santuario-dev mailing list archives

From "Cullum, Steve" <steven.cul...@eds.com>
Subject RE: ASN.1 encoding for DSA
Date Fri, 27 May 2005 15:46:59 GMT
Hello again,

If my understanding of this problem is correct, the certificate itself is fine; the problem
is in the way the certificate has been exported into a transfer format.

I received the certificate as a P12, imported into the Windows key store via a "double click"
and then at a later stage read the certificate via the mscryptoAPI's.

Does Microsoft or OpenSSL provide any tools/utilities that I can use to remove the ASN encoding
of this P12 before I import it into the Windows key store?

All I found that was close was:
	OpenSSL DSA -inform DER -outform PEM -in MyKey.cer -out NewKey.cer

But this command line just tells me "EXPECTING PRIVATE KEY"

-----Original Message-----
From: Cullum, Steve 
Sent: 26 May 2005 11:26
To: 'security-dev@xml.apache.org'
Subject: ASN.1 encoding for DSA

(Original thread...
RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via Win CAPI
CryptoX509 using just the PCCERT_CONTEXT constructor)

Does this affect TSIK -> xml-security interoperability in general or would this be just
an isolated incident caused by the creators of my key not using appropriate options?

Has anyone else encountered this problem?

Can you think of a workaround?

I was thinking about calling the MSCryptoAPI functions directly - doing something along the
lines of VerifyDetachedSignature() against the data; unfortunately I don't know how to do
the OpenSSL equivalent.

Lots of questions..

Thanks a lot for all the time & trouble this community is taking to help me.

Muchos appreciated...

Steve


 

-----Original Message-----
From: Milan Tomic [mailto:milan@setcce.org]
Sent: 26 May 2005 07:23
To: security-dev@xml.apache.org
Subject: RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via Win CAPI CryptoX509
using just the PCCERT_CONTEXT constructor


W3C XML Signature recommendation doesn't mention ASN.1 encoding for DSA:

http://www.w3.org/TR/xmldsig-core/#DSAKeyValue

http://www.w3.org/TR/xmldsig-core/#dsa-sha1

so I would say that proper signing procedure is not to encode DSA signature
in ASN.1 after signing and before Base64 encoding.

However, we could consider adding support for ASN.1 encoded DSA signatures
during verification process. Berin? Others?

Best regards,
Milan
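
The verification-side tolerance raised in the last message, as an added example (not code from xml-security-c or from anyone in this thread): converting a DER-encoded DSA signature, SEQUENCE { INTEGER r, INTEGER s }, into the 40-byte r||s octet string that the XML Signature dsa-sha1 algorithm expects before Base64 encoding. The function names are hypothetical and a 160-bit q is assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Read one DER INTEGER at der[pos] and write it right-aligned into a 20-byte
// field at out[off]. Returns false on malformed, negative or oversized input.
static bool readInt20(const Bytes& der, size_t& pos, Bytes& out, size_t off) {
    if (pos + 2 > der.size() || der[pos] != 0x02) return false;  // INTEGER tag
    size_t len = der[pos + 1];
    pos += 2;
    if (len == 0 || len > 21 || pos + len > der.size()) return false;
    if (der[pos] & 0x80) return false;             // negative: not a valid r or s
    if (len > 1 && der[pos] == 0x00) {             // DER sign-padding byte
        if (!(der[pos + 1] & 0x80)) return false;  // non-minimal encoding
        ++pos; --len;
    }
    if (len > 20) return false;                    // does not fit a 160-bit value
    for (size_t i = 0; i < len; ++i) out[off + 20 - len + i] = der[pos + i];
    pos += len;
    return true;
}

// Convert DER SEQUENCE { INTEGER r, INTEGER s } to the 40-byte r||s form.
// Short-form lengths only: a 160-bit DSA signature is at most 48 bytes of DER.
bool derDsaToXmlDsig(const Bytes& der, Bytes& out) {
    if (der.size() < 8 || der[0] != 0x30) return false;          // SEQUENCE tag
    if ((der[1] & 0x80) || size_t(der[1]) != der.size() - 2) return false;
    out.assign(40, 0x00);
    size_t pos = 2;
    return readInt20(der, pos, out, 0) && readInt20(der, pos, out, 20)
        && pos == der.size();                                     // no trailing bytes
}

int main() {
    // Constructed sample, not a real signature: r = 0x81, s = 0x1234.
    Bytes der = {0x30, 0x08, 0x02, 0x02, 0x00, 0x81, 0x02, 0x02, 0x12, 0x34};
    Bytes out;
    if (!derDsaToXmlDsig(der, out)) return 1;
    for (uint8_t b : out) std::printf("%02x", b);
    std::printf("\n");
    return 0;
}
```

A verifier that wants to accept both forms can try this conversion first and fall back to treating the decoded SignatureValue as raw r||s when it returns false.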
