Help with Signature Verification #146

jceddy · 2024-06-28T21:36:54Z

jceddy
Jun 28, 2024

I am running into an issue with a simple C# program testing signature verification with a self-hosted server...I think I have everything set up correctly, but verification fails.

Was wondering whether someone could take a look at my C# code and maybe point me in the direction of what my issue might be?

Here is my test Program.cs:
(KeygenSettings.PublicKeyBase64 is the key from the accounts API - meta.publicKeys.ed25519)

using NSec.Cryptography;
using RestSharp;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

namespace KeygenSignatureVerification
{
	internal partial class Program
	{
		[GeneratedRegex("signature=\"([^\"]+)\"")]
		private static partial Regex SignatureRegex();

		static void Main(string[] args)
		{
			var publicKeyBase64 = KeygenSettings.PublicKeyBase64;
			var host = KeygenSettings.Host;
			var licenseKey = "E34A96-112639-84ECE3-1725AD-40AB22-V3";
			var licenseId = "69aa8195-1729-43f2-b890-d060edbf9890";
			var request = $"/v1/licenses/{licenseId}/entitlements";

			RestClient client = new(new RestClientOptions($"https://{host}")
			{
				RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true
			});
			var restRequest = new RestRequest(request);

			restRequest.AddHeader("Authorization", $"License {licenseKey}");
			restRequest.AddHeader("Accept", "application/vnd.api+json");

			var response = client.Execute(restRequest);

			var responseBody = response.Content ?? string.Empty;
			Console.WriteLine(responseBody);

			if(response.Headers == null)
			{
				Console.WriteLine("Response has no Headers");
				Environment.Exit(1);
			}
			var dateHeaderObject = response.Headers.Where(x => x.Name == "Date").First().Value;
			if(dateHeaderObject == null)
			{
				Console.WriteLine("No Date Header Found");
				Environment.Exit(1);
			}
			var dateHeader = dateHeaderObject.ToString();
			Console.WriteLine(dateHeader);

			var keygenSignatureHeaderObject = response.Headers.Where(x => x.Name == "Keygen-Signature").First().Value;
			if (keygenSignatureHeaderObject == null)
			{
				Console.WriteLine("No Keygen-Signature Header Found");
				Environment.Exit(1);
			}
			var keygenSignatureHeader = keygenSignatureHeaderObject.ToString() ?? string.Empty;
			Console.WriteLine(keygenSignatureHeader);

			var requestTarget = $"get {request}";

			var signature = SignatureRegex().Match(keygenSignatureHeader).Groups[1].Value;
			var signatureBytes = Convert.FromBase64String(signature);

			var digestBytes = SHA256.HashData(Encoding.UTF8.GetBytes(responseBody));
			var encDigest = Convert.ToBase64String(digestBytes);

			var signingData = $"(request target): {requestTarget}\nhost: {host}\ndate: {dateHeader}\ndigest: sha-256={encDigest}";
			var signingDataBytes = Encoding.UTF8.GetBytes(signingData);

			var algorithm = SignatureAlgorithm.Ed25519;

			var publicKeyBytes = Convert.FromHexString(Encoding.UTF8.GetString(Convert.FromBase64String(publicKeyBase64)));
			var publicKey = PublicKey.Import(algorithm, publicKeyBytes, KeyBlobFormat.RawPublicKey);

			var valid = algorithm.Verify(publicKey, signingDataBytes, signatureBytes);

			if(valid)
			{
				Console.WriteLine("data is valid");
			}
			else
			{
				Console.WriteLine("data is invalid");
			}
		}
	}
}

The output of which is:

