Albert Solana wrote:
Hi all,
While trying to sign using some examples apps written in Java and C
using PKCS#11 and OpenSC, the verification always fails. Using the
command `pkcs11-tool -l -t`, which signs some random data, fails as
well.
After some tests, I have realized that whenever the signature buffer's
size is bigger than the exact signature length, fails on verification
procedure.
Regarding to PKCS#11 standard v2.20, section 11.2:
---->%----->%-----
If pBuf is not NULL_PTR, then *pulBufLen must contain the size in bytes
of the buffer pointed to by pBuf. If that buffer is large enough to hold
the cryptographic output produced from the input to the function, then
that cryptographic output is placed there, and CKR_OK is returned by the
function. If the buffer is not large enough, then CKR_BUFFER_TOO_SMALL
is returned. In either case, *pulBufLen is set to hold the exact number
of bytes needed to hold the cryptographic output produced from the input
to the function.
---->%----->%-----
So, according to it, OpenSC should return the exact number of bytes
needed. I attach a patch with the minimun code's modifications, that
I've tested and worked for me.
don't change the prototype of an exported function ! If we really
need this functionality we need to create new functions with a
different name.
Btw: both functions, sc_pkcs15_compute_signature() and sc_compute_signature(),
return the length of the compute signature (if the return value is > 0).
Of course this doesn't really help if the buffer is too small ...
Cheers,
Nils
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
