CryptoSys Home > PKI > Create a SignatureValue from a DigestValue

Create a SignatureValue from a DigestValue


This page shows how to create a SignatureValue from a DigestValue using CryptoSys PKI Pro.

You can see the derivation and relevance of the examples below in Signing an XML document using XMLDSIG (Part 2) and Signing an XML document using XMLDSIG (Part 1).

Using Python | Using C# | Source code | Contact us

Using Python

In this example, encrypted private key and X.509 are hard-coded in "PEM" form. You could use the filenames instead. (Actually, you don't need the certificate to do the signing, but we keep it here for completeness.) The default RSA-SHA-1 signature algorithm is used.

UpdatedUpdated 2021-08-27 for Python 3 (added parentheses to print statements: ``print foo``-->``print(foo)``, otherwise no other changes). Thanks to Bledar (Tirana Tirana) for pointing this out.

import cryptosyspki as pki

######################
# HARD-CODED PKI STUFF
######################
# Alice's PKCS8 encrypted key and X.509 certificate
# from RFC 4134 "Examples of S/MIME Messages"
# Private key password is "password"
myprikey = '''-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICojAcBgoqhkiG9w0BDAEDMA4ECFleZ90vhGrRAgIEAASCAoA9rti16XVH
K4AJVe1CNf61NIpIogu/Xs4Yn4hXflvewiOwe6/9FkxBXLbhKdbQWn1Z4p3C
njVns2VYEO/qpJR3LciHMwp5dsqedUVVia//CqFHtEV9WfvCKWgmlkkT1YEm
1aChZnPP5i6IhwVT9qvFluTZhvVmjW0YyF86OrOp0uxxVic7phPbnPrOMelf
ZPc3A3EGpzDPkxN+o0obw87tUgCL+s0KtUOr3c6Si4KQ3IQjrjZxQF4Se3t/
4PEpqUl5EpYiCx9q5uqb0Lr1kWiiQ5/inZm5ETc+qO+ENcp0KjnX523CATYd
U5iOjl/X9XZeJrMpOCXogEuhmLPRauYP1HEWnAY/hLW93v10QJXY6ALlbkL0
sd5WU8Ces7T04b/p4/12yxqYqV68QePyfHpegdraDq3vRfopSwrUxtL9cisP
jsQcJ5FL/SfloFbmld4CKIjMsromsEWqo6rfo3JqNizgTVIIWExy3jDT9VvK
d9ADH0g3JCbuFzaWVOZMmZ0wlo28PKkLQ8FkW8CG/Lq/Q/bHLPM+sPdLN+ke
gpA6fvL4wpku4ST7hmeN1vWbRLlCfuFijux77hdM7knO9/MawICsA4XdzR78
p0C2hJlc6p46IWZaINQXGstTbJMh+mJ7i1lrbG2kvZ2Twf9R+RaLp2mPHjb1
+P+3f2L3tOoC31oJ18u/L1MXEWxLEZHB0+ANg+N/0/icwImcI0D+wVN2puU4
m58j81sGZUEAB3aFEbPxoX3y+qYlOnt1OfdY7WnNdyr9ZzI09fkrTvujF4LU
nycqE+MXerf0PxkNu1qv9bQvCoH8x3J2EVdMxPBtH1Fb7SbE66cNyh//qzZo
B9Je
-----END ENCRYPTED PRIVATE KEY-----
'''

