x43, 
                0x93, 0x74, 0xb3, 0xca, 0x74, 0xe7, 0x8e, 0x1f, 0x01, 0x08, 0xd0, 0x30, 0xd4, 0x5b, 0x71, 0x36, 0xb4, 0x07, 
                0xba, 0xc1, 0x30, 0x30, 0x5c, 0x48, 0xb7, 0x82, 0x3b, 0x98, 0xa6, 0x7d, 0x60, 0x8a, 0xa2, 0xa3, 0x29, 0x82, 
                0xcc, 0xba, 0xbd, 0x83, 0x04, 0x1b, 0xa2, 0x83, 0x03, 0x41, 0xa1, 0xd6, 0x05, 0xf1, 0x1b, 0xc2, 0xb6, 0xf0, 
                0xa8, 0x7c, 0x86, 0x3b, 0x46, 0xa8, 0x48, 0x2a, 0x88, 0xdc, 0x76, 0x9a, 0x76, 0xbf, 0x1f, 0x6a, 0xa5, 0x3d, 
                0x19, 0x8f, 0xeb, 0x38, 0xf3, 0x64, 0xde, 0xc8, 0x2b, 0x0d, 0x0a, 0x28, 0xff, 0xf7, 0xdb, 0xe2, 0x15, 0x42, 
                0xd4, 0x22, 0xd0, 0x27, 0x5d, 0xe1, 0x79, 0xfe, 0x18, 0xe7, 0x70, 0x88, 0xad, 0x4e, 0xe6, 0xd9, 0x8b, 0x3a, 
                0xc6, 0xdd, 0x27, 0x51, 0x6e, 0xff, 0xbc, 0x64, 0xf5, 0x33, 0x43, 0x4f };

