Plain C Question
-
John Simmons / outlaw programmer wrote:
I'm using .Net 2.0 (why anyone would start new .Net projects with anything older is beyond me).
Yeah, I was thinking newer because I have no idea what they added to 3.+ So if you are on ASP.NET running under IIS why are you messing with this? It sounds like you want SSL on your site and that is all just IIS configuration?
led mike wrote:
So if you are on ASP.NET running under IIS why are you messing with this?
Because I don't know any better. :) We don't need the sight to be a secure site. We just want to verify that the people trying to access it are coming from a another site through this crappy single sign-on code (I think they may have two or three users - counting our customer). Unfortunately, we're stuck with what the customer is using. We get a query string that contains some data in the clear, some encrypted data, and a SSL signature. We already have the public key with which to verify the signature. Everything is in place and ready to be "verified". That's all I need to do - *verify* the signature. This shouldn't require anything regarding SSL on the part of the server as far as I can tell (if it does, this just serves to illustrate my lack of knowledge in this area). Shouldn't I be able to simply verify the signature without having to make any changes on the IIS side? Shouldn't the crypto stuff in .Net let me do this? The existing PHP code uses its internal openssl module and calls a single function with three parameters - the data, the public key, and the signature - and returns a 1 or a 0 to indicate success. I want to have a function that does exactly the same thing, but using the .Net crypto functionality, if possible. It appears as if it is possible, but I haven't been able to find anything that says how, and I can't find anyplace to ask other than here.
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001 -
That explains it. I have full confidence that you'll be able to convert this. C is great for porting because it's simple enough most of the time to be really certain about what it means just from reading it. I've had some great fun porting C to C++ in the past. Even better from what you posted this C was written by a C++ programmer anyway so it's already closer to C# than it might be in really nasty K&R C. Good luck.
Nothing is exactly what it seems but everything with seems can be unpicked.
Matthew Faithfull wrote:
I have full confidence that you'll be able to convert this.
The problem is that I don't have time to convert it. I'd rather do this with the built in .Net crypto stuff if possible (see my exchange with led_mike).
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001 -
Matthew Faithfull wrote:
I have full confidence that you'll be able to convert this.
The problem is that I don't have time to convert it. I'd rather do this with the built in .Net crypto stuff if possible (see my exchange with led_mike).
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001I sympathise with the time pressure. I'm afarid the Crypto API in C# is about as much out of my league as it gets. I can only wish you luck.
Nothing is exactly what it seems but everything with seems can be unpicked.
-
led mike wrote:
So if you are on ASP.NET running under IIS why are you messing with this?
Because I don't know any better. :) We don't need the sight to be a secure site. We just want to verify that the people trying to access it are coming from a another site through this crappy single sign-on code (I think they may have two or three users - counting our customer). Unfortunately, we're stuck with what the customer is using. We get a query string that contains some data in the clear, some encrypted data, and a SSL signature. We already have the public key with which to verify the signature. Everything is in place and ready to be "verified". That's all I need to do - *verify* the signature. This shouldn't require anything regarding SSL on the part of the server as far as I can tell (if it does, this just serves to illustrate my lack of knowledge in this area). Shouldn't I be able to simply verify the signature without having to make any changes on the IIS side? Shouldn't the crypto stuff in .Net let me do this? The existing PHP code uses its internal openssl module and calls a single function with three parameters - the data, the public key, and the signature - and returns a 1 or a 0 to indicate success. I want to have a function that does exactly the same thing, but using the .Net crypto functionality, if possible. It appears as if it is possible, but I haven't been able to find anything that says how, and I can't find anyplace to ask other than here.
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001 -
John Simmons / outlaw programmer wrote:
We just want to verify that the people trying to access it are coming from a another site
??? I don't get that. :confused:
...coming from a specific site. Like everything else web based, it's a clusterfuck of disparate technologies trying to rub each other the right way without puking all over each other's shoes.
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001 -
...coming from a specific site. Like everything else web based, it's a clusterfuck of disparate technologies trying to rub each other the right way without puking all over each other's shoes.
