santuario-dev mailing list archives

From Berin Lautenbach <be...@wingsofhermes.org>
Subject Re: ASN.1 encoding for DSA
Date Thu, 02 Jun 2005 09:46:14 GMT
My mailbox is fine - and I don't need the private keys - just the public 
ones.

Cheers,
	Berin

Cullum, Steve wrote:
> Berin,
> 
> I have asked permission from owners of the files/keys I am using.  If they
> agree, do I have your permission to post the files to your personal mailbox?
> 
> Unfortunately I very much doubt they will agree to me posting these files on
> a public newsgroup.
> 
> Steve 
> 
> -----Original Message-----
> From: Berin Lautenbach [mailto:berin@wingsofhermes.org] 
> Sent: 29 May 2005 01:03
> To: security-dev@xml.apache.org
> Subject: Re: ASN.1 encoding for DSA
> 
> Steve,
> 
> I don't *believe* (but I've been known time and time again to be wrong
> :>) that the problem is the key.  The error you are getting is that the
> signature is expected to be 40 bytes - which it does not appear to be. 
> That's nothing to do with the key, just that when the library has read in
> the signature value from the document, it has found it is the incorrect
> length.
> 
> Do you have a sample signed XML file that you could send me?  (With a cert
> or public key would be fantastic.)
> 
> Cheers,
> 	Berin
> 
> Cullum, Steve wrote:
> 
>>Hello again,
>>
>>If my understanding of this problem is correct, the certificate itself is
>>fine; the problem is in the way the certificate has been exported into a
>>transfer format.
>>
>>I received the certificate as a P12, imported into the Windows key store
>>via a "double click" and then at a later stage read the certificate via the
>>mscryptoAPI's.
>>
>>Does Microsoft or OpenSSL provide any tools/utilities that I can use to
>>remove the ASN encoding of this P12 before I import it into the Windows
>>key store?
>>
>>All I found that was close was..
>>	OpenSSL DSA -inform DER -outform PEM -in MyKey.cer -out NewKey.cer
>>
>>But this command line just tells me "EXPECTING PRIVATE KEY"
>>
>>-----Original Message-----
>>From: Cullum, Steve
>>Sent: 26 May 2005 11:26
>>To: 'security-dev@xml.apache.org'
>>Subject: ASN.1 encoding for DSA
>>
>>(Original thread...
>>RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via Win CAPI
>>CryptoX509 using just the PCCERT_CONTEXT cosntructor)
>>
>>Does this affect TSIK -> xml-security interoperability in general or would
>>this be just an isolated incident caused by the creators of my key not using
>>appropriate options?
>>
>>Has anyone else encountered this problem?
>>
>>Can you think of a workaround?
>>
>>I was thinking about calling the MSCryptoAPI functions directly - doing
>>something along the lines of VeriftDetatchedSignature() against the data;
>>unfortunately I don't know how to do the OpenSSL equivalent.
>>
>>Lots of questions..
>>
>>Thanks a lot for all the time & trouble this community is taking to help
>>me.
>>
>>Muchos appreciated...
>>
>>Steve
>>
>>
>> 
>>
>>-----Original Message-----
>>From: Milan Tomic [mailto:milan@setcce.org]
>>Sent: 26 May 2005 07:23
>>To: security-dev@xml.apache.org
>>Subject: RE: XML Security-C:: HCRYPTPROV DSS/RSA providers not set via 
>>Win CAPI CryptoX509 using just the PCCERT_CONTEXT cosntructor
>>
>>
>>W3C XML Signature recommendation doesn't mention ASN.1 encoding for DSA:
>>
>>http://www.w3.org/TR/xmldsig-core/#DSAKeyValue
>>
>>http://www.w3.org/TR/xmldsig-core/#dsa-sha1
>>
>>so I would say that proper signing procedure is not to encode DSA 
>>signature in ASN.1 after signing and before Base64 encoding.
>>
>>However, we could consider adding support for ASN.1 encoded DSA 
>>signatures during verification process. Berin? Others?
>>
>>Best regards,
>>Milan
>>
>>
> 
> 
> 
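The thread turns on two encodings of the same DSA signature: the 40-byte r||s value that the dsa-sha1 SignatureValue carries, and the ASN.1 DER form SEQUENCE { INTEGER r, INTEGER s } that some toolkits emit. The following is an added example, not part of the thread and not XML-Security-C code, showing a strict conversion from the DER form to the 40-byte form; the function names and the sample bytes are constructed for illustration, and it assumes 160-bit r and s.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PART 20   /* r and s are 160 bits each for dsa-sha1 */

/* Read one DER INTEGER (short-form length) and left-pad it to 20 bytes. */
static int read_int20(const unsigned char **p, const unsigned char *end,
                      unsigned char *out)
{
    const unsigned char *q = *p;
    size_t n;
    if (end - q < 2 || q[0] != 0x02) return -1;        /* INTEGER tag */
    n = q[1]; q += 2;
    if (n == 0 || n > 0x7f || (size_t)(end - q) < n) return -1;
    if (q[0] & 0x80) return -1;                        /* negative value */
    if (n > 1 && q[0] == 0x00) { q++; n--; }           /* DER sign-padding byte */
    if (n > PART) return -1;                           /* wider than 160 bits */
    memset(out, 0, PART);
    memcpy(out + PART - n, q, n);
    *p = q + n;
    return 0;
}

/* DER SEQUENCE { INTEGER r, INTEGER s } -> 40-byte r||s. 0 = ok, -1 = malformed.
 * The SEQUENCE length must be short-form and cover the input exactly. */
int dsa_der_to_xmldsig(const unsigned char *der, size_t len, unsigned char *out)
{
    const unsigned char *p = der, *end = der + len;
    if (len < 2 || p[0] != 0x30 || p[1] > 0x7f || (size_t)p[1] != len - 2) return -1;
    p += 2;
    if (read_int20(&p, end, out) || read_int20(&p, end, out + PART)) return -1;
    return p == end ? 0 : -1;
}

/* Constructed sample: r has its top bit set (so DER prepends 0x00), s is 19 bytes. */
static const unsigned char sample_der[] = {
    0x30, 0x2c,
    0x02, 0x15, 0x00, 0x80, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
    0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
    0x02, 0x13, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a,
    0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33
};

int main(void)
{
    unsigned char raw[2 * PART];
    int rc = dsa_der_to_xmldsig(sample_der, sizeof sample_der, raw);
    printf("rc=%d, %zu DER bytes -> %d raw bytes\n", rc, sizeof sample_der, 2 * PART);
    return rc ? 1 : 0;
}
```

The DER form varies in length (46 bytes for this sample) because of sign padding and stripped leading zeros, which is why a verifier that expects exactly 40 bytes rejects it.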
