santuario-dev mailing list archives

From "Jesse Pelton" <...@PKC.com>
Subject RE: XML-Security-C with OpenSSL overly strict about base64 line lengths
Date Mon, 21 Mar 2005 13:16:28 GMT
That looks like it should solve the problem.  I didn't actually try it
out, because I'm trying to stay as close as I can to released code, and
the change you checked in is more extensive than my simple-minded one.

My apologies for not checking CVS first.  But maybe it's for the best;
I'm inclined to think the XSCryptCryptoBase64 approach is better, too.
That could just be foolish pride speaking, so here's some rationale:

- I'm a big fan of consistency.  It simplifies understanding and
maintenance.  This would suggest that
WinCAPICryptoKeyRSA::verifySHA1PKCS1Base64Signature() and
OpenSSLCryptoKeyRSA::verifySHA1PKCS1Base64Signature() should use the
same approach, and the former already uses XSCryptCryptoBase64.  (It
could be modified to match the latter, of course.  See the next
point...)
- Using XSCryptCryptoBase64 is simpler to implement and maintain because
it uses a pre-existing class rather than adding a new function.
- It looks to me like using XSCryptCryptoBase64 avoids an unnecessary
memory allocation and copy, which may mean it's more efficient.


> -----Original Message-----
> From: Berin Lautenbach [mailto:berin@wingsofhermes.org]
> Sent: Saturday, March 19, 2005 9:28 PM
> To: security-dev@xml.apache.org
> Subject: Re: XML-Security-C with OpenSSL overly strict about base64 line lengths
> 
> Jesse Pelton wrote:
> 
> > OpenSSLCryptoKeyRSA::verifySHA1PKCS1Base64Signature() uses OpenSSL's
> > EVP_Decode...() routines to decode the base64 contents of
> > SignatureValue.  This fails if line breaks don't occur where OpenSSL
> > thinks they should.  I think this is contrary to the specification (see
> > rationale below), and that this function should use XSCryptCryptoBase64,
> > as WinCAPICryptoKeyRSA::verifySHA1PKCS1Base64Signature() does, rather
> > than the EVP_Decode...() routines.
> 
> Can you have a look at the code in CVS and let me know what you think?
> I fixed this a few months ago as I ran into the same problem.  But in
> this case, rather than use XSCryptCryptoBase64 I now "clean" the buffer
> and still let OpenSSL do it.  I suspect the better approach is as you
> propose - just use XSCryptCryptoBase64, but for some reason I decided to
> get fancy.
> 
> Cheers,
> 	Berin
> 

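The two approaches discussed in this thread, as an added example that is not code from the thread or from XML-Security-C: a whitespace-stripping "clean" step that lets a decoder which is particular about line breaks (such as the OpenSSL EVP_Decode...() routines Jesse describes) accept the data, and a decoder that tolerates line breaks wherever they fall, which is what XML Schema's base64Binary lexical form permits for ds:SignatureValue. Function and struct names are assumptions for this example and the sample input is constructed.

```cpp
#include <cctype>
#include <string>

// Strip all whitespace (CR, LF, tab, space) from base64 text: the "clean the
// buffer" step from the thread. Once line breaks are gone, a decoder that is
// particular about line length has nothing left to object to.
std::string cleanBase64(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (unsigned char c : in)
        if (!std::isspace(c)) out.push_back(static_cast<char>(c));
    return out;
}

struct DecodeResult {
    bool ok;            // false on a bad character or a malformed tail
    std::string bytes;  // decoded octets (binary-safe, may contain NULs)
};

// Base64 decoder that ignores whitespace wherever it falls, as XML Schema
// base64Binary (and therefore ds:SignatureValue) allows. Written for this
// example; it is not the XSCryptCryptoBase64 class from XML-Security-C.
DecodeResult decodeBase64Lenient(const std::string& in) {
    static const std::string alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    DecodeResult r{true, ""};
    unsigned acc = 0;   // unflushed bits, fewer than 8 after each step
    int bits = 0, pad = 0;
    for (unsigned char c : in) {
        if (std::isspace(c)) continue;            // never an error here
        if (c == '=') { ++pad; continue; }
        if (pad) { r.ok = false; break; }         // data after '=' is malformed
        auto v = alphabet.find(static_cast<char>(c));
        if (v == std::string::npos) { r.ok = false; break; }
        acc = (acc << 6) | static_cast<unsigned>(v);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            r.bytes.push_back(static_cast<char>((acc >> bits) & 0xFF));
            acc &= (1u << bits) - 1;              // keep only leftover bits
        }
    }
    // One dangling sextet or more than two '=' cannot come from valid input.
    if (bits == 6 || pad > 2) r.ok = false;
    return r;
}
```

Either cleanBase64() followed by a strict decoder, or decodeBase64Lenient() on its own, accepts a SignatureValue whose line breaks sit at arbitrary positions; the consistency argument in the thread is about picking one of the two for every key class.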