Peter Williams wrote:
> 
> 
> 
>> From: matheus ribeiro <[EMAIL PROTECTED]>
>> Reply-To: MUSCLE  <[email protected]>
>> To: [email protected]
>> Subject: [Muscle] Re: Probs with muscle applet
>> Date: Sun, 6 Nov 2005 16:03:55 +0000
>>
>>>
>> > Then I tried the encrypt with RSA and no padding with success. After
>> > this the algorithm is fixed to RSA with no padding and I get a 9c03
>> > error if I try to use RSA with PKCS#1 padding. You should have the
>> > same behaviour. So if you want to sign something you must hash it, pad
>> > it on your own and encrypt the hash with RSA no padding.
> 
> 
> yup.
> 
> This is muscletool's use of the musclecard API, not an applet issue (or
> an issue of the cardedge API). I always assume that muscletool's very
> limited sign capability had become tweaked at some point from its
> general solution: tweaked to emulate something (or participate in
> something) required perhaps by some Linux PAM scheme.

That's not true for the muscleTool version he uses. It supports all
algorithms the applet (or the MCardPlugin claims to support) supports.
(Although this could be improved because the actual supported algorithms
could be requested by a call to MSCGetCapabilities(), which is not done
at the moment and all possible algorithms are listed.) That means that
if you request a signature with RSA and PKCS#1 padding using an MD5 hash
exactly this operation is delegated to the API. If the API cannot handle
it there is an error. But if the applet and the plug-in support this
you get a real RSA signature with MD5 as hash and PKCS#1 padding. You
can also use the convenience function filecrypt which accepts a file and
writes the result to a file.

But usually this raw data is wrapped in some container, e.g. PKCS#7, so
the raw data may be useless, which could also be improved, but the
currently available APIs (at least OpenSSL, BouncyCastle and other common
libraries for PKCS#7) are too limited, because they always require a
private RSA key and want to do the signature on their own, which is in no
way convenient for a smart card solution. (NSS or JSS, respectively, from
Mozilla is the only exception to this insufficient API architecture.)

Karsten

> 
> The bottom line is: don't accept muscletool's do_sign() and do_encrypt():
> rewrite them for your specific needs. They are good API demos, tho.
> 
> 
> _______________________________________________
> Muscle mailing list
> [email protected]
> http://lists.drizzle.com/mailman/listinfo/muscle
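
The workaround described in the thread (hash on the host, apply PKCS#1 v1.5 signature padding yourself, then hand the block to the card's "RSA, no padding" operation), as an added example that is not part of the original messages or of muscleTool. The function names, the toy key built from two Mersenne primes, and `card_raw_rsa` as a stand-in for the card are assumptions made for illustration.

```python
import hashlib

# DER DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2).
DIGESTINFO_PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def emsa_pkcs1_v15(message, k, hash_name="md5"):
    """Hash and pad on the host: 00 01 FF..FF 00 || DigestInfo, k bytes long."""
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if k < len(t) + 11:  # at least eight FF bytes are required
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def card_raw_rsa(block, n, d):
    """Hypothetical stand-in for the card's 'RSA, no padding' private-key op."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(block, "big")
    if len(block) != k or m >= n:
        raise ValueError("block must be exactly one modulus-sized value below n")
    return pow(m, d, n).to_bytes(k, "big")

def verify(message, signature, n, e, hash_name="md5"):
    """Recover the block with the public key and compare against a fresh encoding."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return recovered == emsa_pkcs1_v15(message, k, hash_name)

# Constructed toy key from two Mersenne primes: demonstration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # requires Python 3.8+

def sign(message, hash_name="md5"):
    k = (N.bit_length() + 7) // 8
    return card_raw_rsa(emsa_pkcs1_v15(message, k, hash_name), N, D)

if __name__ == "__main__":
    sig = sign(b"constructed sample message")
    print(len(sig), verify(b"constructed sample message", sig, N, E))
```

The verifier rebuilds the expected block and compares it whole instead of parsing the recovered padding, which avoids accepting blocks with trailing garbage after the digest.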