            // From R3 intermediate CA:
            var signature = new byte[] { 0x85, 0xca, 0x4e, 0x47, 0x3e, 0xa3, 0xf7, 0x85, 0x44, 0x85, 0xbc, 0xd5, 0x67, 0x78, 
                0xb2, 0x98, 0x63, 0xad, 0x75, 0x4d, 0x1e, 0x96, 0x3d, 0x33, 0x65, 0x72, 0x54, 0x2d, 0x81, 0xa0, 0xea, 0xc3, 
                0xed, 0xf8, 0x20, 0xbf, 0x5f, 0xcc, 0xb7, 0x70, 0x00, 0xb7, 0x6e, 0x3b, 0xf6, 0x5e, 0x94, 0xde, 0xe4, 0x20, 
                0x9f, 0xa6, 0xef, 0x8b, 0xb2, 0x03, 0xe7, 0xa2, 0xb5, 0x16, 0x3c, 0x91, 0xce, 0xb4, 0xed, 0x39, 0x02, 0xe7, 
                0x7c, 0x25, 0x8a, 0x47, 0xe6, 0x65, 0x6e, 0x3f, 0x46, 0xf4, 0xd9, 0xf0, 0xce, 0x94, 0x2b, 0xee, 0x54, 0xce, 
                0x12, 0xbc, 0x8c, 0x27, 0x4b, 0xb8, 0xc1, 0x98, 0x2f, 0xa2, 0xaf, 0xcd, 0x71, 0x91, 0x4a, 0x08, 0xb7, 0xc8, 
                0xb8, 0x23, 0x7b, 0x04, 0x2d, 0x08, 0xf9, 0x08, 0x57, 0x3e, 0x83, 0xd9, 0x04, 0x33, 0x0a, 0x47, 0x21, 0x78, 
                0x09, 0x82, 0x27, 0xc3, 0x2a, 0xc8, 0x9b, 0xb9, 0xce, 0x5c, 0xf2, 0x64, 0xc8, 0xc0, 0xbe, 0x79, 0xc0, 0x4f, 
                0x8e, 0x6d, 0x44, 0x0c, 0x5e, 0x92, 0xbb, 0x2e, 0xf7, 0x8b, 0x10, 0xe1, 0xe8, 0x1d, 0x44, 0x29, 0xdb, 0x59, 
                0x20, 0xed, 0x63, 0xb9, 0x21, 0xf8, 0x12, 0x26, 0x94, 0x93, 0x57, 0xa0, 0x1d, 0x65, 0x04, 0xc1, 0x0a, 0x22, 
                0xae, 0x10, 0x0d, 0x43, 0x97, 0xa1, 0x18, 0x1f, 0x7e, 0xe0, 0xe0, 0x86, 0x37, 0xb5, 0x5a, 0xb1, 0xbd, 0x30, 
                0xbf, 0x87, 0x6e, 0x2b, 0x2a, 0xff, 0x21, 0x4e, 0x1b, 0x05, 0xc3, 0xf5, 0x18, 0x97, 0xf0, 0x5e, 0xac, 0xc3, 
                0xa5, 0xb8, 0x6a, 0xf0, 0x2e, 0xbc, 0x3b, 0x33, 0xb9, 0xee, 0x4b, 0xde, 0xcc, 0xfc, 0xe4, 0xaf, 0x84, 0x0b, 
                0x86, 0x3f, 0xc0, 0x55, 0x43, 0x36, 0xf6, 0x68, 0xe1, 0x36, 0x17, 0x6a, 0x8e, 0x99, 0xd1, 0xff, 0xa5, 0x40, 
                0xa7, 0x34, 0xb7, 0xc0, 0xd0, 0x63, 0x39, 0x35, 0x39, 0x75, 0x6e, 0xf2, 0xba, 0x76, 0xc8, 0x93, 0x02, 0xe9, 
                0xa9, 0x4b, 0x6c, 0x17, 0xce, 0x0c, 0x02, 0xd9, 0xbd, 0x81, 0xfb, 0x9f, 0xb7, 0x68, 0xd4, 0x06, 0x65, 0xb3, 
                0x82, 0x3d, 0x77, 0x53, 0xf8, 0x8e, 0x79, 0x03, 0xad, 0x0a, 0x31, 0x07, 0x75, 0x2a, 0x43, 0xd8, 0x55, 0x97,
                0x72, 0xc4, 0x29, 0x0e, 0xf7, 0xc4, 0x5d, 0x4e, 0xc8, 0xae, 0x46, 0x84, 0x30, 0xd7, 0xf2, 0x85, 0x5f, 0x18, 
                0xa1, 0x79, 0xbb, 0xe7, 0x5e, 0x70, 0x8b, 0x07, 0xe1, 0x86, 0x93, 0xc3, 0xb9, 0x8f, 0xdc, 0x61, 0x71, 0x25, 
                0x2a, 0xaf, 0xdf, 0xed, 0x25, 0x50, 0x52, 0x68, 0x8b, 0x92, 0xdc, 0xe5, 0xd6, 0xb5, 0xe3, 0xda, 0x7d, 0xd0, 
                0x87, 0x6c, 0x84, 0x21, 0x31, 0xae, 0x82, 0xf5, 0xfb, 0xb9, 0xab, 0xc8, 0x89, 0x17, 0x3d, 0xe1, 0x4c, 0xe5, 
                0x38, 0x0e, 0xf6, 0xbd, 0x2b, 0xbd, 0x96, 0x81, 0x14, 0xeb, 0xd5, 0xdb, 0x3d, 0x20, 0xa7, 0x7e, 0x59, 0xd3, 
                0xe2, 0xf8, 0x58, 0xf9, 0x5b, 0xb8, 0x48, 0xcd, 0xfe, 0x5c, 0x4f, 0x16, 0x29, 0xfe, 0x1e, 0x55, 0x23, 0xaf, 
                0xc8, 0x11, 0xb0, 0x8d, 0xea, 0x7c, 0x93, 0x90, 0x17, 0x2f, 0xfd, 0xac, 0xa2, 0x09, 0x47, 0x46, 0x3f, 0xf0,
                0xe9, 0xb0, 0xb7, 0xff, 0x28, 0x4d, 0x68, 0x32, 0xd6, 0x67, 0x5e, 0x1e, 0x69, 0xa3, 0x93, 0xb8, 0xf5, 0x9d, 
                0x8b, 0x2f, 0x0b, 0xd2, 0x52, 0x43, 0xa6, 0x6f, 0x32, 0x57, 0x65, 0x4d, 0x32, 0x81, 0xdf, 0x38, 0x53, 0x85, 
                0x5d, 0x7e, 0x5d, 0x66, 0x29, 0xea, 0xb8, 0xdd, 0xe4, 0x95, 0xb5, 0xcd, 0xb5, 0x56, 0x12, 0x42, 0xcd, 0xc4, 
                0x4e, 0xc6, 0x25, 0x38, 0x44, 0x50, 0x6d, 0xec, 0xce, 0x00, 0x55, 0x18, 0xfe, 0xe9, 0x49, 0x64, 0xd4, 0x4e, 
                0xca, 0x97, 0x9c, 0xb4, 0x5b, 0xc0, 0x73, 0xa8, 0xab, 0xb8, 0x47, 0xc2 };

