I want to be able to sign a file. By that I mean that the recipient can check that the file is indeed from me and can view its content. Is there any simple way to do that in C++?
I just had a look at the PGP article on Wikipedia but they lost me somewhere in the middle of "hashing, data compression, symmetric-key cryptography, and, finally, public-key cryptography". Ideally, I would like a library which has a function signString(string, privateykey)
and the recipient would have function readSignedString(string, publickey)
. Any suggestion?
Edit:
I'm not sure I'm using the right approach, so here is what I'm trying to do:
I want to implement some simple piracy protection in my desktop application. So when the user buy a license, I send them a signed file containing their name and email. The user then install the file and the app reads it: it checks the signature validity and displays the name/email (in the About box). To make sure that crackers cannot generate these files, I need to make sure that the key to decrypt the file is not t开发者_StackOverflow社区he same as the one to encrypt it. Is there any simple way to implement this?
OpenSSL is almost what you need. It doesn't have two such functions, but it's almost as easy. First of all, every digital signature requires a hash algorithm. The reason is that you don't encrypt the file, you only encrypt the file hash (it would take too long to verify otherwise).
With OpenSSL you can use something like this:
#include <openssl/evp.h>
EVP_MD_CTX ctx;
unsigned char signature[SIGNATURE_LEN];
int signature_len;
EVP_SignInit(&ctx, EVP_sha1());
EVP_SignUpdate(&ctx, data, size);
EVP_SignFinal(&ctx, signature, &signature_len, pkey);
And pretty much the same for validating the signature, only using EVP_ValidateInit
, EVP_ValidateUpdate
and EVP_ValidateFinal
. The last function returns 0/1 to say whether validation succeeded or not.
You still need to get the key into the application, there are quite a few functions to do that, depending on where you read it from (file/memory/certificate etc.)
You can also use Keyczar for encrypting and decrypting your file.
But actually you can't crack-proof your program like this, It makes it harder, but crackers can disassemble your program, find the function that checks the validity of those signed files, and change it to accept any kinds of files.
You might want to take a look at the GNU version of PGP, GnuPG, it uses a OSS lib called libgcrypt http://directory.fsf.org/project/libgcrypt/ which looks to be able to do what you want. http://www.gnupg.org/documentation/manuals/gcrypt/ for the manual.
For information, after having tried most of the suggestions here, I ended up using the openpgp command line tool. It's quite lightweight once UPXed, it's cross-platform and it does what I need in an easy way.
精彩评论