In fact the sig spec specifically defines the ds:CryptoBinary type
(4.0.1) and then talks about either a base64 binary encoding or
ds:CryptoBinary encoding. The idea being that an int is simply
represented in big endian form with leading 0s removed, but base64 is
used for cases where a signature value is not an INT (the spec uses the
example of a HMAC).
Something like a BER encoded INT wrapped in base64 would not work well
at all!
But - I suppose we could read it in. It just gets tricky to work out
whether it is ASN encoded or a straight int.
Cheers,
Berin
Milan Tomic wrote:
The W3C XML Signature recommendation doesn't mention ASN.1 encoding for DSA:
http://www.w3.org/TR/xmldsig-core/#DSAKeyValue
http://www.w3.org/TR/xmldsig-core/#dsa-sha1
so I would say that the proper signing procedure is not to encode the DSA
signature in ASN.1 after signing and before Base64 encoding.
However, we could consider adding support for ASN.1 encoded DSA
signatures during the verification process. Berin? Others?
Best regards,
Milan
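An added example illustrating both messages above (written for this page; it is not code from the thread or from the Apache XML Security project): it produces the three encodings under discussion, the ds:CryptoBinary form of an integer (big-endian, leading zero octets dropped, then base64), the dsa-sha1 SignatureValue form from the section Milan links (I2OSP with l = 20 applied to r and s, concatenated, then base64), and the ASN.1 DER SEQUENCE of two INTEGERs that most DSA libraries emit, and then shows the "is it ASN.1 or a straight int" decision a lenient verifier would have to make. The DER encoder and parser are minimal ones written for this example, restricted to what a DSA signature can contain; the function and constant names are the example's own.

```python
"""DSA SignatureValue encodings for XML Signature (dsa-sha1) versus DER.

Added example for this thread; not project code. Pure Python, stdlib only.
"""
import base64

DSA_SHA1_INT_LEN = 20  # I2OSP length l = 20 (xmldsig-core, dsa-sha1 section)


def i2osp(n: int, length: int) -> bytes:
    """RFC 2437 I2OSP: fixed-width big-endian octet string."""
    if n < 0 or n >= 1 << (8 * length):
        raise ValueError("integer does not fit in %d octets" % length)
    return n.to_bytes(length, "big")


def os2ip(octets: bytes) -> int:
    return int.from_bytes(octets, "big")


def cryptobinary(n: int) -> str:
    """ds:CryptoBinary: big-endian octets with leading zero octets removed, base64."""
    if n < 0:
        raise ValueError("ds:CryptoBinary holds non-negative integers only")
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")  # b'' for n == 0
    return base64.b64encode(octets).decode("ascii")


def xmldsig_dsa_signature_value(r: int, s: int) -> str:
    """dsa-sha1 SignatureValue: base64(I2OSP(r, 20) || I2OSP(s, 20)), always 40 octets."""
    raw = i2osp(r, DSA_SHA1_INT_LEN) + i2osp(s, DSA_SHA1_INT_LEN)
    return base64.b64encode(raw).decode("ascii")


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body  # DER INTEGER is signed: keep the value positive
    return b"\x02" + _der_len(len(body)) + body


def der_dsa_signature_value(r: int, s: int) -> str:
    """What a typical crypto library emits: base64(SEQUENCE { INTEGER r, INTEGER s })."""
    body = _der_integer(r) + _der_integer(s)
    return base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode("ascii")


def _read_tlv(buf: bytes, pos: int, tag: int):
    """Read one strict-DER TLV at buf[pos:]; return (value, position after it)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated")
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80:
            raise ValueError("non-minimal length (not DER)")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated")
    return buf[pos:pos + length], pos + length


def parse_der_dsa_signature(der: bytes):
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after SEQUENCE")
    r_bytes, pos = _read_tlv(seq, 0, 0x02)
    s_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("trailing data inside SEQUENCE")
    for b in (r_bytes, s_bytes):
        if not b or b[0] & 0x80:  # empty or negative: never valid for DSA
            raise ValueError("bad INTEGER")
        if len(b) > 1 and b[0] == 0 and not b[1] & 0x80:
            raise ValueError("non-minimal INTEGER (not DER)")
    return os2ip(r_bytes), os2ip(s_bytes)


def decode_signature_value(b64: str):
    """Lenient verifier input: return (r, s, "raw"|"der"), or raise ValueError."""
    octets = base64.b64decode(b64)
    if len(octets) == 2 * DSA_SHA1_INT_LEN:  # the spec's form is exactly 40 octets
        return os2ip(octets[:DSA_SHA1_INT_LEN]), os2ip(octets[DSA_SHA1_INT_LEN:]), "raw"
    r, s = parse_der_dsa_signature(octets)  # otherwise it must be a well-formed DER pair
    return r, s, "der"


def classify_signature_value(b64: str) -> str:
    try:
        return decode_signature_value(b64)[2]
    except ValueError:
        return "invalid"


# Constructed sample values (not a real signature): r has its top bit set so the
# DER INTEGER needs a leading 0x00 while I2OSP(r, 20) does not.
SAMPLE_R = (1 << 159) + 5
SAMPLE_S = 7
BAD_DER_B64 = base64.b64encode(b"\x30\x05\x02\x01\x01\x02\x01").decode()  # truncated s
```

The length check is what keeps the detection cheap: the spec's form is always exactly 40 octets for dsa-sha1, whereas the DER form of two 160-bit values is normally 44 to 48 octets. A DER pair can only shrink to 40 octets if r and s together lose at least 24 leading bits, which happens with probability around 2^-24 per signature, so a verifier that wants to be fully lenient should try the raw interpretation first and fall back to DER only when the raw one fails to verify.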