{"data":[{"id":"3ff1059d-804c-4676-94a0-c65cdece6252","type":"entitlements","attributes":{"name":"Feature #2","code":"FEATURE_2","metadata":{},"created":"2024-06-20T18:30:26.075Z","updated":"2024-06-20T18:30:26.075Z"},"relationships":{"account":{"links":{"related":"/v1/accounts/bb420bd7-5e98-4147-831e-a41b990eeccd"},"data":{"type":"accounts","id":"bb420bd7-5e98-4147-831e-a41b990eeccd"}}},"links":{"self":"/v1/accounts/bb420bd7-5e98-4147-831e-a41b990eeccd/entitlements/3ff1059d-804c-4676-94a0-c65cdece6252"}},{"id":"764fb084-0e97-4ee6-a906-33b556a1c3bb","type":"entitlements","attributes":{"name":"Feature #1","code":"FEATURE_1","metadata":{},"created":"2024-06-20T18:30:18.288Z","updated":"2024-06-20T18:30:18.288Z"},"relationships":{"account":{"links":{"related":"/v1/accounts/bb420bd7-5e98-4147-831e-a41b990eeccd"},"data":{"type":"accounts","id":"bb420bd7-5e98-4147-831e-a41b990eeccd"}}},"links":{"self":"/v1/accounts/bb420bd7-5e98-4147-831e-a41b990eeccd/entitlements/764fb084-0e97-4ee6-a906-33b556a1c3bb"}}]}
Fri, 28 Jun 2024 21:32:32 GMT
keyid="bb420bd7-5e98-4147-831e-a41b990eeccd", algorithm="ed25519", signature="vbe//u4f0hXd0t2RldWexw8OZr3OZs0EOXmbiCQV4L74MB0lP5fMpa0pT/NjhbHatSAJJBK5FFwnbS5Kk/STBQ==", headers="(request-target) host date digest"
data is invalid

Answered by ezekg

Jun 30, 2024

In your signing data, you have (request target), but it should be (request-target).

View full answer

ezekg · 2024-06-29T16:22:58Z

ezekg
Jun 29, 2024
Maintainer

I'm AFK, so I haven't tested it, but the code looks good. Are you sure you have the public key correct? Typically, an Ed25519 public key is hex encoded, not base64 encoded.

4 replies

jceddy Jun 29, 2024
Author

When you call the accounts API the meta.publicKeys.ed25519 field of the response has a base64-encoded string that decodes to a 65-character hex string that is a valid ed25519 key.

I assume this is the correct public key for the process, but not 100% sure.

The system is singleplayer and that is the account associated with the license.

ezekg Jun 29, 2024
Maintainer

That should be correct, yeah. You can get the hex public key via this command in the console:

puts Account.sole.ed25519_public_key

Traveling rm but I can try to help further later tonight.

jceddy Jun 29, 2024
Author

That would be great. I have a feeling I am missing something simple, but don't know what.

The way the system is set up makes it a real PITA to get at the console, which is why I am grabbing the value from the API, but I might need to do that just so I can verify the public key is correct.

ezekg Jun 30, 2024
Maintainer

In your signing data, you have (request target), but it should be (request-target).

Answer selected by ezekg

jceddy · 2024-06-30T20:25:52Z

jceddy
Jun 30, 2024
Author

Oh God, thank you! 😂

…

On Sun, Jun 30, 2024, 12:32 PM Zeke Gabrielse ***@***.***> wrote: In your signing data, you have (request target), but it should be (request-target). — Reply to this email directly, view it on GitHub <#146 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAJ5557ZZR5XZ7XPPSACHG3ZKA6MRAVCNFSM6AAAAABKCRM3LSVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TSMJYGE2DQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Keygen

Help with Signature Verification #146

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 4 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Keygen

Help with Signature Verification #146

jceddy Jun 28, 2024

Replies: 2 comments · 4 replies

ezekg Jun 29, 2024 Maintainer

jceddy Jun 29, 2024 Author

ezekg Jun 29, 2024 Maintainer

jceddy Jun 29, 2024 Author

ezekg Jun 30, 2024 Maintainer

jceddy Jun 30, 2024 Author

jceddy
Jun 28, 2024

Replies: 2 comments 4 replies

ezekg
Jun 29, 2024
Maintainer

jceddy Jun 29, 2024
Author

ezekg Jun 29, 2024
Maintainer

jceddy Jun 29, 2024
Author

ezekg Jun 30, 2024
Maintainer

jceddy
Jun 30, 2024
Author