            // The next line results in:
            // AsnContentException: The encoded length exceeds the maximum supported by this library (Int32.MaxValue).
            rsa.ImportRSAPublicKey(modulus, out bytesRead);

            //var rsaParams = new RSAParameters();
            //rsaParams.Modulus = modulus;
            //rsaParams.Exponent = new byte[] { 0x01, 0x00, 0x01 };
            //rsa.ImportParameters(rsaParams);

            // If the 4 lines above are used instead, the following throws:
            // System.Security.Cryptography.CryptographicException: 'Cryptography_OAEPDecoding'
            // if fOAEP == true.
            // if fOAEP == false then it throws:
            // Internal.Cryptography.CryptoThrowHelper.WindowsCryptographicException: 'Key does not exist.'
            var fOAEP = false;
            decryptedData = rsa.Decrypt(signature, fOAEP);
        }
    }
}



}

rsa.ImportRSAPublicKey(modulus, out bytesRead); is failing with:

System.Security.Cryptography.CryptographicException: 'ASN1 corrupted data.'
AsnContentException: The encoded length exceeds the maximum supported by this library (Int32.MaxValue).

From the comments in the above code, you can see I'm trying another method, however this fails as well.

Is this the correct way to manually decrypt a signature using RSA?

Do I need to specify the exponent somewhere? Or is it assumed to be 65537?

David Klempfner
  • 125
  • 7
  • The coding part is off-topic here. ASN.1 JavaScript decoder may help your process. – kelalaka Feb 05 '22 at 10:46
  • 2
    You can't decrypt a signature. It's not encrypted. What are you actually trying to do? – Gilles 'SO- stop being evil' Feb 05 '22 at 10:55
  • Yes, as Gilles pointed out you are using the wrong terminology. You need to say decoding the DER and verification the signature. – kelalaka Feb 05 '22 at 11:38
  • As an old [so] user, you should know that cross-posting is not welcomed. Now we had two answers on the both sides. https://stackoverflow.com/q/70997010/1820553 – kelalaka Feb 05 '22 at 11:44
  • @Gilles'SO-stopbeingevil' the signature is the encrypted hash of the certificate. – David Klempfner Feb 05 '22 at 13:29
  • No, it's not. That's a somewhat common misconception, but in fact encryption and signature have nothing in common. There are encryption methods based on RSA, and there are signature methods based on RSA, but they work differently. Are you trying to understand how to verify an RSA signature? Have you read a description of how RSA signature verification works? (How encryption works won't help you.) If not, start by doing this, for example by reading the Wikipedia article and following its references. Then come back here if you have specific questions. – Gilles 'SO- stop being evil' Feb 05 '22 at 21:24

1 Answers1

1

From the docs, the public key should be in the following form:

The bytes of a PKCS#1 RSAPublicKey structure in the ASN.1-BER encoding.

That means it should be a sequence (0x30) of two integers (0x02), where each tag is followed by the length of the data encoded. Here are some examples of the structure: https://crypto.stackexchange.com/a/98513/49392 What is the SSL private key file format?

Note that a public key consists of both the modulus and the exponent (65537). At the moment, you're just trying to use the modulus alone. That is why you need to use the BER structure above to provide both pieces of data.

meshcollider
  • 1,573
  • 1
  • 10
  • 14