santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cullum, Steve" <steven.cul...@eds.com>
Subject RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via Win CAPI CryptoX509 using just the PCCERT_CONTEXT cosntructor
Date Tue, 24 May 2005 13:00:39 GMT
Hi Milan - thanks for your reply....

1) The signature was created by the TSIK library (coincedentally being discussed on this mailing
list as we speak) 

2) The public key is 1024bits DSA

3) From what I have read on the internet - quoted from

http://groups-beta.google.com/group/sci.crypt/browse_frm/thread/e22197dbb8c326ef/062547ce36c4e085?q=DSA+signature+length+46&rnum=5&hl=en#062547ce36c4e085

"The DSA signature itself is always 40 bytes, regardless of the data. 
But the common asn.1 encoding for it is very strange, and expands 
the signature to 44-48 bytes. Sometimes less, but nearly always in 
that range. Plus another 3 bytes for bitstring encoding." 

I am no expert on this matter and quite frankly the maths involved in deriving the key length
is out of my comprehension, which really translates to "even armed with this information I
am not really sure how to go about enabling xml-security to verify my signature.."

Can anyone offer any guidance...

Thanks

Steve





-----Original Message-----
From: Milan Tomic [mailto:milan@setcce.org] 
Sent: 24 May 2005 08:34
To: security-dev@xml.apache.org
Subject: RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via Win CAPI CryptoX509
using just the PCCERT_CONTEXT cosntructor

Hi Steve,

Just to clear things:

