Signing with conzept 16

Digital signatures are used in many areas where authenticity and integrity play an important role. Examples include e-mails, invoices and electronic ID cards. As a result, it will be possible to create and verify digital signatures in the upcoming conzept 16 version 5.7.08.

General information

GeneralA digital signature is an electronic security identifier used to ensure that a message actually originates from the specified sender and that the content has not been changed since the signature was created.

The creation of a signature uses an asymmetric cryptographic method in which the hash value of the message to be transmitted is first calculated. This hash value is then encrypted with a private key and the result is attached to the message.

The recipient of the message can verify the signature with the corresponding public key. To do this, the hash value is calculated again from the message. The attached, encrypted hash value is then decrypted using the sender’s public key. If the two hash values determined match, it can be concluded that the sender is correct and the message has not been altered by a third party.

However, the entire system requires that only the authorized signature creators are in possession of the private key. A clear assignment of the private key to a person can be achieved by means of a certificate, for example.

Signatures can be encrypted and decrypted in conzept 16 using the two asymmetric methods RSA or DSA. The methods MD5, Ripe-MD, SHA-1 and SHA-2 are available for the hash values.

Create signature

The command for signing is MemSign() and is defined as follows:

MemSign(
    aMem       : handle  // Memory object with message
    aOptions   : int     // Options
    aKey       : alpha   // Private key
    vSignature : alpha   // Out:Signature
opt aPos       : int     // Message position in the memory object
opt aLen       : int     // Length of the message in the memory object
)
: int                    // Error value

A memory object containing the message to be signed is transferred in aMem.

The algorithms for the four areas Signature-algorithm, Hash-algorithm, Coding of the private key und die Coding of the signature are selected in aOptions.

• Signature-algorithm
  _MemSignRSA, _MemSignDSA
• Hash-algorithm
  _MemHashMD5, _MemHashRMD160, _MemHashSHA1, _MemHashSHA256, _MemHashSHA384, _MemHashSHA512
• Key coding
  _MemKeyHex, _MemKeyBase64
• Signature coding
  _MemResultHex, _MemResultBase64

The private key is transferred in aKey. This can be in the formats PKCS #1 or PKCS #8.signature encoding

vSignature is a reference argument and contains the signature if signing is successful, otherwise an empty string.

The arguments aPos and aLen are optional and are used to specify the area in the memory object that contains the message to be signed.

If the signing was successful, the MemSign() function returns _ErrOK. Otherwise, one of the following error values may be returned:

• _ErrMemKeyInvalid
  The error occurs if, for example, an RSA key is expected but a different (invalid) key was specified, or if the decoding of the key failed.
• _ErrMemKeyLength
  The specified key is too short to sign the message.

The following example can be used to create a signature:

// ...

tErg # tMem->MemSign(
             _MemSignDSA |      // A DSA signature is to be created
             _MemHashSHA1 |     // SHA1-Hash
             _MemKeyBase64 |    // Key is Base64-encoded
             _MemResultBase64 | // Signature is Base64-encoded
             tPrivateKey,       // Private key
             var tSignature,    // Private key signature is stored in tSignature
);

// Output signature
WinDialogBox(0, 'Signature', tSignature, _WinIcoInformation, _WinDialogOk, 0);

// ...

Verify signature

The MemVerify() command also has 6 parameters,

MemVerify(
      aMem       : handle  // Memory object with message
      aOptions   : int     // Options
      aKey       : alpha   // Memory object with messagePublic key
      aSignature : alpha   // Signature to be verified
  opt aPos       : int     // Message item in the memory object
  opt aLen       : int     // Length of the message in the memory object
)
: int                      // Error value

which differ from MemSign() in three respects:

• aOptions defines the coding of the specified signature with the constants _MemSignatureHex or _MemSignatureBase64.
• aKey contains the public key in X509 format. RSA keys can also be specified in PKCS #1 format.
• The signature to be verified is transferred in aSignature.

If the verification was successful, the MemVerify() function returns _ErrOK. Otherwise, one of the following values is returned:

• _ErrMemMsgVerify
  The signature does not match the key.
• _ErrMemSgnInvalid
  The signature does not match the key The decoding of the signature failed or the signature is invalid.
• _ErrMemKeyInvalid
  The decoding of the key failed or the key is invalid.

An example for verification:

// ...

tErr # tMem->MemVerify(
             _MemSignDSA |        // DSA signature is available
             _MemHashSHA1 |       // SHA1 hash must be used because the signature was generated with SHA1
             _MemKeyBase64 |      // Key is Base64-encoded
             _MemSignatureBase64, // Signature is Base64-encoded
             tPublicKey,          // public key
             tSignature           // Signature
);

if (tErr = _ErrOK)
  WinDialogBox(0, 'Verification', 'The signature has been verified.', _WinIcoInformation, _WinDialogOk, 0);

// ...

In addition to the error values, both functions can trigger the runtime errors _ErrHdlInvalid, _ErrValueInvalid and _ErrValueRange.