In fact the sig spec specifically defines the ds:CryptoBinary type (4.0.1) and then talks about either a base64 binary encoding or ds:CryptoBinary encoding. The idea is that an int is simply represented in big-endian form with leading 0s removed, but base64 is used for cases where a signature value is not an INT (the spec uses the example of an HMAC).

Something like a BER encoded INT wrapped in base64 would not work well at all!

But - I suppose we could read it in. It just gets tricky to work out whether it is ASN encoded or a straight int.

Cheers,
        Berin

Milan Tomic wrote:

W3C XML Signature recommendation doesn't mention ASN.1 encoding for DSA:

http://www.w3.org/TR/xmldsig-core/#DSAKeyValue

http://www.w3.org/TR/xmldsig-core/#dsa-sha1

so I would say that proper signing procedure is not to encode DSA
signature in ASN.1 after signing and before Base64 encoding.

However, we could consider adding support for ASN.1 encoded DSA
signatures during verification process. Berin? Others?

Best regards,
Milan
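The two encodings under discussion, side by side, as an added example (not code from either poster or from the project): the spec form for dsa-sha1 is r and s each I2OSP-encoded with l = 20 and concatenated, while many crypto libraries emit a DER SEQUENCE of two INTEGERs instead. The decoder below takes the spec form at face value when the decoded value is exactly 40 bytes and otherwise insists on a complete, strictly encoded DER SEQUENCE; it assumes 160-bit DSA, which is the only parameter size the dsa-sha1 section covers.

```python
"""Normalise a DSA <SignatureValue> to (r, s): xmldsig-core raw r||s first,
ASN.1 DER SEQUENCE { INTEGER r, INTEGER s } as a tolerated fallback."""
import base64
import re

DSA_SHA1_L = 20  # I2OSP length per integer in the xmldsig-core dsa-sha1 section (160-bit DSA assumed)


def encode_raw(r, s):
    """Spec form: fixed-width big-endian r || s, base64, no ASN.1 wrapper."""
    return base64.b64encode(r.to_bytes(DSA_SHA1_L, "big") + s.to_bytes(DSA_SHA1_L, "big")).decode()


def _der_int(n):
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # +8 keeps a 0x00 pad when the high bit is set
    return b"\x02" + bytes([len(body)]) + body


def encode_der(r, s):
    """Non-spec form: SEQUENCE { INTEGER r, INTEGER s }; short-form lengths suffice for 160-bit r, s."""
    body = _der_int(r) + _der_int(s)
    return base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()


def _read_der_int(buf, i):
    """Strict DER INTEGER at offset i: short-form length, non-negative, minimal encoding."""
    if i + 2 > len(buf) or buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    n = buf[i + 1]
    if n == 0 or n >= 0x80 or i + 2 + n > len(buf):
        raise ValueError("bad INTEGER length")
    body = buf[i + 2:i + 2 + n]
    if body[0] & 0x80 or (n > 1 and body[0] == 0 and not body[1] & 0x80):
        raise ValueError("INTEGER negative or not minimal")
    return int.from_bytes(body, "big"), i + 2 + n


def decode_signature_value(text):
    """Return (form, r, s). A 40-byte value is the spec form and wins even though a DER
    SEQUENCE of two small integers could in principle also be 40 bytes long; that
    residual ambiguity is exactly why sniffing the encoding is tricky. Anything else
    must parse completely as a strict DER SEQUENCE with no trailing bytes."""
    raw = base64.b64decode(re.sub(r"\s+", "", text), validate=True)  # XML base64 may carry whitespace
    if len(raw) == 2 * DSA_SHA1_L:
        return "raw", int.from_bytes(raw[:DSA_SHA1_L], "big"), int.from_bytes(raw[DSA_SHA1_L:], "big")
    if len(raw) < 2 or raw[0] != 0x30 or raw[1] >= 0x80 or raw[1] != len(raw) - 2:
        raise ValueError("neither 40-byte r||s nor a DER SEQUENCE")
    r, i = _read_der_int(raw, 2)
    s, i = _read_der_int(raw, i)
    if i != len(raw):
        raise ValueError("trailing bytes after SEQUENCE")
    return "der", r, s
```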