AADDeviceTrust.Client

1.0.0

Private/New-RSACertificateSignature.ps1

                                function New-RSACertificateSignature {

    <#

    .SYNOPSIS

        Creates a new signature based on content passed as parameter input using the private key of a certificate determined by it's thumbprint, to sign the computed hash of the content.

    .DESCRIPTION

        Creates a new signature based on content passed as parameter input using the private key of a certificate determined by it's thumbprint, to sign the computed hash of the content.

        The certificate used must be available in the LocalMachine\My certificate store, and must also contain a private key.

    .PARAMETER Content

        Specify the content string to be signed.

    .PARAMETER Thumbprint

        Specify the thumbprint of the certificate.

    .NOTES

        Author:      Nickolaj Andersen / Thomas Kurth

        Contact:     @NickolajA

        Created:     2021-06-03

        Updated:     2021-06-03

        Version history:

        1.0.0 - (2021-06-03) Function created

        Credits to Thomas Kurth for sharing his original C# code.

    #>

    param(

        [parameter(Mandatory = $true, HelpMessage = "Specify the content string to be signed.")]

        [ValidateNotNullOrEmpty()]

        [string]$Content,

        [parameter(Mandatory = $true, HelpMessage = "Specify the thumbprint of the certificate.")]

        [ValidateNotNullOrEmpty()]

        [string]$Thumbprint

    )

    Process {

        # Determine the certificate based on thumbprint input

        $Certificate = Get-ChildItem -Path "Cert:\LocalMachine\My" -Recurse | Where-Object { $PSItem.Thumbprint -eq $CertificateThumbprint }

        if ($Certificate -ne $null) {

            if ($Certificate.HasPrivateKey -eq $true) {

                # Read the RSA private key

                $RSAPrivateKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)

                if ($RSAPrivateKey -ne $null) {

                    if ($RSAPrivateKey -is [System.Security.Cryptography.RSACng]) {

                        # Construct a new SHA256Managed object to be used when computing the hash

                        $SHA256Managed = New-Object -TypeName "System.Security.Cryptography.SHA256Managed"

                        # Construct new UTF8 unicode encoding object

                        $UnicodeEncoding = [System.Text.UnicodeEncoding]::UTF8

                        # Convert content to byte array

                        [byte[]]$EncodedContentData = $UnicodeEncoding.GetBytes($Content)

                        # Compute the hash

                        [byte[]]$ComputedHash = $SHA256Managed.ComputeHash($EncodedContentData)

                        # Create signed signature with computed hash

                        [byte[]]$SignatureSigned = $RSAPrivateKey.SignHash($ComputedHash, [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

                        # Convert signature to Base64 string

                        $SignatureString = [System.Convert]::ToBase64String($SignatureSigned)

                        # Handle return value

                        return $SignatureString

                    }

                }

            }

        }

    }

}