mycert = '''-----BEGIN CERTIFICATE-----
MIICLDCCAZWgAwIBAgIQRjRrx4AAVrwR024uxBCzsDANBgkqhkiG9w0BAQUFADAS
MRAwDgYDVQQDEwdDYXJsUlNBMB4XDTk5MDkxOTAxMDg0N1oXDTM5MTIzMTIzNTk1
OVowEzERMA8GA1UEAxMIQWxpY2VSU0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAOCJczmN2PX16Id2OX9OsAW7U4PeD7er3H3HdSkNBS5tEt+mhibU0m+qWCn8
l+z6glEPMIC+sVCeRkTxLLvYMs/GaG8H2bBgrL7uNAlqE/X3BQWT3166NVbZYf8Z
f8mB5vhs6odAcO+sbSx0ny36VTq5mXcCpkhSjE7zVzhXdFdfAgMBAAGjgYEwfzAM
BgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBTp4JAnrHgg
eprTTPJCN04irp44uzAdBgNVHQ4EFgQUd9K00bdMioqjzkWdzuw8oDrj/1AwHwYD
VR0RBBgwFoEUQWxpY2VSU0FAZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADgYEA
PnBHqEjME1iPylFxa042GF0EfoCxjU3MyqOPzH1WyLzPbrMcWakgqgWBqE4lradw
FHUv9ceb0Q7pY9Jkt8ZmbnMhVN/0uiVdfUnTlGsiNnRzuErsL2Tt0z3Sp0LF6DeK
tNufZ+S9n/n+dO/q+e5jatg/SyUJtdgadq7rm9tJsCI=
-----END CERTIFICATE-----
'''

def sign_digest(digval, prikey, password):
    """Create base64-encoded SignatureValue from DigestValue.

    Args:
        digval (str): Digest value in base64 encoding to be signed.
        prikey (str): Either filename of private key file or key in PEM string format.
        password (str): Password for private key, if encrypted.

    Returns:
        str: Signature value in base64 encoding.
    """
    sigval = pki.Sig.sign_digest(pki.Cnv.frombase64(digval), prikey, password, pki.Sig.Alg.RSA_SHA1)
    return sigval


def main():
    # Sign digest of canonicalized SignedInfo
    print(sign_digest("oloG0znWi2Jc1zg6kyNXiJlWpU4=", myprikey, "password"))
    print(sign_digest("WsjvqwRamkb+ABrFjCU2Rv+I3Go=", myprikey, "password"))
Expected output:
TSQUoVrQ0kg1eiltNwIhKPrIdsi1VhWjYNJlXvfQqW2EKk3X37X862SCfrz7v8IYJ7OorWwlFpGDStJDSR6saOScqSvmesCrGEEq+U6zegR9nH0lvcGZ8Rvc/y7U9kZrE4fHqEiLyfpmzJyPmWUT9Uta14nPJYsl3cmdThHB8Bs=
nihUFQg4mDhLgecvhIcKb9Gz8VRTOlw+adiZOBBXgK4JodEe5aFfCqm8WcRIT8GLLXSk8PsUP4//SsKqUBQkpotcAqQAhtz2v9kCWdoUDnAOtFZkd/CnsZ1sge0ndha40wWDV+nOWyJxkYgicvB8POYtSmldLLepPGMz+J7/Uws=

The Python interface to CryptoSys PKI Pro is available separately here.

[Go to top]

Using C#

´╗┐using System;
using System.Text;
using System.Diagnostics;
using CryptoSysPKI;

