Berin, I have asked permission from owners of the files/keys I am using. If they agree do I have your permission to post the files to your personal mailbox.
Unfortunately I very much doubt they will agree to me posting these files on a public newsgroup. Steve -----Original Message----- From: Berin Lautenbach [mailto:[EMAIL PROTECTED] Sent: 29 May 2005 01:03 To: security-dev@xml.apache.org Subject: Re: ASN.1 encoding for DSA Steve, I don't *believe* (but I've been known time and time again to be wrong :>) that the problem is the key. The error you are getting is that the signature is expected to be 40 bytes - which it does not appear to be. That's nothing to do with the key, just that when the library has read in the signature value from the document, it has found it is the incorrect length. Do you have a sample signed XML file that you could send me? (With a cert or public key would be fantastic.) Cheers, Berin Cullum, Steve wrote: > Hello again, > > If my understanding of this problem is correct. The certificate itself is fine, the problem is in the way the certificate has been exported into a transfer format. > > I received the certificate as a P12, imported into the Windows key store via a "double click" and then at a later stage read the certificate via the mscryptoAPI's. > > Does Microsoft or OpenSLL provide any tools/utilities that I can use to remove the ASN encoding of this P12? Before I import it into the Windows key store. > > All I found was that was close was.. > OpenSSL DSA -inform DER -outform PEM -in MyKey.cer -out NewKey.cer > > But this command line just tells me "EXPECTING PRIVATE KEY" > > > > > > > > > > -----Original Message----- > From: Cullum, Steve > Sent: 26 May 2005 11:26 > To: 'security-dev@xml.apache.org' > Subject: ASN.1 encoding for DSA > > (Original thread... > RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via Win CAPI > CryptoX509 using just the PCCERT_CONTEXT cosntructor) > > Does this affect TSIK -> xml-security interoperability in general or would this be just an isolated incident caused by the creators of my key not using appropriate options? > > Has anyone else encountered this problem? > > Can you think of a workaround? > > I was thinking about calling the MSCryptoAPI functions directly - doing something along the lines of VeriftDetatchedSignature() against the data; unfortunately I don't know how to do the OpenSSL equivalent. > > Lots of questions.. > > Thanks a lot for all the time & trouble this community is taking to help me. > > Muchos appreciated... > > Steve > > > > > -----Original Message----- > From: Milan Tomic [mailto:[EMAIL PROTECTED] > Sent: 26 May 2005 07:23 > To: security-dev@xml.apache.org > Subject: RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via > Win CAPI CryptoX509 using just the PCCERT_CONTEXT cosntructor > > > W3C XML Signature recommendation doesn't mention ASN.1 encoding for DSA: > > http://www.w3.org/TR/xmldsig-core/#DSAKeyValue > > http://www.w3.org/TR/xmldsig-core/#dsa-sha1 > > so I would say that proper signing procedure is not to encode DSA > signature in ASN.1 after signing and before Base64 encoding. > > However, we could consider adding support for ASN.1 encoded DSA > signatures during verification process. Berin? Others? > > Best regards, > Milan > >
