RE: ASN.1 encoding for DSA

Fri, 27 May 2005 08:48:09 -0700 

Hello again,

If my understanding of this problem is correct.  The certificate itself is 
fine, the problem is in the way the certificate has been exported into a 
transfer format.

I received the certificate as a P12, imported into the Windows key store via a 
"double click" and then at a later stage read the certificate via the 
mscryptoAPI's.

Does Microsoft or OpenSLL provide any tools/utilities that I can use to remove 
the ASN encoding of this P12?  Before I import it into the Windows key store.

All I found was that was close was..
        OpenSSL DSA -inform DER -outform PEM -in MyKey.cer -out NewKey.cer

But this command line just tells me "EXPECTING PRIVATE KEY"









-----Original Message-----
From: Cullum, Steve 
Sent: 26 May 2005 11:26
To: 'security-dev@xml.apache.org'
Subject: ASN.1 encoding for DSA

(Original thread...
RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via Win CAPI
CryptoX509 using just the PCCERT_CONTEXT cosntructor)

Does this affect TSIK -> xml-security interoperability in general or would this 
be just an isolated incident caused by the creators of my key not using 
appropriate options?

Has anyone else encountered this problem?

Can you think of a workaround?

I was thinking about calling the MSCryptoAPI functions directly - doing 
something along the lines of VeriftDetatchedSignature() against the data; 
unfortunately I don't know how to do the OpenSSL equivalent.

Lots of questions..

Thanks a lot for all the time & trouble this community is taking to help me.

Muchos appreciated...

Steve


 

-----Original Message-----
From: Milan Tomic [mailto:[EMAIL PROTECTED]
Sent: 26 May 2005 07:23
To: security-dev@xml.apache.org
Subject: RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via Win CAPI 
CryptoX509 using just the PCCERT_CONTEXT cosntructor


W3C XML Signature recommendation doesn't mention ASN.1 encoding for DSA:

http://www.w3.org/TR/xmldsig-core/#DSAKeyValue

http://www.w3.org/TR/xmldsig-core/#dsa-sha1

so I would say that proper signing procedure is not to encode DSA signature
in ASN.1 after signing and before Base64 encoding.

However, we could consider adding support for ASN.1 encoded DSA signatures
during verification process. Berin? Others?

Best regards,
Milan

Reply via email to