1. You are verifying DSA signatures created by some other app/lib/person and not by you using
Apache XSEC C++ lib?

2. DSA key length used for that signature != 1024 bits?

Best regards,
Milan


> -----Original Message-----
> From: Cullum, Steve [mailto:steven.cullum@eds.com]
> Sent: Monday, May 23, 2005 7:54 PM
> To: 'security-dev@xml.apache.org'
> Subject: RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via 
> Win CAPI CryptoX509 using just the PCCERT_CONTEXT cosntructor
> 
> 
> Ooops..
> 
> My last post didn't actually make a point...
> 
> Q) Is it a limitation in xml-security to only allow keys of length 40.
> 
> The following thread - discusses this topic in more detail...
> 
> http://groups-beta.google.com/group/microsoft.public.platforms
> dk.security/br
> owse_frm/thread/b24b3cfdeac53dd1/ea4a951d04202694?q=DSA+signat
> ure+length+46&
> rnum=15&hl=en#ea4a951d04202694
> 
> -----Original Message-----
> From: Cullum, Steve
> Sent: 23 May 2005 16:52
> To: 'security-dev@xml.apache.org'
> Subject: RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via 
> Win CAPI CryptoX509 using just the PCCERT_CONTEXT cosntructor
> 
> 
> Berin,
> 
> Using the latest version of xml-security from CVS - I can clone the 
> X509 cert using WINCAPI but I get errors during
> sig->validate() regarding and invalid signature.  I tried the
> same sequence of code using the OpenSSL providers and got something 
> very similar.
> 
> Using WINCAPI - the message 
> 	An error occured in the XML-Security-C Crypto routines
> 	Message: WinCAPI:DSA::VerifyBase64Signature - Expect 40 bytes in a 
> DSA signature
> 
> Using OPENSSL - the message
> 	An error occured in the XML-Security-C Crypto routines
>    	Message: OpenSSL:DSA - Signature Length incorrect
> 
> (*) Do these errors relate to the certificte or the signature in the 
> XML document?
> 
> (*) For the OpenSSL test, I exported the key as a BASE64 DER encoded 
> certificate and manually removed the ----BEGIN
> CERTIFICATE---- and ----END
> CERTIFICATE---- headers.  Was this the correct thing to do?
> 
> 
> 
> bool WinCAPICryptoKeyDSA::verifyBase64Signature(unsigned char
> * hashBuf, unsigned int hashLen, char * base64Signature, unsigned int 
> sigLen) {
>   .. hashBuf= [data]
>   .. hashLen= 20
>   .. base64Signature
> "MCwCFFiTYY7/B+tYizrqccMZJKVQC6RyAhQUoVXtXfNUVEFZlaE3USajTEqUzQ=="
>   .. sigLen= 64
> 
>   b64.decodeInit();
>   rawSigLen = b64.decode((unsigned char *) base64Signature, sigLen, 
> rawSig, sigLen);
>   rawSigLen += b64.decodeFinish(&rawSig[rawSigLen], sigLen - 
> rawSigLen);
> 
>   .. rawSigLen = 46
> 
>   if (rawSigLen != 40)
>   {
> 	throw XSECCryptoException(XSECCryptoException::DSAError,
>       "WinCAPI:DSA::VerifyBase64Signature - Expect 40 bytes in a DSA 
> signature");
>   }
> }
> 
> 
> 
> 
> //
> // validate.cpp : Defines the entry point for the console application. 
> // #include "stdafx.h"
> 
> #include "IOStreamOutputter.hpp"
> 
> #define USE_WINCAPI
> 
> // XML-Security-C (XSEC)
> #pragma comment (lib, "crypt32.lib")
> #pragma comment (lib, "xerces-c_2D.lib") #pragma comment (lib, 
> "xsec_1D.lib")
> 
> 
> #include <xsec/framework/XSECProvider.hpp> #include 
> <xsec/dsig/DSIGReference.hpp>
> 
> #ifdef USE_WINCAPI
>   #include <xsec/enc/WinCAPI/WinCAPICryptoKeyHMAC.hpp>
>   #include <xsec/enc/WinCAPI/WinCAPICryptoProvider.hpp>
>   #include <xsec/enc/WinCAPI/WinCAPICryptoX509.hpp>
> #endif
> 
> #ifdef USE_OPENSSL
>   #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyHMAC.hpp>
>   #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
>   #include <xsec/enc/XSECCryptoException.hpp>
> #endif // USE_OPENSSL
> 
> #include <xsec/framework/XSECException.hpp>
> #include <xsec/enc/XSECCryptoException.hpp>
> 
> // Xerces
> #include <xercesc/util/PlatformUtils.hpp> #include 
> <xercesc/parsers/XercesDOMParser.hpp>
> #include <xercesc/framework/MemBufInputSource.hpp>
> 
> 
> #if defined(_WIN32)
> #	include <xsec/utils/winutils/XSECURIResolverGenericWin32.hpp>
> #else
> #	include <xsec/utils/unixutils/XSECURIResolverGenericUnix.hpp>
> #endif
> 
> 
> XERCES_CPP_NAMESPACE_USE
> 
> TCHAR *docToValidate = 0x00;
> #define IDATTRIBUTENS    
> "http://schemas.xmlsoap.org/ws/2002/07/utility" 
