Manually decrypt the signature in a digital certificate

Question

I've exported the root CA cert (ISRG Root X1) used by StackOverflow's digital certificate, as a DER encoded binary X.509 (.cer) file and used openssl in cmd to find out the modulus/exponent:

openssl.exe x509 -in C:\Cert.cer -inform der -text

I then did the same thing for the next certificate in the chain which is called R3, to get the signature:

Signature for R3:

I've copied these into C# as byte arrays and am using the following code to decrypt the signature:

using System.Security.Cryptography;

namespace RsaDecryptor
{
    class Program
    {
        static void Main(string[] args)
        {
            byte[] decryptedData;
            using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
            {
                var bytesRead = 0;
                
                // From ISRG root CA:
                var modulus = new byte[] { 0xad, 0xe8, 0x24, 0x73, 0xf4, 0x14, 0x37, 0xf3, 0x9b, 0x9e, 0x2b, 0x57, 0x28, 0x1c, 
                    0x87, 0xbe, 0xdc, 0xb7, 0xdf, 0x38, 0x90, 0x8c, 0x6e, 0x3c, 0xe6, 0x57, 0xa0, 0x78, 0xf7, 0x75, 0xc2, 0xa2, 
                    0xfe, 0xf5, 0x6a, 0x6e, 0xf6, 0x00, 0x4f, 0x28, 0xdb, 0xde, 0x68, 0x86, 0x6c, 0x44, 0x93, 0xb6, 0xb1, 0x63, 
                    0xfd, 0x14, 0x12, 0x6b, 0xbf, 0x1f, 0xd2, 0xea, 0x31, 0x9b, 0x21, 0x7e, 0xd1, 0x33, 0x3c, 0xba, 0x48, 0xf5, 
                    0xdd, 0x79, 0xdf, 0xb3, 0xb8, 0xff, 0x12, 0xf1, 0x21, 0x9a, 0x4b, 0xc1, 0x8a, 0x86, 0x71, 0x69, 0x4a, 0x66, 
                    0x66, 0x6c, 0x8f, 0x7e, 0x3c, 0x70, 0xbf, 0xad, 0x29, 0x22, 0x06, 0xf3, 0xe4, 0xc0, 0xe6, 0x80, 0xae, 0xe2, 
                    0x4b, 0x8f, 0xb7, 0x99, 0x7e, 0x94, 0x03, 0x9f, 0xd3, 0x47, 0x97, 0x7c, 0x99, 0x48, 0x23, 0x53, 0xe8, 0x38, 
                    0xae, 0x4f, 0x0a, 0x6f, 0x83, 0x2e, 0xd1, 0x49, 0x57, 0x8c, 0x80, 0x74, 0xb6, 0xda, 0x2f, 0xd0, 0x38, 0x8d, 
                    0x7b, 0x03, 0x70, 0x21, 0x1b, 0x75, 0xf2, 0x30, 0x3c, 0xfa, 0x8f, 0xae, 0xdd, 0xda, 0x63, 0xab, 0xeb, 0x16, 
                    0x4f, 0xc2, 0x8e, 0x11, 0x4b, 0x7e, 0xcf, 0x0b, 0xe8, 0xff, 0xb5, 0x77, 0x2e, 0xf4, 0xb2, 0x7b, 0x4a, 0xe0, 
                    0x4c, 0x12, 0x25, 0x0c, 0x70, 0x8d, 0x03, 0x29, 0xa0, 0xe1, 0x53, 0x24, 0xec, 0x13, 0xd9, 0xee, 0x19, 0xbf, 