namespace SignDigest
{
    class SigValFromDigVal {
        // Alice's PKCS8 encrypted key and X.509 certificate
        // from RFC 4134 "Examples of S/MIME Messages"
        // Private key password is "password"
        const string myprikey = @"-----BEGIN ENCRYPTED PRIVATE KEY-----
            MIICojAcBgoqhkiG9w0BDAEDMA4ECFleZ90vhGrRAgIEAASCAoA9rti16XVH
            K4AJVe1CNf61NIpIogu/Xs4Yn4hXflvewiOwe6/9FkxBXLbhKdbQWn1Z4p3C
            njVns2VYEO/qpJR3LciHMwp5dsqedUVVia//CqFHtEV9WfvCKWgmlkkT1YEm
            1aChZnPP5i6IhwVT9qvFluTZhvVmjW0YyF86OrOp0uxxVic7phPbnPrOMelf
            ZPc3A3EGpzDPkxN+o0obw87tUgCL+s0KtUOr3c6Si4KQ3IQjrjZxQF4Se3t/
            4PEpqUl5EpYiCx9q5uqb0Lr1kWiiQ5/inZm5ETc+qO+ENcp0KjnX523CATYd
            U5iOjl/X9XZeJrMpOCXogEuhmLPRauYP1HEWnAY/hLW93v10QJXY6ALlbkL0
            sd5WU8Ces7T04b/p4/12yxqYqV68QePyfHpegdraDq3vRfopSwrUxtL9cisP
            jsQcJ5FL/SfloFbmld4CKIjMsromsEWqo6rfo3JqNizgTVIIWExy3jDT9VvK
            d9ADH0g3JCbuFzaWVOZMmZ0wlo28PKkLQ8FkW8CG/Lq/Q/bHLPM+sPdLN+ke
            gpA6fvL4wpku4ST7hmeN1vWbRLlCfuFijux77hdM7knO9/MawICsA4XdzR78
            p0C2hJlc6p46IWZaINQXGstTbJMh+mJ7i1lrbG2kvZ2Twf9R+RaLp2mPHjb1
            +P+3f2L3tOoC31oJ18u/L1MXEWxLEZHB0+ANg+N/0/icwImcI0D+wVN2puU4
            m58j81sGZUEAB3aFEbPxoX3y+qYlOnt1OfdY7WnNdyr9ZzI09fkrTvujF4LU
            nycqE+MXerf0PxkNu1qv9bQvCoH8x3J2EVdMxPBtH1Fb7SbE66cNyh//qzZo
            B9Je
            -----END ENCRYPTED PRIVATE KEY-----
            ";
        /// <summary>
        /// Create base64-encoded SignatureValue from DigestValue.
        /// </summary>
        /// <param name="digVal">Digest value in base64 encoding to be signed.</param>
        /// <param name="priKey">Either filename of private key file or key in PEM string format.</param>
        /// <param name="password">Password for private key, if encrypted.</param>
        /// <returns>Signature value in base64 encoding or empty string <c>""</c> on error.</returns>
        public static string SignDigest(string digVal, string priKey, string password)
        {
            string sigVal;
            sigVal = Sig.SignDigest(Cnv.FromBase64(digVal), priKey, password, SigAlgorithm.Rsa_Sha1);
            return sigVal;
        }
        static void Main(string[] args)
        {
            string sigVal;
            Console.WriteLine("PKI Version={0}", General.Version());    // At least 110200
            sigVal = SignDigest("oloG0znWi2Jc1zg6kyNXiJlWpU4=", myprikey, "password");
            Debug.Assert(sigVal.Length > 0);
            Console.WriteLine(sigVal);
            sigVal = SignDigest("WsjvqwRamkb+ABrFjCU2Rv+I3Go=", myprikey, "password");
            Debug.Assert(sigVal.Length > 0);
            Console.WriteLine(sigVal);
        }
    }
}
Expected output:
PKI Version=110200
TSQUoVrQ0kg1eiltNwIhKPrIdsi1VhWjYNJlXvfQqW2EKk3X37X862SCfrz7v8IYJ7OorWwlFpGDStJDSR6saOScqSvmesCrGEEq+U6zegR9nH0lvcGZ8Rvc/y7U9kZrE4fHqEiLyfpmzJyPmWUT9Uta14nPJYsl3cmdThHB8Bs=
nihUFQg4mDhLgecvhIcKb9Gz8VRTOlw+adiZOBBXgK4JodEe5aFfCqm8WcRIT8GLLXSk8PsUP4//SsKqUBQkpotcAqQAhtz2v9kCWdoUDnAOtFZkd/CnsZ1sge0ndha40wWDV+nOWyJxkYgicvB8POYtSmldLLepPGMz+J7/Uws=

[Go to top]

Source code

Download the above source code modules (4.0 kB). (Python code updated for Python 3 on 2021-08-27).

[Go to top]

Contact

For more information or to comment on this page, please send us a message.

This page last updated 27 August 2021

[Go to top]