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001ROTFLMAO... and I couldn't agree more. I've been involved in web dev off and on since 1996 and have seen it go from something that was enormously beneficial to being abused beyond all imagination by all the wanna-be jerkoffs. But I was asking a specific question to try and assist you. Perhaps my reply in the new thread will start a fruitful conversation.
-
I'd say Windows, Linux, Un*x, <insert OS kernel here> are full of these constructs. Poor man's OO! :)
-- Kein Mitleid Für Die Mehrheit
-
ROTFLMAO... and I couldn't agree more. I've been involved in web dev off and on since 1996 and have seen it go from something that was enormously beneficial to being abused beyond all imagination by all the wanna-be jerkoffs. But I was asking a specific question to try and assist you. Perhaps my reply in the new thread will start a fruitful conversation.
I just found a site that looks like it has a five-part article about what I'm after. http://www.dotnetbips.com/articles/c9e90522-df22-4a0b-937a-913d6b992ddd.aspx[^] Unfortunately, the associated download is lost somewhere on the site. :(
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001 -
led mike wrote:
So if you are on ASP.NET running under IIS why are you messing with this?
Because I don't know any better. :) We don't need the sight to be a secure site. We just want to verify that the people trying to access it are coming from a another site through this crappy single sign-on code (I think they may have two or three users - counting our customer). Unfortunately, we're stuck with what the customer is using. We get a query string that contains some data in the clear, some encrypted data, and a SSL signature. We already have the public key with which to verify the signature. Everything is in place and ready to be "verified". That's all I need to do - *verify* the signature. This shouldn't require anything regarding SSL on the part of the server as far as I can tell (if it does, this just serves to illustrate my lack of knowledge in this area). Shouldn't I be able to simply verify the signature without having to make any changes on the IIS side? Shouldn't the crypto stuff in .Net let me do this? The existing PHP code uses its internal openssl module and calls a single function with three parameters - the data, the public key, and the signature - and returns a 1 or a 0 to indicate success. I want to have a function that does exactly the same thing, but using the .Net crypto functionality, if possible. It appears as if it is possible, but I haven't been able to find anything that says how, and I can't find anyplace to ask other than here.
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001I think you would need to create a System.Security.Cryptography.X509Certificates.X509Certificate2 to represent the certificate, then get the PublicKey property's Key property, which is an abstract type representing the encryption algorithm used by the certificate, appropriately initialised. Then you'd have to cast that to an RSACryptoServiceProvider or DSACryptoServiceProvider as appropriate (you can simply use
asfor this, to check the type and cast in one operation, as per C++dynamic_cast) and callVerifyData. For thehalgparameter I think you pass the certificate'sSignatureAlgorithmproperty (this may need to be the FriendlyName or the Value property). Yes, I can see why you were struggling!
DoEvents: Generating unexpected recursion since 1991 -
I have had to do some pretty wide-ranging stuff. I've converted about 500 lines of PHP code down to 200 lines of C# code, and now my boss wants to see if we can convert part of the PHP source code that deals with openssl signature verification (written in C) to C# (the original message is part of that tasking). In order to convert it, I have to understand what it's doing in the original language. I've already suggested that we at least use C++/CLI, but he really wants it in C#. I could have avoided this conversion if I could have found a way to verify the signature with the .net crypto stuff. I've never dealt with any kind of crypto stuff before, so I haven't got an earthly clue about where to start or what to look for in that regard (and nobody here or anywhere else seems to know where to point me). I am therefore doomed challenged to convert this code (if possible).
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
-----
"...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001Oh you don't really want to rewrite the crypto code in C# for your project. All Web security is based on standards, all the algorithms are built into .Net framework, and most importantly - the administration part of handling the certificates, public/private keys and such. This means that you can port the C code, but the result will be unmanageable: the administrators who know how to work with .Net servers, have no idea how it is done for PHP; the administrators who run PHP servers, do not know how to deal with .Net security policies. And no one knows how your solution will work when Microsoft issues the next security update. I strongly recommend to use .Net native cryptography, even if you need to learn it or use an external expert. Cheers, Alex
