On 5/06/2010 12:56 AM, Fares Gianluca wrote:
Hi all, I’m trying to figure out why my X509_REQ signature is always not verified. I’m using openssl-1.0.0 and gclib.dll provided by gemalto.
It is helpful to actually provide a complete working example rather than just a subset. However in this case the simple fix to the code is to pass in the correct information to C_Sign:
just change:

    if ((rv = (C_Sign(hSession, m, m_len, buf_out, &outl))) != CKR_OK) {

to the following:

    if ((rv = (C_Sign(hSession, p, inl, buf_out, &outl))) != CKR_OK) {

You can remove the manual digest calls in the block before that as they are not required.
Basically the C_Sign operation wants the whole data passed to it (the request) and not a pre-calculated digest.
After doing that the code will work on devices where that template is accepted. Generally you require additional information in the template when creating keys making it clear which of the various operations are permitted.
http://www.cryptsoft.com/pkcs11doc/v220/ contains the documentation for the current version of the PKCS#11 standard which also helps when working with various vendor devices.
The "bad signature" is a rather accurate and precise error return - you were presenting a signature for different data (a digest) for verification against the request.
Tim.
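The mismatch described in the reply above, as an added example that is not part of the original message or the poster's code. It assumes a hash-then-sign mechanism (for instance CKM_SHA1_RSA_PKCS, which the thread does not name), models the token with a hypothetical `token_sign` function, and uses a constructed, insecure demo key so it runs offline.

```python
import hashlib

# Constructed demo key, NOT secure: two Mersenne primes so the block runs offline.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DER prefix of a SHA-1 DigestInfo (PKCS#1 v1.5 encoding)
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def emsa_pkcs1_v15(data: bytes) -> int:
    """Hash data with SHA-1 and build the block 00 01 FF..FF 00 DigestInfo."""
    t = SHA1_PREFIX + hashlib.sha1(data).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def token_sign(data: bytes) -> int:
    """Hypothetical stand-in for C_Sign (assumed hash-then-sign mechanism):
    the token hashes whatever input it is given before signing."""
    return pow(emsa_pkcs1_v15(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    """Verifier side: hash the data it was given and compare encodings."""
    return pow(sig, E, N) == emsa_pkcs1_v15(data)

def demo():
    # Constructed stand-in for the encoded request that gets signed.
    request = b"constructed stand-in for the DER-encoded request"
    digest = hashlib.sha1(request).digest()
    buggy = token_sign(digest)   # digest passed in: signs SHA1(SHA1(request))
    fixed = token_sign(request)  # whole data passed in, as the reply suggests
    return verify(request, buggy), verify(request, fixed)

if __name__ == "__main__":
    print(demo())
```

The signature made from the pre-computed digest is still a valid signature, only over the digest bytes rather than the request, which is why the verifier reports a bad signature instead of a malformed one.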