                    0x10, 0xb3, 0x4a, 0x8c, 0x3f, 0x89, 0xa3, 0x61, 0x51, 0xde, 0xac, 0x87, 0x07, 0x94, 0xf4, 0x63, 0x71, 0xec, 
                    0x2e, 0xe2, 0x6f, 0x5b, 0x98, 0x81, 0xe1, 0x89, 0x5c, 0x34, 0x79, 0x6c, 0x76, 0xef, 0x3b, 0x90, 0x62, 0x79, 
                    0xe6, 0xdb, 0xa4, 0x9a, 0x2f, 0x26, 0xc5, 0xd0, 0x10, 0xe1, 0x0e, 0xde, 0xd9, 0x10, 0x8e, 0x16, 0xfb, 0xb7, 
                    0xf7, 0xa8, 0xf7, 0xc7, 0xe5, 0x02, 0x07, 0x98, 0x8f, 0x36, 0x08, 0x95, 0xe7, 0xe2, 0x37, 0x96, 0x0d, 0x36, 
                    0x75, 0x9e, 0xfb, 0x0e, 0x72, 0xb1, 0x1d, 0x9b, 0xbc, 0x03, 0xf9, 0x49, 0x05, 0xd8, 0x81, 0xdd, 0x05, 0xb4, 
                    0x2a, 0xd6, 0x41, 0xe9, 0xac, 0x01, 0x76, 0x95, 0x0a, 0x0f, 0xd8, 0xdf, 0xd5, 0xbd, 0x12, 0x1f, 0x35, 0x2f, 
                    0x28, 0x17, 0x6c, 0xd2, 0x98, 0xc1, 0xa8, 0x09, 0x64, 0x77, 0x6e, 0x47, 0x37, 0xba, 0xce, 0xac, 0x59, 0x5e, 
                    0x68, 0x9d, 0x7f, 0x72, 0xd6, 0x89, 0xc5, 0x06, 0x41, 0x29, 0x3e, 0x59, 0x3e, 0xdd, 0x26, 0xf5, 0x24, 0xc9, 
                    0x11, 0xa7, 0x5a, 0xa3, 0x4c, 0x40, 0x1f, 0x46, 0xa1, 0x99, 0xb5, 0xa7, 0x3a, 0x51, 0x6e, 0x86, 0x3b, 0x9e, 
                    0x7d, 0x72, 0xa7, 0x12, 0x05, 0x78, 0x59, 0xed, 0x3e, 0x51, 0x78, 0x15, 0x0b, 0x03, 0x8f, 0x8d, 0xd0, 0x2f, 
                    0x05, 0xb2, 0x3e, 0x7b, 0x4a, 0x1c, 0x4b, 0x73, 0x05, 0x12, 0xfc, 0xc6, 0xea, 0xe0, 0x50, 0x13, 0x7c, 0x43, 
                    0x93, 0x74, 0xb3, 0xca, 0x74, 0xe7, 0x8e, 0x1f, 0x01, 0x08, 0xd0, 0x30, 0xd4, 0x5b, 0x71, 0x36, 0xb4, 0x07, 
                    0xba, 0xc1, 0x30, 0x30, 0x5c, 0x48, 0xb7, 0x82, 0x3b, 0x98, 0xa6, 0x7d, 0x60, 0x8a, 0xa2, 0xa3, 0x29, 0x82, 
                    0xcc, 0xba, 0xbd, 0x83, 0x04, 0x1b, 0xa2, 0x83, 0x03, 0x41, 0xa1, 0xd6, 0x05, 0xf1, 0x1b, 0xc2, 0xb6, 0xf0, 
                    0xa8, 0x7c, 0x86, 0x3b, 0x46, 0xa8, 0x48, 0x2a, 0x88, 0xdc, 0x76, 0x9a, 0x76, 0xbf, 0x1f, 0x6a, 0xa5, 0x3d, 
                    0x19, 0x8f, 0xeb, 0x38, 0xf3, 0x64, 0xde, 0xc8, 0x2b, 0x0d, 0x0a, 0x28, 0xff, 0xf7, 0xdb, 0xe2, 0x15, 0x42, 
                    0xd4, 0x22, 0xd0, 0x27, 0x5d, 0xe1, 0x79, 0xfe, 0x18, 0xe7, 0x70, 0x88, 0xad, 0x4e, 0xe6, 0xd9, 0x8b, 0x3a, 
                    0xc6, 0xdd, 0x27, 0x51, 0x6e, 0xff, 0xbc, 0x64, 0xf5, 0x33, 0x43, 0x4f };

