> David, > When I sign the same hash with the same certificate I should get the same > signature. That sounds pretty logical to me.
Really? So if you sign the same contract twice, the two signatures will be precisely identical? > The company I'm doing this > project for also told me that I should get the same result as the one > CryptSignHash gives me, that's why I'm trying to get 2 identical results. By "the same result", I hope that they mean the same logical result. You will not get the exact same value. Suppose, for example, there were certain hash values that could weaken RSA keys. If I create a document that you have to sign, I can engineer the document so that the hash you wind up signing is one of those hash values. (Because I know the hash you are going to sign.) Adding random padding means an attacker, even if he chooses the plaintext you sign, cannot chose the hash you sign. Is this serious? No. But algorithms are not deliberately designed with vulnerabilities just because those vulnerabilities are not serious. If you are comparing the two signatures for literal equality, what you are doing makes no sense. One more point, and I apologize for having to bring this up. You are doing a security-related task for which you are not competent. Even if your code appears to work in simple test cases, there is a serious chance that it will have vulnerabilities that could compromise security. For example, if you had used 'strlen', an attacker could trivially create multiple documents that appear to have the same hash simply by choosing documents whose hashes all begin with a zero byte. If anyone is going to rely on your code, you are doing the equivalent of building a suspension bridge that will carry traffic. That takes an expert. That's just a fact. If you blunder you way through it, you will make every mistake. And some of them will leave code that appears to work. DS ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org