RSACryptoServiceProvider.Verify*


Marian Dvorsky

There are two methods in RSACryptoServiceProvider to verify signed data:

VerifyData(byte[] buffer, object halg, byte[] signature)
VerifyHash(byte[] rgbHash, string str, byte[] rgbSignature)

What is not clear to me is why the second method (VerifyHash()) needs the OID of the hash algorithm used. Probably, it is used to compare it to the OID saved in a signature. But when there is an OID to compare to, then why does VerifyData need the HashAlgorithm object instance, when the OID of the hash algorithm used is written in the signature?

If my assumptions are right, then VerifyData needs only the buffer and the signature. It can decode the OID of the hash algorithm used from a signature and compute the hash with the appropriate HashAlgorithm.

Can anybody clarify that to me?

Thanks.

Marian
 
Marian Dvorsky said:
> What is not clear to me is why the second method (VerifyHash()) needs the OID of the hash algorithm used.

This is because the underlying CryptoAPI doesn't allow signing arbitrary byte arrays. In fact, the CryptVerifySignature requires that you pass in a valid HCRYPTHASH handle instead. The RSACryptoServiceProvider uses the OID to create a HCRYPTHASH handle that can be passed to the CryptVerifySignature method.

> Probably, it is used to compare it to the OID saved in a signature.

The signature does not contain an OID.

Regards,
Pieter Philippaerts
Managed SSL/TLS: http://www.mentalis.org/go.php?sl
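
The two verification paths discussed in this thread, side by side, as an added C# example (not code from either poster): VerifyData hashes the buffer with the algorithm it is given, while VerifyHash takes a digest the caller already computed plus the OID naming the algorithm that produced it. It assumes a freshly generated 2048-bit key and SHA-256; the message and the class name are constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class VerifyDemo // hypothetical name, for illustration only
{
    static void Main()
    {
        // Constructed sample message.
        byte[] data = Encoding.UTF8.GetBytes("constructed sample message");

        using (var rsa = new RSACryptoServiceProvider(2048))
        using (var sha256 = SHA256.Create())
        {
            rsa.PersistKeyInCsp = false; // do not leave the demo key in a key container

            // SignData hashes the buffer itself, then signs the digest.
            byte[] signature = rsa.SignData(data, "SHA256");

            // Path 1: VerifyData is told which algorithm to hash the buffer with.
            bool viaData = rsa.VerifyData(data, "SHA256", signature);

            // Path 2: the caller hashes, then names the algorithm by OID so the
            // provider knows what kind of digest it has been handed.
            byte[] digest = sha256.ComputeHash(data);
            string oid = CryptoConfig.MapNameToOID("SHA256");
            bool viaHash = rsa.VerifyHash(digest, oid, signature);

            // The paths interoperate: a signature made from a precomputed
            // digest verifies against the raw buffer as well.
            byte[] signatureFromHash = rsa.SignHash(digest, oid);
            bool crossCheck = rsa.VerifyData(data, "SHA256", signatureFromHash);

            // A buffer changed by a single bit must not verify.
            byte[] tampered = (byte[])data.Clone();
            tampered[0] ^= 0x01;
            bool tamperedAccepted = rsa.VerifyData(tampered, "SHA256", signature);

            Console.WriteLine("OID passed to VerifyHash:      " + oid);
            Console.WriteLine("VerifyData(data):              " + viaData);
            Console.WriteLine("VerifyHash(SHA256(data), oid): " + viaHash);
            Console.WriteLine("SignHash -> VerifyData:        " + crossCheck);
            Console.WriteLine("VerifyData(tampered):          " + tamperedAccepted);
        }
    }
}
```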
 