RE: RSA signing: Bouncy castle <-> Blackberry (Certicom) API interoperability problem

Tue, 04 Oct 2011 13:29:15 -0700 

> From: [email protected] On Behalf Of Sam SunSon
> Sent: Monday, 03 October, 2011 08:10

> I`m working on  RSA sign functionality for my application:  
> RSA signature
> should be generated on device using Blackberry (Certicom) API 
> and verified on PC using OpenSSL.
>
> Code of Sign function is listed below: <snip; compressed:>         
> RSAPrivateKey privKey = new RSAPrivateKey(new
RSACryptoSystem(modulusBitLength), 
>         <CRT fields from PKCS11 or similar>)
> PKCS1SignatureSigner signer = new PKCS1SignatureSigner(key,
>                               new SHA1Digest() , useASN1);
> signer.update(inputData, 0, (int)inputDataLen.longVal);

> signer.sign(outputData, 0);
> outputDataLen.longVal = signer.getLength();

Your subject says BouncyCastle <-> Blackberry 
but your message says BlackBerry -> OpenSSL, 
and this is an OpenSSL maillist.
That code sure looks like Java, but using some API 
(Blackberry?) that is neither JCE nor BouncyCastle.
Those have no class RSAPrivateKey that I can find; 
there are 2 *interfaces* RSAPrivateKey and RSAPrivateCrtKey 
and 2 *classes* RSAPrivateKeySpec and RSAPrivateCrtKeySpec 
and the last has a ctor not quite matching your use.
Also I see class (or interface) PKCS1SignatureSigner 
and the methods you use on it are not those of a 
java.security.Signature although they look like they 
have similar functionality. If I use the JCE API and do:
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(k);
        s.update(b);
        byte [] x = s.sign();
where k is the (RSA)PrivateKey and b is the byte[] data 
the resulting signature verifies with OpenSSL.

> 
> 
> Generated signature passed a verification on Blackberry side, 
> but fails on
> PC side, when I try to verify it with OpenSSL. Input/output 
> parameters on
> both sides are same, digest of data on device is equal to 
> digest of data on
> PC.
> 
Exactly what digests? Do you mean SHA1 of the data computed 
on the Blackberry by whatever equals SHA1 of the same data 
computed on the PC by OpenSSL? Commandline or program? 

How do you try to verify with OpenSSL -- commandline and 
what options, or program and what calls? Exactly what errors 
or other results do you get?



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]

Reply via email to