Asymmetric Signing


Note: This is part of GeneXus Cryptography Module.

AsymmetricSigningAlgorithm Domain

Values:

RSA, ECDSA

AsymmetricSigner

Signs a text with a private key and verifies the signature with a public key. 

As for paddings, it follows RFC-4051.

Considerations

  • The hashing algorithm is identified from the certificate in public-key cases.
  • HashAlgorithm NONE value is not a valid value for the signing algorithms.
  • When using ECDSA key type, the default HashAlgorithm value used is SHA1.

Valid Key formats

  • Encoded Base64 key PKCS8 formatted (.pem extension). It can contain a public key, a private key or both.
    • Encrypted .pem files are not admitted.
    • Encrypted PKCS8 private keys are admitted since GeneXus 17 Upgrade 2.
    • Files with .key extensions are supported since GeneXus 16 Upgrade 11.
  • DER certificate (.crt or .cer extension). It contains only public keys.
  • PKCS12 certificate or keystore (.p12, .pfx or .jks extension). It contains only private keys or both.
    • JKS format (JavaKeyStore) is available only for the Java implementation.
    • For PKCS12 certificates the file password is needed for both the Java and .Net implementations.
    • The .Net implementation does not use the PKCS12 alias; it takes the public key from the first certificate on the certificate chain and the first default private key listed in the file.
    • Files with .pkcs12 extensions are supported since GeneXus 16 Upgrade 11.
  • Every certificate must implement the X509 standard.

DoSign

AsymmetricSigner.DoSign(privateKey, hashAlgorithm, plainText)
  • Input privateKey: PrivateKey type, preloaded private key
  • Input hashAlgorithm: HashAlgorithm Domain value
  • Input plainText: Varchar(256). It uses UTF-8 by default unless CryptographyEncodingUtil is used.
  • Returns: Varchar(256), Base64 encoded.

Signs a text with the specified certificate key and the given hash algorithm.

Example:

&key.Load("C:\\certificates\\key.pem")
&hash = HashAlgorithm.SHA256
&plainText = "Lorem ipsum dolor sit amet, consectetur adipiscing elit. In aliquet ultrices dolor a consectetur."

&signature = &AsymmetricSigner.DoSign(&key, &hash, &plainText)

DoVerify

AsymmetricSigner.DoVerify(certificate, plainText, signature)
  • Input certificate: Certificate type, preloaded public key
  • Input plainText: Varchar(256). It uses UTF-8 by default unless CryptographyEncodingUtil is used.
  • Input signature: Varchar(256), Base64 encoded.
  • Returns: Boolean, true if the signature is valid for the plainText with the certificate data.

Example:

&certificate.Load("C:\\certificates\\certificate.cer")
&plainText = "Lorem ipsum dolor sit amet, consectetur adipiscing elit. In aliquet ultrices dolor a consectetur."
&signature = "Il3rfo20i3kqdTcrg/O0nhYAtb6y+l7fKKEzP1gvKNhnCNKwZajCEiBarg21E7nVXjvXeB4E7QSXCLD8kEUNlsfkuAkvnbf52+zcRb5HxaN+jWargDlVw2v1zzxYxQ8VdjVNdBioI6oHWzurcfRfn9D8Kfuy9mUWwGlZkHgpAj6RGdr95B67Fn5XnAjN1iEW9LPuRHi4rN2VqJ8GQT3mQ9y76kuv4mKfabzq/8ar+zxqXKa2B+0znVjTK7gbWtUZCL6hRnXfttdVYhnblvGKIix2WsfZEDXtjVcyOc5MCe83cGLEVFgd4R0vZEqq7E4M4jgZyTaQlqBXCgscxUGwVQ=="

&verify = &AsymmetricSigner.DoVerify(&certificate, &plainText, &signature)
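The same sign-then-verify round trip as an added example in Go (standard library only; this is not GeneXus or module code). It builds in memory the two inputs the page's examples load from disk, a PKCS8 PEM private key and a DER X.509 certificate, and the names makeKeyMaterial, DoSign and DoVerify are chosen here to mirror the methods above, not the module's own API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// makeKeyMaterial builds in memory the page's key.pem (PKCS8 PEM private key) and certificate.cer (self-signed DER X.509, which Go signs with SHA256WithRSA).
func makeKeyMaterial() (pemKey, derCert []byte, err error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	p8, _ := x509.MarshalPKCS8PrivateKey(priv)
	pemKey = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: p8})
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	derCert, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	return pemKey, derCert, err
}
// DoSign mirrors AsymmetricSigner.DoSign with HashAlgorithm.SHA256: hash the UTF-8 text, sign it (PKCS#1 v1.5 padding for RSA), Base64 encode the result.
func DoSign(pemKey []byte, plainText string) (string, error) {
	block, _ := pem.Decode(pemKey)
	if block == nil || block.Type != "PRIVATE KEY" { // not PEM, or an ENCRYPTED PRIVATE KEY block
		return "", errors.New("expected an unencrypted PKCS8 PEM private key")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	signer, ok := key.(crypto.Signer) // RSA, ECDSA and Ed25519 keys all implement crypto.Signer
	if err != nil || !ok {
		return "", errors.New("PKCS8 key could not be parsed or cannot sign")
	}
	digest := sha256.Sum256([]byte(plainText))
	sig, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256)
	return base64.StdEncoding.EncodeToString(sig), err
}
// DoVerify mirrors AsymmetricSigner.DoVerify: the hash is identified from the certificate's SignatureAlgorithm; tampered text or a tampered/malformed signature yields false, not an error.
func DoVerify(derCert []byte, plainText, signatureB64 string) bool {
	cert, err := x509.ParseCertificate(derCert)
	sig, decErr := base64.StdEncoding.DecodeString(signatureB64)
	if err != nil || decErr != nil {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, []byte(plainText), sig) == nil
}
```

Note that DoVerify takes the hash from the certificate rather than from a caller-supplied HashAlgorithm, which is the behaviour the Considerations section describes for public-key cases.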

DoSignFile

This method is available since GeneXus 17 Upgrade 6.

AsymmetricSigner.DoSignFile(privateKey, hashAlgorithm, path)

  • Input privateKey: PrivateKey type, preloaded private key
  • Input hashAlgorithm: HashAlgorithm Domain value
  • Input path: Varchar(256), path of the file to sign
  • Returns: Varchar(256), Base64 encoded.

Signs a file with the specified certificate key and the given hash algorithm.

Example:

&key.Load("C:\\certificates\\key.pem")
&hash = HashAlgorithm.SHA256
&path = "C:\\Temp\\file.txt"

&signature = &AsymmetricSigner.DoSignFile(&key, &hash, &path)

DoVerifyFile

This method is available since GeneXus 17 Upgrade 6.

AsymmetricSigner.DoVerifyFile(certificate, path, signature)
  • Input certificate: Certificate type, preloaded public key
  • Input path: Varchar(256), path of the file to be verified
  • Input signature: Varchar(256), Base64 encoded.
  • Returns: Boolean, true if the signature is valid for the file with the certificate data.

Example:

&certificate.Load("C:\\certificates\\certificate.cer")
&path = "C:\\Temp\\file.txt"
&signature = "Il3rfo20i3kqdTcrg/O0nhYAtb6y+l7fKKEzP1gvKNhnCNKwZajCEiBarg21E7nVXjvXeB4E7QSXCLD8kEUNlsfkuAkvnbf52+zcRb5HxaN+jWargDlVw2v1zzxYxQ8VdjVNdBioI6oHWzurcfRfn9D8Kfuy9mUWwGlZkHgpAj6RGdr95B67Fn5XnAjN1iEW9LPuRHi4rN2VqJ8GQT3mQ9y76kuv4mKfabzq/8ar+zxqXKa2B+0znVjTK7gbWtUZCL6hRnXfttdVYhnblvGKIix2WsfZEDXtjVcyOc5MCe83cGLEVFgd4R0vZEqq7E4M4jgZyTaQlqBXCgscxUGwVQ=="

&verify = &AsymmetricSigner.DoVerifyFile(&certificate, &path, &signature)

Security tips

When assigning file paths (the path argument of DoSignFile and DoVerifyFile), do not build them by concatenating user input; if user-supplied values must be part of a path, sanitize them first, so as to avoid path traversal and path manipulation vulnerabilities.