[botan-devel] Signing using a certificate stored on a token

Massimo De Vivo mdevivo74 at gmail.com
Thu Mar 23 16:55:39 EDT 2017


HI Daniel,

thanks for your reply.

Indeed I'm becoming crazy with that, because I've seen that PKCS#7 is not
anymore supported in Botan. I've tried to reuse the old code, but there are
many differences. Also, integrating the code with OpenSSL is very hard,
because OpenSSL CMS functions need to have access to certificates.

I cannot find any open source libraries that support PKCS#7. I think it's
unbelievable...

Could you help me please?

Thanks a lot,

Max




2017-03-23 21:20 GMT+01:00 Daniel Neus <daniel at neus-online.eu>:

> Hi,
>
> I'm not sure if this is possible with Botan. I think there is some
> limited PKCS#7 support in Botan. Can you help with this Jack?
>
> Daniel
>
> Am 21.03.2017 um 14:41 schrieb Massimo De Vivo:
> > Hi Daniel and Jack,
> > thanks a lot for your replies.
> >
> > What I'm trying to do is to do the same operations that Microsoft
> > CryptSignMessage does. So, using the key of the certificate stored in
> > the token, my function should "creates a hash of the specified content,
> > signs the hash, and then encodes both the original message content and
> > the signed hash". Currently, it should use SHA256 for signing and
> > RSA-PKCS#7 for encoding. I've successfully signed my message using your
> > example with EMSA3(SHA-256) ( EMSA4 doesn't work ); now I'm trying to
> > use PK_Encryptor_EME for encoding it but, if I've understand well, it
> > doesn't support PKCS#7 padding. Is there another way to do it? Is what
> > I'm doing the right way?
> >
> > Thanks a lot to both of you.
> >
> > Max
> >
> >
> > 2017-03-19 13:24 GMT+01:00 Daniel Neus <daniel at neus-online.eu
> > <mailto:daniel at neus-online.eu>>:
> >
> >     Hi Max,
> >
> >     if you just want to sign you need the private key, not the
> certificate.
> >     You should have a look in the `test_pkcs11_high_level.cpp` file and
> look
> >     for the `test_rsa_sign_verify()` which describes RSA signing and
> >     verification or for `test_ecdsa_sign_verify` which describes ECDSA
> >     sign/verify.
> >
> >     Here is another example for RSA signing (untested):
> >
> >     Module module( "/path/to/the/pkcs11/module" );
> >     auto slots = Slot::get_available_slots( module, true );
> >     Slot slot( module, slots.front() );
> >     Session session( slot, true );
> >     const Botan::PKCS11::secure_string pin = { '1', '2', '3', '4', '5',
> >     '6' };
> >
> >     session.login( UserType::User, pin );
> >
> >     const std::string label = "MY_PRIV_KEY";
> >     // select key with label 'MY_PRIV_KEY'
> >     auto keys = Object::search<PKCS11_RSA_PrivateKey>( session, label );
> >
> >     Botan::PK_Signer signer( keys.front(), Test::rng(), "EMSA4(SHA-256)",
> >     Botan::IEEE_1363, "pkcs11" );
> >     auto signature = signer.sign_message( std::vector<uint8_t>( 256 ),
> >     Test::rng() );
> >
> >
> >     Daniel
> >
> >     Am 18.03.2017 um 15:26 schrieb mdevivo74 at gmail.com
> >     <mailto:mdevivo74 at gmail.com>:
> >     > Hi,
> >     >
> >     >
> >     >
> >     > My name’s Max. I’m starting to use Botan in a project. Currently,
> >     I need
> >     > to sign a buffer using a certificate stored in a token. I’m trying
> to
> >     > use PKCS11 high level api, but I cannot find any example to access
> >     > certificates already stored in a token and to use them for signing.
> >     >
> >     >
> >     >
> >     > Could someone help me, please?
> >     >
> >     >
> >     >
> >     > Thanks a lot,
> >     >
> >     >
> >     >
> >     > Max
> >     >
> >     >
> >     >
> >     >
> >     >
> >     > _______________________________________________
> >     > botan-devel mailing list
> >     > botan-devel at randombit.net <mailto:botan-devel at randombit.net>
> >     > http://lists.randombit.net/mailman/listinfo/botan-devel
> >     <http://lists.randombit.net/mailman/listinfo/botan-devel>
> >     >
> >     _______________________________________________
> >     botan-devel mailing list
> >     botan-devel at randombit.net <mailto:botan-devel at randombit.net>
> >     http://lists.randombit.net/mailman/listinfo/botan-devel
> >     <http://lists.randombit.net/mailman/listinfo/botan-devel>
> >
> >
> >
> >
> > _______________________________________________
> > botan-devel mailing list
> > botan-devel at randombit.net
> > http://lists.randombit.net/mailman/listinfo/botan-devel
> >
> _______________________________________________
> botan-devel mailing list
> botan-devel at randombit.net
> http://lists.randombit.net/mailman/listinfo/botan-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20170323/aa1a2198/attachment.html>


More information about the botan-devel mailing list