[botan-devel] Signing using a certificate stored on a token

Daniel Neus daniel at neus-online.eu
Thu Mar 23 16:20:23 EDT 2017


Hi,

I'm not sure if this is possible with Botan. I think there is some
limited PKCS#7 support in Botan. Can you help with this Jack?

Daniel

Am 21.03.2017 um 14:41 schrieb Massimo De Vivo:
> Hi Daniel and Jack,
> thanks a lot for your replies.
> 
> What I'm trying to do is to do the same operations that Microsoft
> CryptSignMessage does. So, using the key of the certificate stored in
> the token, my function should "creates a hash of the specified content,
> signs the hash, and then encodes both the original message content and
> the signed hash". Currently, it should use SHA256 for signing and
> RSA-PKCS#7 for encoding. I've successfully signed my message using your
> example with EMSA3(SHA-256) ( EMSA4 doesn't work ); now I'm trying to
> use PK_Encryptor_EME for encoding it but, if I've understand well, it
> doesn't support PKCS#7 padding. Is there another way to do it? Is what
> I'm doing the right way?
> 
> Thanks a lot to both of you.
> 
> Max
> 
> 
> 2017-03-19 13:24 GMT+01:00 Daniel Neus <daniel at neus-online.eu
> <mailto:daniel at neus-online.eu>>:
> 
>     Hi Max,
> 
>     if you just want to sign you need the private key, not the certificate.
>     You should have a look in the `test_pkcs11_high_level.cpp` file and look
>     for the `test_rsa_sign_verify()` which describes RSA signing and
>     verification or for `test_ecdsa_sign_verify` which describes ECDSA
>     sign/verify.
> 
>     Here is another example for RSA signing (untested):
> 
>     Module module( "/path/to/the/pkcs11/module" );
>     auto slots = Slot::get_available_slots( module, true );
>     Slot slot( module, slots.front() );
>     Session session( slot, true );
>     const Botan::PKCS11::secure_string pin = { '1', '2', '3', '4', '5',
>     '6' };
> 
>     session.login( UserType::User, pin );
> 
>     const std::string label = "MY_PRIV_KEY";
>     // select key with label 'MY_PRIV_KEY'
>     auto keys = Object::search<PKCS11_RSA_PrivateKey>( session, label );
> 
>     Botan::PK_Signer signer( keys.front(), Test::rng(), "EMSA4(SHA-256)",
>     Botan::IEEE_1363, "pkcs11" );
>     auto signature = signer.sign_message( std::vector<uint8_t>( 256 ),
>     Test::rng() );
> 
> 
>     Daniel
> 
>     Am 18.03.2017 um 15:26 schrieb mdevivo74 at gmail.com
>     <mailto:mdevivo74 at gmail.com>:
>     > Hi,
>     >
>     >
>     >
>     > My name’s Max. I’m starting to use Botan in a project. Currently,
>     I need
>     > to sign a buffer using a certificate stored in a token. I’m trying to
>     > use PKCS11 high level api, but I cannot find any example to access
>     > certificates already stored in a token and to use them for signing.
>     >
>     >
>     >
>     > Could someone help me, please?
>     >
>     >
>     >
>     > Thanks a lot,
>     >
>     >
>     >
>     > Max
>     >
>     >
>     >
>     >
>     >
>     > _______________________________________________
>     > botan-devel mailing list
>     > botan-devel at randombit.net <mailto:botan-devel at randombit.net>
>     > http://lists.randombit.net/mailman/listinfo/botan-devel
>     <http://lists.randombit.net/mailman/listinfo/botan-devel>
>     >
>     _______________________________________________
>     botan-devel mailing list
>     botan-devel at randombit.net <mailto:botan-devel at randombit.net>
>     http://lists.randombit.net/mailman/listinfo/botan-devel
>     <http://lists.randombit.net/mailman/listinfo/botan-devel>
> 
> 
> 
> 
> _______________________________________________
> botan-devel mailing list
> botan-devel at randombit.net
> http://lists.randombit.net/mailman/listinfo/botan-devel
> 


More information about the botan-devel mailing list