                // From R3 intermediate CA:
                var signature = new byte[] { 0x85, 0xca, 0x4e, 0x47, 0x3e, 0xa3, 0xf7, 0x85, 0x44, 0x85, 0xbc, 0xd5, 0x67, 0x78, 
                    0xb2, 0x98, 0x63, 0xad, 0x75, 0x4d, 0x1e, 0x96, 0x3d, 0x33, 0x65, 0x72, 0x54, 0x2d, 0x81, 0xa0, 0xea, 0xc3, 
                    0xed, 0xf8, 0x20, 0xbf, 0x5f, 0xcc, 0xb7, 0x70, 0x00, 0xb7, 0x6e, 0x3b, 0xf6, 0x5e, 0x94, 0xde, 0xe4, 0x20, 
                    0x9f, 0xa6, 0xef, 0x8b, 0xb2, 0x03, 0xe7, 0xa2, 0xb5, 0x16, 0x3c, 0x91, 0xce, 0xb4, 0xed, 0x39, 0x02, 0xe7, 
                    0x7c, 0x25, 0x8a, 0x47, 0xe6, 0x65, 0x6e, 0x3f, 0x46, 0xf4, 0xd9, 0xf0, 0xce, 0x94, 0x2b, 0xee, 0x54, 0xce, 
                    0x12, 0xbc, 0x8c, 0x27, 0x4b, 0xb8, 0xc1, 0x98, 0x2f, 0xa2, 0xaf, 0xcd, 0x71, 0x91, 0x4a, 0x08, 0xb7, 0xc8, 
                    0xb8, 0x23, 0x7b, 0x04, 0x2d, 0x08, 0xf9, 0x08, 0x57, 0x3e, 0x83, 0xd9, 0x04, 0x33, 0x0a, 0x47, 0x21, 0x78, 
                    0x09, 0x82, 0x27, 0xc3, 0x2a, 0xc8, 0x9b, 0xb9, 0xce, 0x5c, 0xf2, 0x64, 0xc8, 0xc0, 0xbe, 0x79, 0xc0, 0x4f, 
                    0x8e, 0x6d, 0x44, 0x0c, 0x5e, 0x92, 0xbb, 0x2e, 0xf7, 0x8b, 0x10, 0xe1, 0xe8, 0x1d, 0x44, 0x29, 0xdb, 0x59, 
                    0x20, 0xed, 0x63, 0xb9, 0x21, 0xf8, 0x12, 0x26, 0x94, 0x93, 0x57, 0xa0, 0x1d, 0x65, 0x04, 0xc1, 0x0a, 0x22, 
                    0xae, 0x10, 0x0d, 0x43, 0x97, 0xa1, 0x18, 0x1f, 0x7e, 0xe0, 0xe0, 0x86, 0x37, 0xb5, 0x5a, 0xb1, 0xbd, 0x30, 
                    0xbf, 0x87, 0x6e, 0x2b, 0x2a, 0xff, 0x21, 0x4e, 0x1b, 0x05, 0xc3, 0xf5, 0x18, 0x97, 0xf0, 0x5e, 0xac, 0xc3, 
                    0xa5, 0xb8, 0x6a, 0xf0, 0x2e, 0xbc, 0x3b, 0x33, 0xb9, 0xee, 0x4b, 0xde, 0xcc, 0xfc, 0xe4, 0xaf, 0x84, 0x0b, 
                    0x86, 0x3f, 0xc0, 0x55, 0x43, 0x36, 0xf6, 0x68, 0xe1, 0x36, 0x17, 0x6a, 0x8e, 0x99, 0xd1, 0xff, 0xa5, 0x40, 
