Hi Douglas,

I'm trying to get a signature with the PIV card and verify it with 'openssl pkeyutl'. I use EC key #04 "CARD AUTH Key".

It fails because of the 'raw' output format of the signature produced by OpenSC. OpenSSL expects the signature as an ASN1 sequence of two integers.

I've seen your comments in card-piv.c:
https://github.com/OpenSC/OpenSC/blob/staging/src/libopensc/card-piv.c#L2023

> /* The PIV returns a DER SEQUENCE{INTEGER, INTEGER}
> * Which may have leading 00 to force positive
> * TODO: -DEE should check if PKCS15 want the same

It seems that PKCS#15 really wants it.

> * But PKCS11 just wants 2* filed_length in bytes

Can you explain more? Why does it want 'raw' data?

> * So we have to strip out the integers
> * if present and pad on left if too short.
> */

I would propose to keep the ASN1 encoded data at the PKCS#15 level and, if needed, to convert it to the 'raw' format by a dedicated procedure in the pkcs15 framework of pkcs11.

Kind regards,
Viktor.

--
Viktor Tarasov <viktor.tara...@opentrust.com>
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
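
The conversion discussed in the message above, from a 'raw' r || s signature to the DER SEQUENCE{INTEGER, INTEGER} that OpenSSL expects, as an added example that is not part of the original message and is not OpenSC code. The names ecdsa_raw_to_der and put_der_int are hypothetical, and the code assumes both halves of the raw signature have the same length, at most 66 bytes (P-521).

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: write one half of a raw signature as a DER INTEGER. */
static size_t put_der_int(const unsigned char *v, size_t len, unsigned char *out)
{
    size_t n = 0;
    int pad;
    /* DER wants the minimal encoding: drop leading zero bytes (keep one). */
    while (len > 1 && v[0] == 0x00) { v++; len--; }
    /* A set top bit would read as negative, so a 00 byte is prefixed. */
    pad = (v[0] & 0x80) != 0;
    out[n++] = 0x02;                       /* INTEGER tag */
    out[n++] = (unsigned char)(len + pad); /* at most 67, short form */
    if (pad) out[n++] = 0x00;
    memcpy(out + n, v, len);
    return n + len;
}

/*
 * raw: r || s, each field_len bytes (raw_len == 2 * field_len).
 * der: output buffer of der_cap bytes. Returns the DER length, 0 on error.
 */
size_t ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len,
                        unsigned char *der, size_t der_cap)
{
    unsigned char body[2 * (2 + 1 + 66)];  /* two INTEGERs, up to P-521 */
    size_t field_len = raw_len / 2, body_len, hdr;

    if (raw_len == 0 || (raw_len & 1) || field_len > 66)
        return 0;
    body_len  = put_der_int(raw, field_len, body);
    body_len += put_der_int(raw + field_len, field_len, body + body_len);

    hdr = (body_len < 128) ? 2 : 3;        /* long-form length for P-521 */
    if (der_cap < hdr + body_len)
        return 0;
    der[0] = 0x30;                         /* SEQUENCE tag */
    if (hdr == 2) {
        der[1] = (unsigned char)body_len;
    } else {
        der[1] = 0x81;                     /* one length byte follows */
        der[2] = (unsigned char)body_len;
    }
    memcpy(der + hdr, body, body_len);
    return hdr + body_len;
}
```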