[botan-devel] Signing using a certificate stored on a token

Massimo De Vivo mdevivo74 at gmail.com
Tue Mar 21 09:41:55 EDT 2017


Hi Daniel and Jack,
thanks a lot for your replies.

What I'm trying to do is to do the same operations that Microsoft
CryptSignMessage does. So, using the key of the certificate stored in the
token, my function should "creates a hash of the specified content, signs
the hash, and then encodes both the original message content and the signed
hash". Currently, it should use SHA256 for signing and RSA-PKCS#7 for
encoding. I've successfully signed my message using your example with
EMSA3(SHA-256) (EMSA4 doesn't work); now I'm trying to use PK_Encryptor_EME
for encoding it but, if I've understood well, it doesn't support PKCS#7
padding. Is there another way to do it? Is what I'm doing the right way?

Thanks a lot to both of you.

Max


2017-03-19 13:24 GMT+01:00 Daniel Neus <daniel at neus-online.eu>:

> Hi Max,
>
> if you just want to sign you need the private key, not the certificate.
> You should have a look in the `test_pkcs11_high_level.cpp` file and look
> for the `test_rsa_sign_verify()` which describes RSA signing and
> verification or for `test_ecdsa_sign_verify` which describes ECDSA
> sign/verify.
>
> Here is another example for RSA signing (untested):
>
> Module module( "/path/to/the/pkcs11/module" );
> auto slots = Slot::get_available_slots( module, true );
> Slot slot( module, slots.front() );
> Session session( slot, true );
> const Botan::PKCS11::secure_string pin = { '1', '2', '3', '4', '5', '6' };
>
> session.login( UserType::User, pin );
>
> const std::string label = "MY_PRIV_KEY";
> // select key with label 'MY_PRIV_KEY'
> auto keys = Object::search<PKCS11_RSA_PrivateKey>( session, label );
>
> Botan::PK_Signer signer( keys.front(), Test::rng(), "EMSA4(SHA-256)",
> Botan::IEEE_1363, "pkcs11" );
> auto signature = signer.sign_message( std::vector<uint8_t>( 256 ),
> Test::rng() );
>
>
> Daniel
>
> Am 18.03.2017 um 15:26 schrieb mdevivo74 at gmail.com:
> > Hi,
> >
> > My name’s Max. I’m starting to use Botan in a project. Currently, I need
> > to sign a buffer using a certificate stored in a token. I’m trying to
> > use PKCS11 high level api, but I cannot find any example to access
> > certificates already stored in a token and to use them for signing.
> >
> > Could someone help me, please?
> >
> > Thanks a lot,
> >
> > Max
> >
> > _______________________________________________
> > botan-devel mailing list
> > botan-devel at randombit.net
> > http://lists.randombit.net/mailman/listinfo/botan-devel
> >
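
Added example (not part of the thread and not Botan's code): the scheme Botan calls EMSA3 is the EMSA-PKCS1-v1_5 encoding of RFC 8017, and the sketch below builds that encoded block for a SHA-256 digest and checks one on the verifier side by full comparison. The function names, the 2048-bit modulus size and the digest bytes are assumptions made for illustration.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// DER DigestInfo header for SHA-256 (RFC 8017, section 9.2, note 1).
static const std::array<uint8_t, 19> SHA256_DIGEST_INFO = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};

// EM = 0x00 || 0x01 || PS (0xFF bytes) || 0x00 || DigestInfo || digest,
// where k is the RSA modulus length in bytes. Hypothetical helper name.
std::vector<uint8_t> emsa3_sha256_encode(const std::vector<uint8_t>& digest, std::size_t k) {
    if (digest.size() != 32) throw std::invalid_argument("SHA-256 digest must be 32 bytes");
    const std::size_t t_len = SHA256_DIGEST_INFO.size() + digest.size();
    if (k < t_len + 11) throw std::invalid_argument("modulus too short for EMSA3(SHA-256)");
    std::vector<uint8_t> em(k, 0xFF);  // start as all padding
    em[0] = 0x00;
    em[1] = 0x01;
    em[k - t_len - 1] = 0x00;  // separator after PS
    std::copy(SHA256_DIGEST_INFO.begin(), SHA256_DIGEST_INFO.end(),
              em.begin() + static_cast<std::ptrdiff_t>(k - t_len));
    std::copy(digest.begin(), digest.end(),
              em.begin() + static_cast<std::ptrdiff_t>(k - digest.size()));
    return em;
}

// Verifier side: rebuild the expected block and compare every byte instead of
// parsing the padding, so extra or misplaced bytes are never tolerated.
bool emsa3_sha256_matches(const std::vector<uint8_t>& em, const std::vector<uint8_t>& digest) {
    if (digest.size() != 32 || em.size() < SHA256_DIGEST_INFO.size() + 32 + 11) return false;
    const std::vector<uint8_t> expected = emsa3_sha256_encode(digest, em.size());
    uint8_t diff = 0;
    for (std::size_t i = 0; i < em.size(); ++i) diff |= static_cast<uint8_t>(em[i] ^ expected[i]);
    return diff == 0;
}

int main() {
    const std::vector<uint8_t> digest(32, 0xAB);  // constructed stand-in for a real SHA-256 digest
    const std::vector<uint8_t> em = emsa3_sha256_encode(digest, 256);  // 2048-bit modulus assumed
    for (std::size_t i = 0; i < em.size(); ++i)
        std::printf("%02x%s", em[i], (i % 32 == 31) ? "\n" : "");
    return emsa3_sha256_matches(em, digest) ? 0 : 1;
}
```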