I'm not able to sign data with the Service Application private key I downloaded from the Google Developer console. I get the following error:
OAuthTests.TestCr
First of all, there's a mistake in your example #2: you are trying to use the public key for signing. And you should get the error: "Object contains only the public half of a key pair. A private key must also be provided."
But I suppose it was just a copy/paste mistake, and you already tried with the private key.
The RSACryptoServiceProvider obtained from Google's certificate PrivateKey uses "Microsoft Base Cryptographic Provider v1.0", while a newly created RSACryptoServiceProvider object uses "Microsoft Enhanced RSA and AES Cryptographic Provider".
The trick to work around this is to export the bare math from the cert's RSACSP to a new RSACSP object:
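    using System;
    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;
    using NUnit.Framework;

    public class OAuthTests
    {
        [Test]
        public void testSha256SignWithGoogleKey()
        {
            // Exportable is required so that ExportParameters(true) below can read the private key.
            var cert = new X509Certificate2(@"....41e34b980643fd5b21-privatekey.p12", "notasecret", X509KeyStorageFlags.Exportable);
            byte[] data = new byte[] { 0, 1, 2, 3, 4, 5 };
            // Key as loaded from the certificate (bound to the Base provider, no SHA256 support).
            using (RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)cert.PrivateKey)
            {
                // A fresh RSACryptoServiceProvider uses the Enhanced RSA and AES provider.
                using (RSACryptoServiceProvider myRsa = new RSACryptoServiceProvider())
                {
                    // Copy the raw RSA parameters (private part included) into the new object.
                    myRsa.ImportParameters(rsa.ExportParameters(true));
                    byte[] signature = myRsa.SignData(data, "SHA256");
                    if (myRsa.VerifyData(data, "SHA256", signature))
                    {
                        Console.WriteLine("RSA-SHA256 signature verified");
                    }
                    else
                    {
                        Console.WriteLine("RSA-SHA256 signature failed to verify");
                    }
                }
            }
        }
    }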
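An added example, not part of the original answer: a variant that reports which provider the certificate's key is bound to and, when it is not the Enhanced RSA and AES provider, reopens the same key container under that provider instead of exporting the private key, so the certificate does not have to be loaded with X509KeyStorageFlags.Exportable. It assumes the key container is visible to both Microsoft RSA providers; the class name, method name and the .p12 path are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class CspSha256Signer   // hypothetical helper, not from the answer
{
    // Provider type of "Microsoft Enhanced RSA and AES Cryptographic Provider" (PROV_RSA_AES).
    private const int ProvRsaAes = 24;
    private const string EnhancedProvider =
        "Microsoft Enhanced RSA and AES Cryptographic Provider";

    public static byte[] SignSha256(X509Certificate2 cert, byte[] data)
    {
        var certRsa = (RSACryptoServiceProvider)cert.PrivateKey;
        CspKeyContainerInfo info = certRsa.CspKeyContainerInfo;

        // Diagnostic: shows the provider mismatch described in the answer.
        Console.WriteLine("Key provider: {0} (type {1})", info.ProviderName, info.ProviderType);

        if (info.ProviderType == ProvRsaAes)
            return certRsa.SignData(data, "SHA256");   // provider already supports SHA256

        // Open the existing container under the Enhanced provider.
        // UseExistingKey makes this fail instead of silently generating a new key.
        var csp = new CspParameters(ProvRsaAes, EnhancedProvider, info.KeyContainerName)
        {
            KeyNumber = (int)info.KeyNumber,
            Flags = CspProviderFlags.UseExistingKey |
                    (info.MachineKeyStore ? CspProviderFlags.UseMachineKeyStore
                                          : CspProviderFlags.NoFlags)
        };
        using (var rsa = new RSACryptoServiceProvider(csp))
        {
            return rsa.SignData(data, "SHA256");
        }
    }

    public static void Main()
    {
        // Placeholder path; "notasecret" is the password used in the answer above.
        var cert = new X509Certificate2(@"service-account-privatekey.p12", "notasecret");
        byte[] data = { 0, 1, 2, 3, 4, 5 };
        byte[] signature = SignSha256(cert, data);

        // Verification needs only the public key taken from the certificate.
        var pub = (RSACryptoServiceProvider)cert.PublicKey.Key;
        Console.WriteLine(pub.VerifyData(data, "SHA256", signature)
            ? "RSA-SHA256 signature verified"
            : "RSA-SHA256 signature failed to verify");
    }
}
```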