c# .net cryptography smartcard x509certificate2

Decryption with PublicKey of Smartcard Certificate


I'm currently using a smartcard from a German project to secure/encrypt certain data of cash register systems (called INSIKA, if there is anyone that knows about this). The smartcard contains a certificate with an unknown private key to encrypt and a public key to decrypt data. The data can be encrypted using functionality of the smartcard itself. Unfortunately there is no such method for the decryption of the encrypted data.

The INSIKA documentation mentions that I should be able to read the certificate stored on the smartcard and get the public key that I can use to actually decrypt the data myself. But somehow I cannot find a proper way to do this. Using the smartcard I get:

  • A byte array containing the raw data of the certificate
  • An X509Certificate2 instance using the constructor of this class and the raw data
  • A public key byte array using the GetPublicKey() method of the certificate instance
  • The property PublicKey containing some information like Oid or an AlgorithmId

Most of my search results so far have suggested that I should use some code that looks like the following:

RSACryptoServiceProvider provider = (RSACryptoServiceProvider) certificate.PublicKey.Key;
byte[] decryptedData = provider.Decrypt(signature.SignatureByteArray, false);

However, accessing the .Key property throws a NotSupportedException with the message "The certificate key algorithm is not supported.". The certificate's PublicKey.Oid property contains the information that the public key algorithm is ECC (elliptic curve cryptography).

Does anybody have any suggestions what I can do to decrypt the data I managed to encrypt using the information I have? Is it possible that I am missing some part of the certificate or some needed functionality to select the correct key algorithm? Is there another way to use the public key (e.g. the byte array) to manually instantiate some decryption class (all example codes I have found require some information that I do not have or do not know where to get like modulus or exponent)? Thanks in advance!


Solution

  • You cannot decrypt signatures. You can only verify them. Decryption and verification are different concepts and PKCS#1 compatible RSA uses different padding mechanisms - and of course different keys - for both.

    Please take a look at the VerifyData and VerifyHash methods of RSACryptoServiceProvider instead. You cannot decrypt a signature (and if you could you would just get back the one-way-hash value, not the data, in 99% of the cases).
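
The verification this answer describes, applied to the ECC key from the question, as an added example that is not part of the original answer or of the INSIKA project. It uses `GetECDsaPublicKey()` and `ECDsa.VerifyData` from .NET; the P-256 key, the self-signed certificate, SHA-256 and the fixed-length r||s signature layout are constructed stand-ins, and the card's real curve, hash and signature encoding have to come from the INSIKA specification.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class EcdsaCertificateVerifyDemo
{
    // Verifies `signature` over `data` with the ECDSA public key of a raw certificate.
    // Nothing is decrypted: the result is only "signature matches" or "does not match".
    static bool VerifyWithCertificate(byte[] rawCertificate, byte[] data, byte[] signature)
    {
        using (var certificate = new X509Certificate2(rawCertificate))
        using (ECDsa publicKey = certificate.GetECDsaPublicKey())
        {
            // GetECDsaPublicKey returns null when the certificate key is not ECDSA.
            if (publicKey == null)
                throw new NotSupportedException("Certificate does not carry an ECDSA public key.");

            // Assumption: SHA-256 over the data and an r||s signature (the .NET default).
            return publicKey.VerifyData(data, signature, HashAlgorithmName.SHA256);
        }
    }

    static void Main()
    {
        // Constructed stand-in for the smartcard: a fresh key pair plus a
        // self-signed certificate whose raw bytes play the role of the card's certificate.
        using (ECDsa cardKey = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        {
            var request = new CertificateRequest(
                "CN=Constructed demo card", cardKey, HashAlgorithmName.SHA256);
            byte[] rawCertificate;
            using (X509Certificate2 selfSigned = request.CreateSelfSigned(
                       DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30)))
                rawCertificate = selfSigned.RawData; // public part only

            byte[] data = Encoding.UTF8.GetBytes("constructed receipt record 0001");
            byte[] signature = cardKey.SignData(data, HashAlgorithmName.SHA256);

            Console.WriteLine("unmodified data: " +
                VerifyWithCertificate(rawCertificate, data, signature));

            data[0] ^= 0x01; // flip one bit of the signed record
            Console.WriteLine("tampered data:   " +
                VerifyWithCertificate(rawCertificate, data, signature));
        }
    }
}
```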