2

I want to sign some things within my C# application, but I need to do so with a private RSA key that I have previously generated with GnuPG instead of a new key generated within the application itself.

I can export the RSA key with GnuPG and get something like this (please note that I have omitted most lines here; it is just an example):

-----BEGIN PGP PRIVATE KEY BLOCK-----
lQOYBFXlhWwBCACfOGAw5Qr5ddFvDFZlDmys18KRV3XawArMiPe4hzivsEB3h+M1
df12Pz3l6IWnUJ/nJt/ZohwCOjm93+zT3xmGcAL9mh/lez6+UoQB8uB0hJ1ltLnZ
8RumvpExXJ2c6LfmaLrwyLHLUSAu8mfV6KoLtD9OxHkIdHktKpBzIPkLG9lRNAmN
kzjI9sz7pLq80+YevPA60niI0SBwbmJTHluvEQB32BkcEQ==
=u3H/
-----END PGP PRIVATE KEY BLOCK-----

Now the question is: how could I import that into the C# cryptography subsystem so I can use it for signing things?

Jens Erat
Fran Marzoa

2 Answers

3

The built-in crypto library of C# only supports X.509, not OpenPGP; the two are incompatible, although in principle they use the same cryptographic algorithms. You might be able to extract the RSA primes and import them somehow, but the libraries will still not be able to produce valid OpenPGP output.

Use the Bouncy Castle library instead, which is an OpenPGP implementation for C# (or interface with GnuPG, for example through GPGME, but the C# binding is still an alpha version).

Jens Erat
  • Thanks for your answer. I'm using C# inside Unity, which has some limitations, so I prefer to avoid third-party libraries if I can. What if I export my GPG key to X509 instead? Would that make it possible to import such a key into my C# code? – Fran Marzoa Sep 01 '15 at 12:12
  • 1
    What do you want to achieve? If you want to have OpenPGP signatures, you cannot do this without further libraries. If you do not need them, I'd propose generating X.509 certificates/keys from the start instead. – Jens Erat Sep 01 '15 at 12:35
  • You may be right about that. I just need to sign a request and send it to a server, where a PHP script will check the signature using this function: http://php.net/manual/en/function.openssl-verify.php I thought these things were standard enough so an RSA key would always be an RSA key, and something signed with an RSA key would be verifiable by any software that supports RSA signing. It seems I was wrong and there are many formats and variations... :-( – Fran Marzoa Sep 01 '15 at 12:45
  • As far as I understand the C# cryptography libraries, you should be able to go for X.509 certificates, which are supported natively. On the PHP side, you can use the OpenSSL library to verify those signatures. There should also be support for pretty much every platform available. Converting the key still does not seem reasonable to me and just adds additional effort without benefit. – Jens Erat Sep 01 '15 at 13:35
  • 1
    I agree with your point. Moreover, couldn't I achieve the same just using the SslStream class from the client app with its own certificate and handling everything on the other side with Apache's built-in SSL capabilities? So the PHP script will just have to ask the Apache server if the client is authenticated. I think this would make things even simpler. Anyway, I am choosing your answer as the best for my question, because it is accurate and it is the first one I received: to sum it up, the answer to this question is that I can't directly use those GPG keys in C# code without third-party libraries. – Fran Marzoa Sep 01 '15 at 15:08
  • 1
    If all you need is authentication, your proposal seems like a very reasonable thing to do. Least effort, and common and proven technology. – Jens Erat Sep 01 '15 at 15:12
1

What you quoted is not exactly an "RSA key" but an armored OpenPGP private key which probably includes RSA key material and also includes other stuff.

As said in the other answer, you will have a hard time importing it into C# (especially in Unity) without a third-party library. If you need this as a one-time operation, you can take our SecureBlackbox (evaluation will be enough), load the OpenPGP key, then take the key material and save it to a format which you can load into Unity later.

If you plan to perform such operations on a regular basis, it makes sense to write a key generator in C# and generate RSA keys suitable for your needs without OpenPGP.

Eugene Mayevski 'Callback
  • Thanks a lot! That won't be a bad idea either, but then I will have to deal with the server part recognizing the C# generated keys instead. I think I am going to try with SSL, that seems to be a well established standard, and see what happens... – Fran Marzoa Sep 01 '15 at 15:10
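What the second answer means by "other stuff", shown as an added example that is not part of either answer: a Python sketch that decodes only the first armor line quoted in the question and reads the RFC 4880 packet header plus the public fields that open the key packet. The function and table names are this example's own, and only version 4 key packets are handled.

```python
import base64
import struct
from datetime import datetime, timezone

# First armor line of the key quoted in the question (the rest is elided there).
FIRST_ARMOR_LINE = "lQOYBFXlhWwBCACfOGAw5Qr5ddFvDFZlDmys18KRV3XawArMiPe4hzivsEB3h+M1"

TAGS = {5: "Secret-Key", 6: "Public-Key", 7: "Secret-Subkey", 14: "Public-Subkey"}
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}


def parse_packet_header(data):
    """Return (tag, body_length, header_size) for one RFC 4880 packet header."""
    first = data[0]
    if not first & 0x80:
        # A DER-encoded key (X.509 / PKCS#8) starts with 0x30 and lands here.
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:  # new-format header: tag in the low six bits
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            return tag, l0, 2
        if l0 < 224:
            return tag, ((l0 - 192) << 8) + data[2] + 192, 3
        if l0 == 255:
            return tag, struct.unpack(">I", data[2:6])[0], 6
        raise ValueError("partial body lengths are not handled here")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if length_type == 3:
        raise ValueError("indeterminate length is not handled here")
    size = 1 << length_type  # 1, 2 or 4 length octets
    return tag, int.from_bytes(data[1:1 + size], "big"), 1 + size


def describe_key_packet(armor_line):
    """Decode the public fields that open a version 4 key packet."""
    raw = base64.b64decode(armor_line)
    tag, body_length, header_size = parse_packet_header(raw)
    if tag not in TAGS:
        raise ValueError("not a key packet")
    # version (1), creation time (4), algorithm (1), bit count of the first MPI (2)
    version, created, algo, mpi_bits = struct.unpack_from(">BIBH", raw, header_size)
    if version != 4:
        raise ValueError("only version 4 key packets are handled here")
    return {
        "packet": TAGS[tag],
        "body_length": body_length,
        "version": version,
        "created": datetime.fromtimestamp(created, timezone.utc),
        "algorithm": PUBKEY_ALGOS.get(algo, str(algo)),
        "modulus_bits": mpi_bits,
    }
```

Calling `describe_key_packet(FIRST_ARMOR_LINE)` reports a Secret-Key packet holding a version 4 RSA key with a 2048-bit modulus: the RSA numbers are there, but inside OpenPGP packet framing rather than the DER structure that X.509 and OpenSSL tooling load.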