> #define IDATTRIBUTENAME  "Id"
> #define MY_TYPE          (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)
> #define SIGNER_NAME      L"MYSIGNER"
> #define CERT_STORE_NAME  L"MY"
> 
> void ReadFile(TCHAR *fileName, TCHAR **chars, DWORD *len /* in TCHARS 
> */) {
>   DWORD bytesRead = 0;
>   HANDLE hfp = CreateFile(fileName, GENERIC_READ, FILE_SHARE_READ, 
> NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
>   *len = GetFileSize(hfp, NULL);
> 
>   *len /= sizeof(TCHAR); // convert length from bytes to TCHAR's
>   *chars = (TCHAR *)malloc(*len * sizeof(TCHAR)); // dont mul by
> sizeof(TCHAR)
>   ReadFile(hfp, (LPVOID)*chars, *len * sizeof(TCHAR), &bytesRead, 
> NULL);
>   CloseHandle(hfp);
> }
> 
> 
> int main (int argc, char **argv) {
> 
>   try 
>   {
>     XMLPlatformUtils::Initialize();
>     XSECPlatformUtils::Initialise();
>   }
>   catch (const XMLException &e)
>   {
>     cerr << "Error during initialisation of Xerces" << endl;
>     cerr << "Error Message = : " << e.getMessage() << endl;
>   }
> 
>   // Use xerces to parse the document
>   XercesDOMParser * parser = new XercesDOMParser;
>   parser->setDoNamespaces(true);
>   parser->setCreateEntityReferenceNodes(true);
>   parser->setDoSchema(true);
> 
>   // Create an input source
>   DWORD len = 0;
>   ReadFile(_T("c:\\apache\\signedxml\\nocert.xml"),
> &docToValidate, &len);
>   MemBufInputSource* memIS = new MemBufInputSource ((const
> XMLByte*) docToValidate, (unsigned int) len, "XSECMem");
> 
>   parser->parse(*memIS);
>   int errorCount = parser->getErrorCount();
>   if (errorCount > 0) {
>     cerr << "Error parsing input document\n";
>     exit (1);
>   }
> 
>   DOMDocument *doc = parser->getDocument();
>   docSetup(doc);
> 
>   // Now create a signature object to validate the document
>   XSECProvider prov;
>  
>   DSIGSignature * sig = prov.newSignatureFromDOM(doc);
> 
>   // Register defined attribute name
>   sig->registerIdAttributeName(MAKE_UNICODE_STRING("ID"));
>   sig->registerIdAttributeNameNS(MAKE_UNICODE_STRING(IDATTRIBUTENS),
> MAKE_UNICODE_STRING(IDATTRIBUTENAME));
> 
>   try 
>   {
> #ifdef USE_WINCAPI
>     HCERTSTORE     certStore = NULL;
>     PCCERT_CONTEXT certContext = NULL;
> 
>     certStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, 
> CERT_SYSTEM_STORE_CURRENT_USER, CERT_STORE_NAME);
>     if(certStore == NULL)
>     {
>       cout << "Certificate store cannot be opened\n";
>       exit (1);
>     }
> 
>     // find signer's certificate. -- this certificate must have access 
> to the signer's private key.
>     certContext = CertFindCertificateInStore(certStore,
> MY_TYPE, 0, CERT_FIND_SUBJECT_STR, SIGNER_NAME, NULL);
>     if(certContext == NULL)
>     {
>       cout << "unable to find signers certificate\n";
>       exit (1);
>     }
> 
>     WinCAPICryptoProvider * cp = new
> WinCAPICryptoProvider(NULL, NULL, CRYPT_MACHINE_KEYSET);
>     XSECPlatformUtils::SetCryptoProvider(cp);
>     WinCAPICryptoX509 * x509 = new WinCAPICryptoX509(certContext,
> cp->getProviderRSA(), cp->getProviderDSS());
> #endif // USE_WINCAPI
> 
> #ifdef USE_OPENSSL    
>     OpenSSLCryptoX509 * x509 = new OpenSSLCryptoX509();
>     TCHAR *b64;
>     DWORD b64Len;
>     ReadFile(_T("c:\\apache\\signedxml\\nocert.cer"), &b64, &b64Len);
>     x509->loadX509Base64Bin(b64, (unsigned int) b64Len); #endif // 
> USE_OPENSSL
> 
>     // in my XML file i have no keyinfo
>     sig->load();
>     sig->setSigningKey(x509->clonePublicKey());
> 
>     if (sig->verify()) 
>     {
>       cout << "Signature Valid\n";
>     }
>     else 
>     {
>       char * err = XMLString::transcode(sig->getErrMsgs());
>       cout << "Incorrect Signature\n";
>       cout << err << endl;
>       XSEC_RELEASE_XMLCH(err);
>     }
>   }
>   catch (XSECException &e)
>   {
>     cerr << "An error occured during a signature load\n   
> Message: " <<
> e.getMsg() << endl;
>     exit(1);
>   }
>   catch (XSECCryptoException &e) {
>     cerr << "An error occured in the XML-Security-C Crypto routines\n
> Message: " << e.getMsg() << endl;
>     exit(1);
>   }
> 
>   // Clean up
> 
>   delete memIS;
>   delete parser;
> 
>   return 0;
> }
> 
> 
> 
> 
> 
>  
> 


Mime
View raw message