My mailbox is fine - and I don't need the private keys - just the public ones.

Cheers,
        Berin

Cullum, Steve wrote:
Berin,

I have asked permission from owners of the files/keys I am using.  If they
agree do I have your permission to post the files to your personal mailbox.

Unfortunately I very much doubt they will agree to me posting these files on
a public newsgroup.

Steve
-----Original Message-----
From: Berin Lautenbach [mailto:[EMAIL PROTECTED]
Sent: 29 May 2005 01:03
To: security-dev@xml.apache.org
Subject: Re: ASN.1 encoding for DSA

Steve,

I don't *believe* (but I've been known time and time again to be wrong
:>) that the problem is the key.  The error you are getting is that the
signature is expected to be 40 bytes - which it does not appear to be.
That's nothing to do with the key, just that when the library has read in
the signature value from the document, it has found it is the incorrect
length.

Do you have a sample signed XML file that you could send me?  (With a cert
or public key would be fantastic.)

Cheers,
        Berin

Cullum, Steve wrote:

Hello again,

If my understanding of this problem is correct, the certificate itself is
fine, the problem is in the way the certificate has been exported into a
transfer format.

I received the certificate as a P12, imported into the Windows key store
via a "double click" and then at a later stage read the certificate via the
mscryptoAPI's.

Does Microsoft or OpenSSL provide any tools/utilities that I can use to
remove the ASN encoding of this P12?  Before I import it into the Windows
key store.

All I found that was close was..
        OpenSSL DSA -inform DER -outform PEM -in MyKey.cer -out NewKey.cer

But this command line just tells me "EXPECTING PRIVATE KEY"

-----Original Message-----
From: Cullum, Steve
Sent: 26 May 2005 11:26
To: 'security-dev@xml.apache.org'
Subject: ASN.1 encoding for DSA

(Original thread...
RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via Win CAPI
CryptoX509 using just the PCCERT_CONTEXT constructor)

Does this affect TSIK -> xml-security interoperability in general or would
this be just an isolated incident caused by the creators of my key not using
appropriate options?

Has anyone else encountered this problem?

Can you think of a workaround?

I was thinking about calling the MSCryptoAPI functions directly - doing
something along the lines of VerifyDetachedSignature() against the data;
unfortunately I don't know how to do the OpenSSL equivalent.

Lots of questions..

Thanks a lot for all the time & trouble this community is taking to help
me.

Muchos appreciated...

Steve

-----Original Message-----
From: Milan Tomic [mailto:[EMAIL PROTECTED]
Sent: 26 May 2005 07:23
To: security-dev@xml.apache.org
Subject: RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via Win CAPI CryptoX509 using just the PCCERT_CONTEXT constructor

W3C XML Signature recommendation doesn't mention ASN.1 encoding for DSA:

http://www.w3.org/TR/xmldsig-core/#DSAKeyValue

http://www.w3.org/TR/xmldsig-core/#dsa-sha1

so I would say that proper signing procedure is not to encode DSA signature in ASN.1 after signing and before Base64 encoding.

However, we could consider adding support for ASN.1 encoded DSA signatures during verification process. Berin? Others?

Best regards,
Milan
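
The 40-byte length Berin refers to is the raw r||s form XMLDSig specifies for DSA-SHA1 (20 bytes each), whereas an ASN.1 DER SEQUENCE of two INTEGERs usually comes out at 46 or 47 bytes, which is exactly the mismatch in this thread. The following is an added example, not code from this thread or from xml-security-c, of the conversion a verifier would apply to accept the DER form Milan mentions; it assumes a 160-bit q (so r and s fit in 20 bytes) and rejects anything it cannot parse instead of guessing.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Parse one DER INTEGER at der[pos] and copy its magnitude, left-padded
// with zeros, into out20 (20 bytes). Returns false on malformed input.
static bool readDerInt(const std::vector<uint8_t>& der, size_t& pos, uint8_t* out20) {
    if (pos + 2 > der.size() || der[pos] != 0x02) return false;
    size_t len = der[pos + 1];
    if (len == 0 || len > 0x7f || pos + 2 + len > der.size()) return false; // short-form length only
    size_t start = pos + 2;
    if (der[start] & 0x80) return false;                 // r and s are positive; a negative INTEGER is bogus
    if (der[start] == 0x00 && len > 1) { ++start; --len; } // drop the pad byte DER adds when the high bit is set
    if (len > 20) return false;                          // wider than a 160-bit q allows
    for (size_t i = 0; i < 20; ++i) out20[i] = 0;
    for (size_t i = 0; i < len; ++i) out20[20 - len + i] = der[start + i];
    pos = start + len;
    return true;
}

// SEQUENCE { INTEGER r, INTEGER s }  ->  40 raw bytes r||s as XMLDSig expects.
bool derToRawDsa(const std::vector<uint8_t>& der, std::vector<uint8_t>& raw) {
    raw.assign(40, 0);
    if (der.size() < 2 || der[0] != 0x30 || der[1] > 0x7f || der[1] + 2u != der.size()) return false;
    size_t pos = 2;
    if (!readDerInt(der, pos, raw.data())) return false;
    if (!readDerInt(der, pos, raw.data() + 20)) return false;
    return pos == der.size();  // no trailing bytes allowed
}

// Constructed sample (not a real signature): r has its high bit set, so DER
// stores it as a 21-byte INTEGER with a 0x00 pad; s is only 19 bytes because
// DER drops leading zeros, so the raw form has to left-pad it back to 20.
std::vector<uint8_t> sampleDerSignature() {
    std::vector<uint8_t> der = {0x30, 0x2c, 0x02, 0x15, 0x00, 0x80};
    der.insert(der.end(), 19, 0x01);
    der.push_back(0x02); der.push_back(0x13); der.push_back(0x7f);
    der.insert(der.end(), 18, 0x02);
    return der;
}
```

Running the converter on that 46-byte sample yields the 40-byte value the library was expecting; a truncated or otherwise malformed DER blob is refused rather than silently zero-padded.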
