this may be - but what happens if you have a \n\r or \r\n in your raw data, before the pkcs7 code (of openssl?) does the conversion? do i get \n\r\r maybe? i didn't check that closely till now, so debugging of off pkcs#7 stuff, would be possible, but does it make sense?
Ives Steglich wrote:
Ives Steglich wrote:
actually - i'm that far, that the code itself seems to be fine in most cases, since i got the pub-user-test certificate working
the problem there was: the signing text had a \n at the end, but the text used to verify against didn't have \n at the end - so the verify fails... i just removed all \n inside the text for generating the signature - and it just worked...
i have deactivated the unlink of the temp files, so i could verify at least this problem:
\n is usually put as: 0x0A
the used data for verification contains: 0x0D0A which is equivalent to \r\n so somewhere happens this conversion step... but i don't know where right now ;o( - at least the data i find at the temporary file, and this is used for verification
so the question is, when and where this converting happens, since i don't have in mind we would do some unix/dos linefeed conversion, maybe the browser does, but i don't think so...
Isn't this conversion needed by the PKCS7-Standard? As I remember the S/MIME-Standard you have to convert a "\n" line-ending into "\r\n", before calculating the digest. This is called the "canonical" format.
anyhow - if i remove the 0D byte from the used data for verification
it is working, that's the point, and those data from the file, should be the one sent by the browser and this should only contain a \n without \r
if i take some data sign it with openca-sv and verify it again, it's all working fine, so with the removed \r - and this is how it is supposed to work, the canonicalization should be done by openca-sv or openssl libs, not i have to provide it... i give the data which has to be signed or verified and this could contain just \n ;o) or no \n whatever...
and it doesn't bring me further, since there is no canonicalization anywhere in the code before, since all used function also used for other things, and it wouldn't make sense...
so the problem is still open ;o(
greetings dalini
--
Ives Steglich
Email: [EMAIL PROTECTED]
System Administration
Tel.: +49 (0)3677 - 69 4882
Fax: +49 (0)3677 - 69 4399
Fraunhofer Institute for Digital Media Technology
Langewiesener Strasse 22
98693 Ilmenau
Germany
Email (private): [EMAIL PROTECTED]
http://www.openca.org
_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
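
An added example (not code from this thread or from OpenCA) that reproduces the two mismatches discussed above: \n versus \r\n in the data being verified, and a trailing \n present on only one side. The function names, the sample bytes and the use of SHA-256 are assumptions for illustration; the naive replace shows how an existing \r\n turns into \r\r\n.

```python
import hashlib
import re


def naive_crlf(data: bytes) -> bytes:
    """Blind LF -> CRLF replace; doubles the CR of an existing CRLF."""
    return data.replace(b"\n", b"\r\n")


def canonicalize(data: bytes) -> bytes:
    """Idempotent conversion: CRLF stays CRLF, bare LF or bare CR become CRLF."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", data)


def digest(data: bytes) -> str:
    # SHA-256 is an assumption; any digest shows the same effect.
    return hashlib.sha256(data).hexdigest()


def diagnose(signed: bytes, to_verify: bytes) -> str:
    """Classify why the bytes that were signed differ from the bytes verified."""
    if signed == to_verify:
        return "identical"
    a, b = canonicalize(signed), canonicalize(to_verify)
    if a == b:
        return "line-endings-only"
    if a.rstrip(b"\r\n") == b.rstrip(b"\r\n"):
        return "trailing-newline"
    return "content-differs"


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread's temp files.
    signed = b"first line\nsecond line\n"
    received = b"first line\r\nsecond line\r\n"
    print(diagnose(signed, received), digest(signed) == digest(received))
    print(diagnose(b"text\n", b"text"))
    print(naive_crlf(b"a\r\nb"), canonicalize(b"a\r\nb"))
```

Running both byte strings through `canonicalize` before hashing gives the same digest regardless of which side converted the line endings.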