Hi,
I succeeded to get rid of the verification error.
I modified signBase64SignatureDSA in OpenSSLCryptoKeyEC.cpp as follows:
unsigned int OpenSSLCryptoKeyEC::signBase64SignatureDSA(unsigned char *
hashBuf,
unsigned int hashLen,
char * base64SignatureBuf,
unsigned int base64SignatureBufLen) {
// Sign a pre-calculated hash using this key
if (mp_ecKey == NULL) {
throw XSECCryptoException(XSECCryptoException::ECError,
"OpenSSL:EC - Attempt to sign data with empty
key");
}
ECDSA_SIG * dsa_sig;
dsa_sig = ECDSA_do_sign(hashBuf, hashLen, mp_ecKey);
if (dsa_sig == NULL) {
throw XSECCryptoException(XSECCryptoException::ECError,
"OpenSSL:EC - Error signing data");
}
// Now turn the signature into a base64 string
bool rOdd = false, sOdd = false;
int rLen = BN_num_bytes(dsa_sig->r);
if (rLen%2) {
rLen++;
rOdd = true;
}
int sLen = BN_num_bytes(dsa_sig->s);
if (sLen%2) {
sLen++;
sOdd = true;
}
unsigned char* rawSigBuf = new unsigned char[rLen+sLen];
memset((void *)rawSigBuf, '\0', rLen+sLen);
ArrayJanitor<unsigned char> j_sigbuf(rawSigBuf);
if (rOdd) {
if (BN_bn2bin(dsa_sig->r, rawSigBuf+1) <= 0) {
throw XSECCryptoException(XSECCryptoException::ECError,
"OpenSSL:EC - Error converting signature to raw
buffer");
}
}
else {
if (BN_bn2bin(dsa_sig->r, rawSigBuf) <= 0) {
throw XSECCryptoException(XSECCryptoException::ECError,
"OpenSSL:EC - Error converting signature to raw
buffer");
}
}
if (sOdd) {
if (BN_bn2bin(dsa_sig->s, rawSigBuf+rLen+1) <= 0) {
throw XSECCryptoException(XSECCryptoException::ECError,
"OpenSSL:EC - Error converting signature to raw
buffer");
}
}
else {
if (BN_bn2bin(dsa_sig->s, rawSigBuf+rLen) <= 0) {
throw XSECCryptoException(XSECCryptoException::ECError,
"OpenSSL:EC - Error converting signature to raw
buffer");
}
}
// Now convert to Base 64
BIO * b64 = BIO_new(BIO_f_base64());
BIO * bmem = BIO_new(BIO_s_mem());
BIO_set_mem_eof_return(bmem, 0);
b64 = BIO_push(b64, bmem);
// Translate signature to Base64
BIO_write(b64, rawSigBuf, rLen+sLen);
BIO_flush(b64);
unsigned int sigValLen = BIO_read(bmem, base64SignatureBuf,
base64SignatureBufLen);
ECDSA_SIG_free(dsa_sig);
BIO_free_all(b64);
if (sigValLen <= 0) {
throw XSECCryptoException(XSECCryptoException::ECError,
"OpenSSL:EC - Error base64 encoding signature");
}
return sigValLen;
}
I am not an expert on elliptic curve cryptography so my analysis may go
wrong but the issue seemed to be that generated
signature length can vary because signature must be different and unique
each time signing is done. Therefore
the length can be shorter than expected which has to be taken into
account. I am not claiming that these changes
work in all cases because I tested code only with my simple test case.
Anyway I hope this helps to find a better
solution for the problem.
Thanks
Raino
----------------------------------------------------------------
Please note: This e-mail may contain confidential information
intended solely for the addressee. If you have received this
e-mail in error, please do not disclose it to anyone, notify
the sender promptly, and delete the message from your system.
Thank you.
