[xmlsec] Troubles using XMLSec with Smart Cards
Aleksey Sanin
aleksey at aleksey.com
Wed Jul 23 13:48:23 PDT 2003
When you are calculating an RSA signature, usually you RSA encrypt
not the plain SHA1 digest (20 bytes) but some additional
data too. For example, the XMLDSig spec [1] says that for XMLDSig
the RSA signature should be calculated as follows (this is
called PKCS1_v1_5 format btw):

    CRYPT (PAD (ASN.1 (OID, DIGEST)))

where CRYPT means RSA encryption and DIGEST is the 20-byte
SHA1 digest. The total size of the encrypted data should match
the RSA key size.

In the xmlsec-openssl case (I am guessing that you are using it from
the RSA_private_encrypt function name :) ), all the "wrapping" is
done by openssl. It knows about PKCS 1.5 RSA signatures and xmlsec
simply calls an openssl function and says "do it for me".

I am not sure about the details of your particular crypto device
integration with OpenSSL. I would guess that there are 2 possible
options:

1) Your crypto device also knows about PKCS-1.5 RSA signatures
and can produce the desired signature format from a 20-byte digest.
Then it seems like there is a bug in the OpenSSL driver for your
crypto device. The code should not call the "encrypt" method but
rather call the native crypto device "sign" method.

2) Your crypto device can only do 20-byte RSA encryption.
Well, you are probably out of luck. I don't think you can do something
about that.

Aleksey
[1] http://www.w3.org/TR/xmldsig-core/#sec-SignatureAlg
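
The PAD (ASN.1 (OID, DIGEST)) step described in the message above, as an added example that is not part of the original post and is not xmlsec or OpenSSL code: it builds the block that a PKCS#1 v1.5 "sign" operation feeds to the RSA private-key operation, and checks a recovered block by re-encoding and comparing. The function names, the 512-byte limit and the sample digest are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20
#define MAX_EM   512   /* assumed upper bound: 4096-bit RSA keys */

/* DER DigestInfo header for SHA-1: AlgorithmIdentifier (OID 1.3.14.3.2.26,
 * NULL parameters) followed by the OCTET STRING tag and length of the digest. */
static const unsigned char DI_SHA1[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };

/* Constructed sample input: SHA-1("abc"). */
static const unsigned char SAMPLE_DIGEST[SHA1_LEN] = {
    0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
    0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d };

/* PAD(ASN.1(OID, DIGEST)): em = 00 01 FF..FF 00 || DigestInfo, em_len bytes
 * long (the RSA modulus size). Returns 0, or -1 if the size is unusable. */
int pkcs1_v15_encode_sha1(const unsigned char *digest,
                          unsigned char *em, size_t em_len) {
    const size_t t_len = sizeof DI_SHA1 + SHA1_LEN;    /* 35 bytes */
    if (em_len < t_len + 11 || em_len > MAX_EM) return -1; /* >= 8 FF bytes */
    size_t ps_len = em_len - t_len - 3;
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xff, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, DI_SHA1, sizeof DI_SHA1);
    memcpy(em + 3 + ps_len + sizeof DI_SHA1, digest, SHA1_LEN);
    return 0;
}

/* Verifier side: re-encode the expected block and compare every byte with the
 * block recovered from the signature, instead of parsing the padding. */
int pkcs1_v15_matches_sha1(const unsigned char *recovered, size_t em_len,
                           const unsigned char *digest) {
    unsigned char expected[MAX_EM], diff = 0;
    if (pkcs1_v15_encode_sha1(digest, expected, em_len) != 0) return 0;
    for (size_t i = 0; i < em_len; i++)
        diff |= (unsigned char)(recovered[i] ^ expected[i]);
    return diff == 0;
}

int main(void) {
    unsigned char em[128];                             /* 1024-bit key */
    if (pkcs1_v15_encode_sha1(SAMPLE_DIGEST, em, sizeof em) != 0) return 1;
    for (size_t i = 0; i < sizeof em; i++) printf("%02x", em[i]);
    printf("\n");
    return 0;
}
```

A device that only exposes raw RSA on a full key-size block could be handed this encoded block; a device limited to the bare 20-byte digest cannot produce a signature that this check accepts.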