5

I want to be able to sign a file. By that I mean that the recipient can check that the file is indeed from me and can view its content. Is there any simple way to do that in C++?

I just had a look at the PGP article on Wikipedia but they lost me somewhere in the middle of "hashing, data compression, symmetric-key cryptography, and, finally, public-key cryptography". Ideally, I would like a library which has a function signString(string, privatekey) and the recipient would have a function readSignedString(string, publickey). Any suggestions?

Edit:

I'm not sure I'm using the right approach, so here is what I'm trying to do:

I want to implement some simple piracy protection in my desktop application. So when the user buys a license, I send them a signed file containing their name and email. The user then installs the file and the app reads it: it checks the signature validity and displays the name/email (in the About box). To make sure that crackers cannot generate these files, I need to make sure that the key to decrypt the file is not the same as the one to encrypt it. Is there any simple way to implement this?

Rob Hruska
laurent
  • do you want to encrypt the file (as your code examples say) or sign a file (as your text and subject say)? It's not clear what you are asking for – knittl Aug 13 '11 at 10:06
  • I want to sign a file (or a string) - I have updated the examples to show that. I hope it's clearer. – laurent Aug 13 '11 at 10:10
  • I know that, it's not what I'm asking. – laurent Aug 13 '11 at 10:49

4 Answers

6

OpenSSL is almost what you need. It doesn't have two such functions, but it's almost as easy. First of all, every digital signature requires a hash algorithm. The reason is that you don't encrypt the file, you only encrypt the file hash (it would take too long to verify otherwise).

With OpenSSL you can use something like this:

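#include <openssl/evp.h>

/* data/size: the bytes to sign; pkey: the signer's private key (EVP_PKEY *) */
EVP_MD_CTX *ctx = EVP_MD_CTX_new();      /* opaque type since OpenSSL 1.1.0: allocate it */
unsigned char signature[SIGNATURE_LEN];  /* needs at least EVP_PKEY_size(pkey) bytes */
unsigned int signature_len;              /* EVP_SignFinal expects unsigned int * */

EVP_SignInit(ctx, EVP_sha1());           /* choose the hash used for the signature */
EVP_SignUpdate(ctx, data, size);         /* may be called repeatedly for large inputs */
EVP_SignFinal(ctx, signature, &signature_len, pkey);
EVP_MD_CTX_free(ctx);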

And pretty much the same for validating the signature, only using EVP_ValidateInit, EVP_ValidateUpdate and EVP_ValidateFinal. The last function returns 0/1 to say whether validation succeeded or not.

You still need to get the key into the application; there are quite a few functions to do that, depending on where you read it from (file/memory/certificate etc.)

Omri Barel
2

You can also use Keyczar for encrypting and decrypting your file.

But actually you can't crack-proof your program like this. It makes it harder, but crackers can disassemble your program, find the function that checks the validity of those signed files, and change it to accept any kind of file.

Kamyar Infinity
  • Seems like a very promising project but unfortunately it's not for Windows. – laurent Aug 13 '11 at 16:41
  • I know I can't crack-proof my program, my goal is to make the protection annoying enough that the only way to go around it is to download a cracked version from the internet (because some people don't like to download stuff from dodgy crack websites). And if someone publishes their license file, their name will be attached to it, so I can blacklist the license in future versions. – laurent Aug 13 '11 at 16:46
0

You might want to take a look at the GNU version of PGP, GnuPG. It uses an OSS lib called libgcrypt (http://directory.fsf.org/project/libgcrypt/) which looks to be able to do what you want. See http://www.gnupg.org/documentation/manuals/gcrypt/ for the manual.

Svend
0

For information, after having tried most of the suggestions here, I ended up using the openpgp command line tool. It's quite lightweight once UPXed, it's cross-platform and it does what I need in an easy way.

laurent