That looks like it should solve the problem. I didn't actually try it out, because I'm trying to stay as close as I can to released code, and the change you checked in is more extensive than my simple-minded one.
My apologies for not checking CVS first. But maybe it's for the best; I'm inclined to think the XSCryptCryptoBase64 approach is better, too. That could just be foolish pride speaking, so here's some rationale:

- I'm a big fan of consistency. It simplifies understanding and maintenance. This would suggest that WinCAPICryptoKeyRSA::verifySHA1PKCS1Base64Signature() and OpenSSLCryptoKeyRSA::verifySHA1PKCS1Base64Signature() should use the same approach, and the former already uses XSCryptCryptoBase64. (It could be modified to match the latter, of course. See the next point...)
- Using XSCryptCryptoBase64 is simpler to implement and maintain because it uses a pre-existing class rather than adding a new function.
- It looks to me like using XSCryptCryptoBase64 avoids an unnecessary memory allocation and copy, which may mean it's more efficient.

> -----Original Message-----
> From: Berin Lautenbach [mailto:[EMAIL PROTECTED]
> Sent: Saturday, March 19, 2005 9:28 PM
> To: security-dev@xml.apache.org
> Subject: Re: XML-Security-C with OpenSSL overly strict about base64 line lengths
>
> Jesse Pelton wrote:
>
> > OpenSSLCryptoKeyRSA::verifySHA1PKCS1Base64Signature() uses OpenSSL's
> > EVP_Decode...() routines to decode the base64 contents of
> > SignatureValue. This fails if line breaks don't occur where OpenSSL
> > thinks they should. I think this is contrary to the specification (see
> > rationale below), and that this function should use XSCryptCryptoBase64,
> > as WinCAPICryptoKeyRSA::verifySHA1PKCS1Base64Signature() does, rather
> > than the EVP_Decode...() routines.
>
> Can you have a look at the code in CVS and let me know what you think?
> I fixed this a few months ago as I ran into the same problem. But in
> this case, rather than use XSCryptCryptoBase64 I now "clean" the buffer
> and still let OpenSSL do it. I suspect the better approach is as you
> propose - just use XSCryptCryptoBase64, but for some reason I decided to
> get fancy.
>
> Cheers,
> Berin
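
The decoding behaviour this thread asks for (base64 in SignatureValue accepted wherever its line breaks fall), shown as an added stand-alone example; it is not XML-Security-C code and uses neither XSCryptCryptoBase64 nor OpenSSL. The name decodeBase64Lenient and the sample strings are hypothetical, constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Map one base64 alphabet character to its 6-bit value, or -1 if it is not in the alphabet.
static int b64Value(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Hypothetical helper: decode base64, skipping whitespace wherever it occurs,
// so the result does not depend on where the sender wrapped the lines.
// Anything else outside the alphabet, or malformed padding, is rejected.
std::vector<uint8_t> decodeBase64Lenient(const std::string& in) {
    std::vector<uint8_t> out;
    uint32_t acc = 0;     // bit accumulator
    int bits = 0;         // number of valid bits currently held in acc
    int pad = 0;          // '=' characters seen so far
    std::size_t symbols = 0;  // non-whitespace characters seen so far
    for (unsigned char c : in) {
        if (c == ' ' || c == '\t' || c == '\r' || c == '\n') continue;
        ++symbols;
        if (c == '=') {
            if (++pad > 2) throw std::invalid_argument("too much base64 padding");
            continue;
        }
        int v = b64Value(c);
        if (v < 0 || pad > 0)  // bad character, or data after padding
            throw std::invalid_argument("invalid base64 input");
        acc = (acc << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<uint8_t>((acc >> bits) & 0xFF));
        }
    }
    if (symbols % 4 != 0) throw std::invalid_argument("truncated base64 input");
    return out;
}

int main() {
    // Constructed sample: the same text wrapped normally and at irregular positions.
    return decodeBase64Lenient("TWFu\n") == decodeBase64Lenient("T\nWF\r\n u") ? 0 : 1;
}
```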