                    0xa7, 0x34, 0xb7, 0xc0, 0xd0, 0x63, 0x39, 0x35, 0x39, 0x75, 0x6e, 0xf2, 0xba, 0x76, 0xc8, 0x93, 0x02, 0xe9, 
                    0xa9, 0x4b, 0x6c, 0x17, 0xce, 0x0c, 0x02, 0xd9, 0xbd, 0x81, 0xfb, 0x9f, 0xb7, 0x68, 0xd4, 0x06, 0x65, 0xb3, 
                    0x82, 0x3d, 0x77, 0x53, 0xf8, 0x8e, 0x79, 0x03, 0xad, 0x0a, 0x31, 0x07, 0x75, 0x2a, 0x43, 0xd8, 0x55, 0x97,
                    0x72, 0xc4, 0x29, 0x0e, 0xf7, 0xc4, 0x5d, 0x4e, 0xc8, 0xae, 0x46, 0x84, 0x30, 0xd7, 0xf2, 0x85, 0x5f, 0x18, 
                    0xa1, 0x79, 0xbb, 0xe7, 0x5e, 0x70, 0x8b, 0x07, 0xe1, 0x86, 0x93, 0xc3, 0xb9, 0x8f, 0xdc, 0x61, 0x71, 0x25, 
                    0x2a, 0xaf, 0xdf, 0xed, 0x25, 0x50, 0x52, 0x68, 0x8b, 0x92, 0xdc, 0xe5, 0xd6, 0xb5, 0xe3, 0xda, 0x7d, 0xd0, 
                    0x87, 0x6c, 0x84, 0x21, 0x31, 0xae, 0x82, 0xf5, 0xfb, 0xb9, 0xab, 0xc8, 0x89, 0x17, 0x3d, 0xe1, 0x4c, 0xe5, 
                    0x38, 0x0e, 0xf6, 0xbd, 0x2b, 0xbd, 0x96, 0x81, 0x14, 0xeb, 0xd5, 0xdb, 0x3d, 0x20, 0xa7, 0x7e, 0x59, 0xd3, 
                    0xe2, 0xf8, 0x58, 0xf9, 0x5b, 0xb8, 0x48, 0xcd, 0xfe, 0x5c, 0x4f, 0x16, 0x29, 0xfe, 0x1e, 0x55, 0x23, 0xaf, 
                    0xc8, 0x11, 0xb0, 0x8d, 0xea, 0x7c, 0x93, 0x90, 0x17, 0x2f, 0xfd, 0xac, 0xa2, 0x09, 0x47, 0x46, 0x3f, 0xf0,
                    0xe9, 0xb0, 0xb7, 0xff, 0x28, 0x4d, 0x68, 0x32, 0xd6, 0x67, 0x5e, 0x1e, 0x69, 0xa3, 0x93, 0xb8, 0xf5, 0x9d, 
                    0x8b, 0x2f, 0x0b, 0xd2, 0x52, 0x43, 0xa6, 0x6f, 0x32, 0x57, 0x65, 0x4d, 0x32, 0x81, 0xdf, 0x38, 0x53, 0x85, 
                    0x5d, 0x7e, 0x5d, 0x66, 0x29, 0xea, 0xb8, 0xdd, 0xe4, 0x95, 0xb5, 0xcd, 0xb5, 0x56, 0x12, 0x42, 0xcd, 0xc4, 
                    0x4e, 0xc6, 0x25, 0x38, 0x44, 0x50, 0x6d, 0xec, 0xce, 0x00, 0x55, 0x18, 0xfe, 0xe9, 0x49, 0x64, 0xd4, 0x4e, 
                    0xca, 0x97, 0x9c, 0xb4, 0x5b, 0xc0, 0x73, 0xa8, 0xab, 0xb8, 0x47, 0xc2 };

