santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lopez Cantero, Sergio" <SLCANT...@sadiel.es>
Subject RE: Remote private key
Date Wed, 06 Aug 2008 06:12:59 GMT
This is because before you sign it, you have to encode in DER the digest with something like:

(Using bouncycastle classes)

      public static byte[] doDER(byte[] data) throws IOException {

//This OID is for SHA1 only

            String hashOID = 1.3.14.3.2.26;

            DigestInfo dInfo = new DigestInfo(new AlgorithmIdentifier(

                        new DERObjectIdentifier(hashOID), null), data);

            return dInfo.getEncoded(ASN1Encodable.DER);

      }

I recommend sending the digested hash, not the entire byte secuence, so you can do DER  it
and sign it with "NONEwithRSA" algorithm afterwards.

De: Legido Martínez, Isidoro [mailto:islegmar@gmail.com] 
Enviado el: martes, 05 de agosto de 2008 23:21
Para: security-dev@xml.apache.org
Asunto: Re: Remote private key

 

Hi:

I'm still having problems. After building the Signature element (everything but the SignatureValue
element) I execute:

  [Server side]
  XMLSignature sig = .... -> It uses http://www.w3.org/2000/09/xmldsig#rsa-sha1 as signature
method
  sig.getSignedInfo().generateDigestValues();
  byte[] data2Sign = sig.getSignedInfo().getCanonicalizedOctetStream();

then, the Server sends 'data2Sign' to the Client (encoded) and the client executes

[Client side]
  PrivateKey pKey = ....
  Signature signature = Signature.getInstance("SHA1withRSA");
  signature.initSign(privateKey);
  signature.update(data2Sign); --> data2Sign is the decoded data received from the Server
  byte[] dataSigned =  signature.sign();

then, the Client sends back to the Server 'dataSigned' (encoded) and the server adds it to
the SignatureValue element (decoded). 

But the signature build this way is not valid :-( If I execute XMLSignature.sign() directly,
the signature I get is different. What I'm doing wrong? 

As you can see, the server sends directly the C14N data, not the digested one. I have also
tried digesting it before with the same result. In fact, I am doing the same that XMLSignature.sign()'s
method, so I can't see where the problem is.

Does anybody have an idea?

Thanks a lot

Isi




2008/7/29 Lopez Cantero, Sergio <SLCANTERO@sadiel.es>

As far as I know, yes, you have to digest them "by hand"

 

I hope to have helped you.

 

Sergio

 


 

	De: Legido Martínez, Isidoro [mailto:islegmar@gmail.com] 
	Enviado el: martes, 29 de julio de 2008 8:41

	
	Para: security-dev@xml.apache.org

	Asunto: Re: Remote private key

	 

	Thanks
	
	So, how can I get the digested value? Do I have to digest them "by hand"?
	
	Thanks
	
	Isi

	2008/7/29 Lopez Cantero, Sergio <SLCANTERO@sadiel.es>

	Hi Isidoro, 

	getCanonicalizedOctetStream returns the bytes you have to digest, not the digested data,
so that's the difference.

	Concerning the way to put back the signature, you can get the signature element and search
through the DOM for the SignatureValue Element to fill its contents.

	I'm doing something like that ;)

	 

	Sergio

	 

	De: Legido Martínez, Isidoro [mailto:islegmar@gmail.com] 
	Enviado el: lunes, 28 de julio de 2008 21:45
	Para: security-dev@xml.apache.org
	Asunto: Remote private key

	 

	Hi everybody:
	
	Firs, I will try to explain my current situation (sorry in advanced for my poor English :-(
). My signing system is splitted in two pieces: a lightweith client that owns the private
key and ONLY can sign (no digest) and the server side that does everything else EXCEPT signing
(digest, add Manifest elements or aditional References). 
	My initial idea was: the server side builds the SignedInfo elements, get its digest and send
it to the client. The client signs and send the result to the server, which adds this to the
SignedInfo. Is that possible withe the current implementation? 
	I expected that
	
	  SignedInfo si.generateDigestValues();
	  String digest = Base64.encode(si.getCanonicalizedOctetStream());
	
	'digest' would contain the digest value in Base64, but what I get is something different.
How can I get the digest? After signing, is there any way for adding it to SignInfo.
	
	Thanks a lot
	
	Isi

	
	
	
	-- 
	,-""""""-.
	/\j__/\ ( \`--.
	\`@_@'/ _) >--.`.
	_{.:Y:_}_{{_,' ) )
	{_}`-^{_} ``` (_/




-- 
,-""""""-.
/\j__/\ ( \`--.
\`@_@'/ _) >--.`.
_{.:Y:_}_{{_,' ) )
{_}`-^{_} ``` (_/


Mime
View raw message