Test-Encryption.ps1
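function Test-Encryption {
<#
.SYNOPSIS
Verify a detached RSA/SHA-256 signature over a content string, using the public key carried in an X.509 certificate.
.DESCRIPTION
Rebuilds an X.509 certificate from its Base64 (DER) encoding, extracts the RSA public key it carries and
verifies that the supplied signature was produced over the UTF-8 bytes of Content with the matching private
key (SHA-256, PKCS#1 v1.5 padding).

The certificate is used only as a container for the public key: no chain building, trust or validity-period
check is performed here. If the certificate itself can come from an untrusted source, the caller must
establish trust in it before relying on the result.

The function emits exactly one [bool]. Malformed input (invalid Base64, a certificate that cannot be parsed,
a certificate without an RSA key) surfaces as a terminating error rather than $false, i.e. it fails closed.
.PARAMETER PublicKeyEncoded
Specify the Base64 encoded string representation of the Public Key (a DER-encoded X.509 certificate).
.PARAMETER Signature
Specify the Base64 encoded string representation of the signature coming from the inbound request.
.PARAMETER Content
Specify the content string that the signature coming from the inbound request is based upon.
.OUTPUTS
System.Boolean. $true when the signature is valid for Content under the certificate's public key, otherwise $false.
.NOTES
Author: Nickolaj Andersen / Thomas Kurth
Contact: @NickolajA
Created: 2021-06-07
Updated: 2023-05-10
Version history:
1.0.0 - (2021-06-07) Function created
1.0.1 - (2023-05-10) @AzureToTheMax - Updated to use full PEM cert via X502, extract the public key, and perform test like before using that.
Credits to Thomas Kurth for sharing his original C# code.
#>
    param(
        [parameter(Mandatory = $true, HelpMessage = "Specify the Base64 encoded string representation of the Public Key.")]
        [ValidateNotNullOrEmpty()]
        [string]$PublicKeyEncoded,
        [parameter(Mandatory = $true, HelpMessage = "Specify the Base64 encoded string representation of the signature coming from the inbound request.")]
        [ValidateNotNullOrEmpty()]
        [string]$Signature,
        [parameter(Mandatory = $true, HelpMessage = "Specify the content string that the signature coming from the inbound request is based upon.")]
        [ValidateNotNullOrEmpty()]
        [string]$Content
    )
    Process {
        # Diagnostics go to the verbose stream, not the output stream. Writing a string to the pipeline here
        # made the function return a two-element array (string, bool), and a multi-element array is always
        # truthy in PowerShell - so `if (Test-Encryption ...)` accepted every signature, valid or not.
        Write-Verbose -Message "Using X.509 certificate based signature verification"

        # Rebuild the certificate from its DER bytes. Only the embedded public key is used below;
        # no trust/chain/expiry validation happens in this function.
        $Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([System.Convert]::FromBase64String($PublicKeyEncoded))
        $Rsa = $null
        try {
            # Let the framework decode the SubjectPublicKeyInfo. The previous hand-written DER slicing
            # (fixed offset 9, 256-byte modulus, 3-byte exponent) only worked for 2048-bit keys with a
            # 3-byte public exponent and silently produced garbage for anything else.
            $Rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
            if ($null -eq $Rsa) {
                throw [System.Security.Cryptography.CryptographicException]::new("The certificate does not contain an RSA public key.")
            }

            [byte[]]$SignatureBytes = [System.Convert]::FromBase64String($Signature)
            [byte[]]$ContentBytes = [System.Text.Encoding]::UTF8.GetBytes($Content)

            # VerifyData hashes the content with SHA-256 itself, which is equivalent to the former
            # SHA256Managed.ComputeHash + VerifyHash pair (SHA256Managed is obsolete).
            $IsValid = $Rsa.VerifyData($ContentBytes, $SignatureBytes, [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
            [bool]$IsValid
        }
        finally {
            # Both objects wrap native key handles; release them deterministically.
            if ($null -ne $Rsa) { $Rsa.Dispose() }
            $Certificate.Dispose()
        }
    }
}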