Java signature verification fail in openssl
Hi, can anyone tell me why signature verification in OpenSSL fails when the message is signed by Java (IBM FIPS compliant)? I am using OpenSSL 0.9.8g on PowerPC. I am getting the error at this line of source code in RSA_verify():

    if (((unsigned int)sig->digest->length != m_len) || (memcmp(m,sig->digest->data,m_len) != 0))

The values are:

    m data :a12df146d87db3ce911e61444eed322bbd027a58cfa27ceec3626317ebe62f89
    sig->digest->data :�*�H�b9���A6w�(�
    Memcompare fail
    mLen :64
    sig->digest->length :20

Why is this happening? Is it due to the d2i_X509_SIG() function?

--
View this message in context: http://old.nabble.com/Java-signature-verification-fail-in-openssl-tp32589928p32589928.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Java signature verification fail in openssl
On 10/4/2011 4:58 PM, brajan wrote:
> Hi, can anyone tell me why signature verification in OpenSSL fails when the message is signed by Java (IBM FIPS compliant)? I am using OpenSSL 0.9.8g on PowerPC. I am getting the error at this line of source code in RSA_verify():
>
>     if (((unsigned int)sig->digest->length != m_len) || (memcmp(m,sig->digest->data,m_len) != 0))
>
> The values are:
>
>     m data :a12df146d87db3ce911e61444eed322bbd027a58cfa27ceec3626317ebe62f89
>     sig->digest->data :�*�H�b9���A6w�(�
>     Memcompare fail
>     mLen :64
>     sig->digest->length :20
>
> Why is this happening? Is it due to the d2i_X509_SIG() function?

Was the signature made with a different hash algorithm than the one you try to use to verify it?
Re: Java signature verification fail in openssl
On Tue, Oct 4, 2011 at 10:58 AM, brajan balamurugan@gmail.com wrote:
> Hi, can anyone tell me why signature verification in OpenSSL fails when the message is signed by Java (IBM FIPS compliant)? I am using OpenSSL 0.9.8g on PowerPC. I am getting the error at this line of source code in RSA_verify():
>
>     if (((unsigned int)sig->digest->length != m_len) || (memcmp(m,sig->digest->data,m_len) != 0))
>
> The values are:
>
>     m data :a12df146d87db3ce911e61444eed322bbd027a58cfa27ceec3626317ebe62f89
>     sig->digest->data :�*�H�b9���A6w�(�
>     Memcompare fail
>     mLen :64
>     sig->digest->length :20

DSA? Java uses a DER encoded signature per RFC 3279:

    SEQUENCE ::= { r INTEGER, s INTEGER }

Jeff
RE: Java signature verification fail in openssl
From: owner-openssl-us...@openssl.org On Behalf Of brajan
Sent: Tuesday, 04 October, 2011 10:58

> Can anyone tell me why signature verification in OpenSSL fails when the message is signed by Java (IBM FIPS compliant)? I am using OpenSSL 0.9.8g on PowerPC. I am getting the error at this line of source code in RSA_verify():
>
>     if (((unsigned int)sig->digest->length != m_len) || (memcmp(m,sig->digest->data,m_len) != 0))
>
> The values are:
>
>     m data :a12df146d87db3ce911e61444eed322bbd027a58cfa27ceec3626317ebe62f89
>     sig->digest->data :?*?H?b9???A6w?(?
>     Memcompare fail
>     mLen :64
>     sig->digest->length :20

Assuming 'mLen' is the m_length/m_len passed to RSA_verify, it appears your digest-to-compare is 64 hex chars (32 bytes) while the digest specified by the signer is 20 bytes. It looks like you are computing the wrong hash, maybe SHA256 instead of SHA1, and also representing it wrongly.
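Added example, not part of the thread and not OpenSSL code: a stand-alone diagnostic for the mismatch discussed above. It assumes `di` is the DigestInfo recovered from the signature after PKCS#1 v1.5 padding removal, and it identifies the signer's hash by matching the fixed DER prefixes from RFC 8017 rather than parsing with d2i_X509_SIG(); `di_prefix`, `di_identify`, `di_check` and `demo_thread_case` are hypothetical names, and the SHA-1 digest in the sample is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
/* DER DigestInfo prefixes (RFC 8017, section 9.2, note 1); the digest follows. */
struct di_prefix { const char *name; size_t plen, dlen; unsigned char p[19]; };
static const struct di_prefix PREFIXES[] = {
    {"SHA-1", 15, 20, {0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,
                       0x1a,0x05,0x00,0x04,0x14}},
    {"SHA-256", 19, 32, {0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
                         0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20}},
};
enum di_result { DI_OK, DI_UNKNOWN, DI_HEX_TEXT, DI_WRONG_LENGTH, DI_WRONG_DIGEST };

/* Identify the signer's hash from the recovered DigestInfo, or return NULL. */
const struct di_prefix *di_identify(const unsigned char *di, size_t di_len)
{
    for (size_t i = 0; i < sizeof PREFIXES / sizeof PREFIXES[0]; i++) {
        const struct di_prefix *e = &PREFIXES[i];
        if (di_len == e->plen + e->dlen && memcmp(di, e->p, e->plen) == 0)
            return e;
    }
    return NULL;
}

/* Same comparison as the failing line in the post, but report why it fails. */
enum di_result di_check(const unsigned char *di, size_t di_len,
                        const unsigned char *m, size_t m_len)
{
    const struct di_prefix *e = di_identify(di, di_len);
    size_t i = 0;
    if (e == NULL) return DI_UNKNOWN;
    if (m_len == e->dlen)
        return memcmp(m, di + e->plen, m_len) == 0 ? DI_OK : DI_WRONG_DIGEST;
    while (i < m_len && isxdigit(m[i])) i++;
    /* Even-length, all-hex input is a printed digest, not raw digest bytes. */
    return (m_len && m_len % 2 == 0 && i == m_len) ? DI_HEX_TEXT : DI_WRONG_LENGTH;
}

/* Constructed sample: SHA-1 DigestInfo for "abc" checked against the post's m. */
enum di_result demo_thread_case(void)
{
    static const unsigned char di[35] = {
        0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14,
        0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
        0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d};
    const char *m = "a12df146d87db3ce911e61444eed322bbd027a58cfa27ceec3626317ebe62f89";
    return di_check(di, sizeof di, (const unsigned char *)m, strlen(m));
}
```

A `DI_HEX_TEXT` result with a 64-character input against a 20-byte signer digest corresponds to both problems named in the last reply: the digest was passed as hex text, and its decoded length (32 bytes) does not match the SHA-1 length in the DigestInfo.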
FIPS-capable OpenSSL that works on Windows NT
Hello,

Does anyone know how to produce a FIPS-capable OpenSSL that works on Windows NT?

I have built the latest FIPS-capable OpenSSL (openssl-fips-1.2.3) with openssl-0.9.8r using MS Visual Studio .NET 2003 on Windows 7. I have a small app that uses the OpenSSL library (just encrypts/decrypts). It runs fine on Windows 7/32-bit.

But when I run it under Windows NT, I get the following run-time error:

    The procedure entry point Module32NextW could not be located in the dynamic link library KERNEL32.dll

So I re-built the FIPS-capable OpenSSL again specifying TARGET=VC-NT in ms/do_fips.bat. I then configured openssl-0.9.8r as follows:

    perl Configure VC-NT ...

And then rebuilt it as before. I still get the same run-time error on Windows NT.

I did some research and determined that the Module32NextW call is not available on Windows NT (it is available on Windows 2000 and above).

So is it possible to produce a working FIPS-capable OpenSSL without some hacking of the code to remove calls to Module32NextW and friends? Any ideas?

Thanks,
Bill
Re: FIPS-capable OpenSSL that works on Windows NT
On 10/4/2011 10:45 PM, Bill Durant wrote:
> Does anyone know how to produce a FIPS-capable OpenSSL that works on Windows NT?

It's likely not possible...

> But when I run it under Windows NT, I get the following run-time error:
>
>     The procedure entry point Module32NextW could not be located in the dynamic link library KERNEL32.dll

If you use the equivalent of nm against the fipscanister.lib, I'd expect you'll find the binding there. I see no reason the team would accommodate this in OpenSSL/FIPS 2.0, though.

Support for Windows NT 4.xx ended on December 31, 2004. Support for Windows 2000 ended on July 13, 2010. So updating security or cryptographic software validation for such systems is something of an oxymoron.
Re: FIPS-capable OpenSSL that works on Windows NT
On Wed, Oct 5, 2011 at 12:59 AM, William A. Rowe Jr. wr...@rowe-clan.net wrote:
> On 10/4/2011 10:45 PM, Bill Durant wrote:
>> Does anyone know how to produce a FIPS-capable OpenSSL that works on Windows NT?
>
> It's likely not possible...
>
>> But when I run it under Windows NT, I get the following run-time error:
>>
>>     The procedure entry point Module32NextW could not be located in the dynamic link library KERNEL32.dll

That's Windows 2000 and above.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684221%28v=vs.85%29.aspx

Jeff