
To verify PKCS1 signature

When our system returns a PKCS1 response, the digital signature and the authenticated user's certificate are included separately. To verify the digital signature, we use:

  • The user’s certificate

  • The signature

  • The hash string we sent at the beginning of the authentication process (“binding_content” in CIBA, the IDToken7 input in REST API)

There are ready-made tools available for most programming languages that can be used to verify PKCS1 signatures. Below is a small code example in C# that hopefully makes it clearer:

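Code Block
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Returns true only if the signature is a valid PKCS1 (SHA-512) signature over
// the hash we sent, made with the key in the user's certificate.
private bool validatePKCS1Signature(string signatureFromAudkenni, string hashStringFromAuthenticationRequest, string usersCertFromAudkenni)
{
    byte[] orgHash = null;
    byte[] signedHash = null;
    byte[] certBytes = null;
    X509Certificate2 certificate = null;
    try
    {
        // All three inputs arrive Base64-encoded.
        orgHash = Convert.FromBase64String(hashStringFromAuthenticationRequest);
        signedHash = Convert.FromBase64String(signatureFromAudkenni);
        certBytes = Convert.FromBase64String(usersCertFromAudkenni);
        certificate = new X509Certificate2(certBytes);
        RSA key = certificate.GetRSAPublicKey();
        if (key == null)
        {
            // The certificate does not carry an RSA public key.
            return false;
        }
        RSAPKCS1SignatureDeformatter formatter = new RSAPKCS1SignatureDeformatter(key);
        formatter.SetHashAlgorithm("SHA512");
        var result = formatter.VerifySignature(orgHash, signedHash);
        return result;
    }
    catch (FormatException)
    {
        // One of the inputs was not valid Base64.
        return false;
    }
    catch (CryptographicException)
    {
        return false;
    }
}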
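
The following is an added example, not code from the original page: it signs one SHA-512 hash with a constructed throwaway key and self-signed certificate, then runs the same PKCS1 check against the hash that was sent, a different hash, an altered signature and malformed Base64. Only the first case uses the hash that was actually signed, so it is the only one that should verify. The Verify helper, the certificate subject and the request strings are assumptions for illustration, and CertificateRequest needs .NET Core 2.0 or later (or .NET Framework 4.7.2).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class Pkcs1VerifyDemo
{
    // Hypothetical helper: the same PKCS1/SHA-512 check via RSA.VerifyHash (a SHA-512 digest is 64 bytes).
    static bool Verify(string signatureB64, string hashB64, string certB64)
    {
        try
        {
            byte[] hash = Convert.FromBase64String(hashB64);
            byte[] signature = Convert.FromBase64String(signatureB64);
            using (var cert = new X509Certificate2(Convert.FromBase64String(certB64)))
            using (RSA key = cert.GetRSAPublicKey())
            {
                return key != null && hash.Length == 64 &&
                    key.VerifyHash(hash, signature, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
            }
        }
        catch (FormatException) { return false; }        // malformed Base64
        catch (CryptographicException) { return false; } // unparsable certificate or signature
    }

    static void Main()
    {
        // Constructed test identity: throwaway key and self-signed certificate.
        using (RSA userKey = RSA.Create(2048))
        using (SHA512 sha = SHA512.Create())
        {
            var request = new CertificateRequest("CN=Constructed Test User", userKey,
                HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
            X509Certificate2 cert = request.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
            string certB64 = Convert.ToBase64String(cert.Export(X509ContentType.Cert));
            string sent = Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes("constructed request A")));
            string other = Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes("constructed request B")));
            byte[] signature = userKey.SignHash(Convert.FromBase64String(sent),
                HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
            string sigB64 = Convert.ToBase64String(signature);
            signature[10] ^= 0x01; // flip one bit to get an altered signature
            Console.WriteLine("hash we sent:      " + Verify(sigB64, sent, certB64));
            Console.WriteLine("different hash:    " + Verify(sigB64, other, certB64));
            Console.WriteLine("altered signature: " + Verify(Convert.ToBase64String(signature), sent, certB64));
            Console.WriteLine("malformed Base64:  " + Verify(sigB64, "not base64!", certB64));
        }
    }
}
```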

To verify Certificate