                // The next line results in:
                // AsnContentException: The encoded length exceeds the maximum supported by this library (Int32.MaxValue).
                rsa.ImportRSAPublicKey(modulus, out bytesRead);

                //var rsaParams = new RSAParameters();
                //rsaParams.Modulus = modulus;
                //rsaParams.Exponent = new byte[] { 0x01, 0x00, 0x01 };
                //rsa.ImportParameters(rsaParams);

                // If the 4 lines above are used instead, the following throws:
                // System.Security.Cryptography.CryptographicException: 'Cryptography_OAEPDecoding'
                // if fOAEP == true.
                // if fOAEP == false then it throws:
                // Internal.Cryptography.CryptoThrowHelper.WindowsCryptographicException: 'Key does not exist.'
                var fOAEP = false;
                decryptedData = rsa.Decrypt(signature, fOAEP);
            }
        }
    }
}

rsa.ImportRSAPublicKey(modulus, out bytesRead); is failing with:

System.Security.Cryptography.CryptographicException: 'ASN1 corrupted data.'
AsnContentException: The encoded length exceeds the maximum supported by this library (Int32.MaxValue).

From the comments in the above code, you can see I'm trying another method, however this fails as well.

Is this the correct way to manually decrypt a signature using RSA?

Do I need to specify the exponent somewhere? Or is it assumed to be 65537?

Answer 1

C# does not support a low level verifying process, in particular no decryption with the public key is possible. However, this is supported by Bouncy Castle:

using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Encodings;
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Utilities.Encoders;
...
RsaKeyParameters rsaPublicKeyParameters = new RsaKeyParameters(false, new BigInteger(1, modulus), new BigInteger("65537"));
IAsymmetricBlockCipher rsa = new Pkcs1Encoding(new RsaEngine());
rsa.Init(false, rsaPublicKeyParameters);
byte[] decrypted = rsa.ProcessBlock(signature, 0, signature.Length);
Console.WriteLine(Hex.ToHexString(decrypted));

This gives for your data (hex encoded):

3031300d060960864801650304020105000420444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce

The front part:

3031300d060960864801650304020105000420

identifies the digest, here SHA256. The rest is the actual hash of the signed data:

444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce

---

Details:

The public key contains the modulus as well as the public exponent (which is 65537 according to the screenshot). The ImportRSAPublicKey() method expects a public key in PKCS#1 format, DER encoded. So the error message is caused because a wrong key is passed. Regarding the padding: sha256WithRSAEncryption implies PKCS#1 v1.5, not OAEP.

When verifying, the data is hashed as during signing, the DER encoding of the DigestInfo value is generated and padded. This data is compared to the data resulting from decrypting the signature with the public key. If both data are identical, the verification is successful, otherwise it is not. This is described in detail in RFC8017, section 8.2.2. Signature Verification Operation for PKCS#1 v1.5.

.NET does not support decryption with the public key, so a low level implementation of this process with the built-in classes is not possible. Of course, the overall process, i.e. verification, is supported with various methods, e.g. RSA.VerifyData(). This method requires the signed data in addition to the signature.

---

Edit:

To verify the signature of the user certificate with C#, user and root certificate must first be imported, e.g. using BouncyCastle. In the following, PEM encoded certificates are assumed for simplicity (DER encoding is also supported, however):

using Org.BouncyCastle.X509;
...

string userCertPem = @"-----BEGIN CERTIFICATE-----
                     ...
                     -----END CERTIFICATE-----";
string rootCertPem = @"-----BEGIN CERTIFICATE-----
                     ...
                     -----END CERTIFICATE-----";
                     
X509CertificateParser certificateParser = new X509CertificateParser();
X509Certificate userCert = certificateParser.ReadCertificate(Encoding.UTF8.GetBytes(userCertPem)); 
X509Certificate rootCert = certificateParser.ReadCertificate(Encoding.UTF8.GetBytes(rootCertPem));

BouncyCastle encapsulates verification in the Verify() method:

try
{
    userCert.Verify(rootCert.GetPublicKey());
    Console.WriteLine("verification succeeded");
}
catch
{
    Console.WriteLine("verification failed");
}

With regard to the previously mentioned VerifyData() it may be noted that with GetPublicKey(), GetSignature() and GetTbsCertificate() the public key of the root certificate, as well as signature and signed data of the user certificate can be determined, so that alternatively the verification can be performed with VerifyData().