Sievänen Markku wrote:
> 
> Hi!
> 
> Yes I know that, but in my example below my decrypt function also removes
> the padding.
> But my key point was that in the OCF API documentation in the *Verify*
> functions the signature is the input parameter to the PKA algorithm, not the
> hash value!

The way I read the documentation (for whatever it's worth), is
you pass both the byte[] data and the byte[] signature to the
verifySignedData function.  The verifySignedData then
1. hashes the data passed to it, 2. decrypts the signature,
and 3. compares hash values (after removing the padding). It
returns true if the hash values are the same.

So you don't need to separately hash the data for the
verification: the verify function does that. 

------------------------------------------------- 
> MaSi
> 
> -----Original Message-----
> From: J. Orlin Grabbe [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 09, 1999 9:30 PM
> To: Sievänen Markku
> Cc: 'opencard'
> Subject: Re: �OCF� Signature Card Service
> 
> Sievänen Markku wrote:
> >
> (relevant excerpt, full letter below):
> > In my understanding when you verify signature, you first hash the data and
> > THEN YOU APPLY THE PKA ALGORITHM (USING SIGNER'S PUBLIC KEY) TO THE
> > SIGNATURE (DECRYPT) AND THEN COMPARE THE RESULT TO THE HASH VALUE YOU
> > CALCULATED EARLIER FROM THE DATA.
> 
> No.  After doing the hash (the message digest), the hash value, which
> is typically 128 or 160 bits long, is padded to bring it up to the
> length of the key modulus (typically 1024 bits).
> 
> For a detailed example of the padding, with numbers, see my
> article "Digital Signatures Illustrated" at
> 
> http://www.aci.net/kalliste/digsig.htm
> 
> Orlin Grabbe
> http://www.aci.net/kalliste/homepage.html
> 
> --------------
> 
> > Hi OCF-people!
> >
> > I read the API-documentation of the Signature Card Service. I got a little
> > confused about the documentation of the *Verify* functions? For example the
> > API says:
> >
> >
> > ----------------------------------------------------------------------------
> > verifySignedData
> >
> > public boolean verifySignedData(PublicKeyRef publicKey,
> >                                 java.lang.String signAlgorithm,
> >                                 byte[] data,
> >                                 byte[] signature)
> >                          throws opencard.core.service.CardServiceException,
> >                                 java.security.InvalidKeyException,
> >                                 opencard.core.terminal.CardTerminalException
> >
> >     Verify a digital Signature including hashing. First hash the data, then
> >     pad the hash, apply the PKA algorithm to the padded hash, then compare
> >     the result to the provided signature.
> >
> > ----------------------------------------------------------------------------
> >
> > In my understanding when you verify signature, you first hash the data and
> > THEN YOU APPLY THE PKA ALGORITHM (USING SIGNER'S PUBLIC KEY) TO THE
> > SIGNATURE (DECRYPT) AND THEN COMPARE THE RESULT TO THE HASH VALUE YOU
> > CALCULATED EARLIER FROM THE DATA.
> >
> > So, I think that the explanation of all *Verify* functions are incorrect.
> >
> > Or am I missing something?
> >
> > Regards,
> >
> > MaSi
> >
> >
> > ----------------------------------------------------------------------------
> > Markku Sievänen      Tel: +358 9 8941 4253
> > Setec Oy                      Fax: +358 9 878 6133
> > P. O. Box 31                 E-mail: [EMAIL PROTECTED]
> > FIN-01741 Vantaa
> > Finland
> >
> > Visit the OpenCard Framework's WWW site at http://www.opencard.org/ for
> > access to documentation, code, presentations, and OCF announcements.
> > ----------------------------------------------------------------------------
> > To unsubscribe from the OCF Mailing list, send a mail to
> > "[EMAIL PROTECTED]" with the word "unsubscribe" in the BODY of the
> > message.
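
The verification discussed in this thread, as an added example that is not part of the original messages or of OCF: with RSA and PKCS #1 v1.5 padding, applying the public key to the signature recovers the padded hash, which is then compared with the padded hash computed from the data. The key is a constructed toy key (two Mersenne primes, trivially factorable), SHA-1 is an assumed choice of hash, and all function names are hypothetical.

```python
import hashlib

# Constructed toy key for illustration only: both primes are Mersenne primes,
# so the modulus is trivially factorable. Never use such a key in practice.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus length in bytes (141 here)

# DER-encoded DigestInfo header for SHA-1, as defined by PKCS #1 v1.5.
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def pad_hash(data: bytes) -> bytes:
    """Hash the data, then pad to modulus length: 00 01 FF..FF 00 DigestInfo."""
    t = SHA1_PREFIX + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(data: bytes) -> bytes:
    """Signer side: private-key operation on the padded hash."""
    m = int.from_bytes(pad_hash(data), "big")
    return pow(m, D, N).to_bytes(K, "big")

def public_op(signature: bytes) -> bytes:
    """Public-key operation on the signature; recovers the padded hash."""
    return pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")

def verify_signed_data(data: bytes, signature: bytes) -> bool:
    """Hash and pad the data, recover the block from the signature, compare."""
    if len(signature) != K or int.from_bytes(signature, "big") >= N:
        return False
    # Compare the whole padded block rather than stripping the padding and
    # comparing only the hash, so malformed padding is rejected too.
    return public_op(signature) == pad_hash(data)

if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(msg)
    print(public_op(sig).hex())                  # recovered padded block
    print(verify_signed_data(msg, sig))          # True
    print(verify_signed_data(msg + b"!", sig))   # False
```

The caller passes only the data and the signature; the hash is computed inside the verify function.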