[botan-devel] Signing using a certificate stored on a token

Jack Lloyd jack at randombit.net
Fri Mar 24 16:00:54 EDT 2017


Hi Massimo,

The old Botan PKCS7 code was never completed (one reason it was removed)
and it's unlikely that even if you got it compiling against a recent
version of the API that it would do what you need.

I'm confused about this

> use PK_Encryptor_EME for encoding it but, if I've understand well, it
> doesn't support PKCS#7 padding. Is there another way to do it? Is what

My read of RFC 2315 is that PKCS#7 uses PKCS#1 v1.5 padding for RSA
encryption. Then the ciphertext is encoded in a PKCS#7 structure. The
encryption padding is supported, but for the PKCS7 structures you
would have to create them yourself using the ASN1 library.

Jack


On Thu, Mar 23, 2017 at 09:55:39PM +0100, Massimo De Vivo wrote:
> HI Daniel,
> 
> thanks for your reply.
> 
> Indeed I'm becoming crazy with that, because I've seen that PKCS#7 is not
> anymore supported in Botan. I've tried to reuse the old code, but there are
> many differences. Also, integrating the code with OpenSSL is very hard,
> because OpenSSL CMS functions need to have access to certificates.
> 
> I cannot find any open source libraries that support PKCS#7. I think it's
> unbelievable...
> 
> Could you help me please?
> 
> Thanks a lot,
> 
> Max
> 
> 
> 
> 
> 2017-03-23 21:20 GMT+01:00 Daniel Neus <daniel at neus-online.eu>:
> 
> > Hi,
> >
> > I'm not sure if this is possible with Botan. I think there is some
> > limited PKCS#7 support in Botan. Can you help with this Jack?
> >
> > Daniel
> >
> > Am 21.03.2017 um 14:41 schrieb Massimo De Vivo:
> > > Hi Daniel and Jack,
> > > thanks a lot for your replies.
> > >
> > > What I'm trying to do is to do the same operations that Microsoft
> > > CryptSignMessage does. So, using the key of the certificate stored in
> > > the token, my function should "creates a hash of the specified content,
> > > signs the hash, and then encodes both the original message content and
> > > the signed hash". Currently, it should use SHA256 for signing and
> > > RSA-PKCS#7 for encoding. I've successfully signed my message using your
> > > example with EMSA3(SHA-256) ( EMSA4 doesn't work ); now I'm trying to
> > > use PK_Encryptor_EME for encoding it but, if I've understand well, it
> > > doesn't support PKCS#7 padding. Is there another way to do it? Is what
> > > I'm doing the right way?
> > >
> > > Thanks a lot to both of you.
> > >
> > > Max
> > >
> > >
> > > 2017-03-19 13:24 GMT+01:00 Daniel Neus <daniel at neus-online.eu
> > > <mailto:daniel at neus-online.eu>>:
> > >
> > >     Hi Max,
> > >
> > >     if you just want to sign you need the private key, not the
> > certificate.
> > >     You should have a look in the `test_pkcs11_high_level.cpp` file and
> > look
> > >     for the `test_rsa_sign_verify()` which describes RSA signing and
> > >     verification or for `test_ecdsa_sign_verify` which describes ECDSA
> > >     sign/verify.
> > >
> > >     Here is another example for RSA signing (untested):
> > >
> > >     Module module( "/path/to/the/pkcs11/module" );
> > >     auto slots = Slot::get_available_slots( module, true );
> > >     Slot slot( module, slots.front() );
> > >     Session session( slot, true );
> > >     const Botan::PKCS11::secure_string pin = { '1', '2', '3', '4', '5',
> > >     '6' };
> > >
> > >     session.login( UserType::User, pin );
> > >
> > >     const std::string label = "MY_PRIV_KEY";
> > >     // select key with label 'MY_PRIV_KEY'
> > >     auto keys = Object::search<PKCS11_RSA_PrivateKey>( session, label );
> > >
> > >     Botan::PK_Signer signer( keys.front(), Test::rng(), "EMSA4(SHA-256)",
> > >     Botan::IEEE_1363, "pkcs11" );
> > >     auto signature = signer.sign_message( std::vector<uint8_t>( 256 ),
> > >     Test::rng() );
> > >
> > >
> > >     Daniel
> > >
> > >     Am 18.03.2017 um 15:26 schrieb mdevivo74 at gmail.com
> > >     <mailto:mdevivo74 at gmail.com>:
> > >     > Hi,
> > >     >
> > >     >
> > >     >
> > >     > My name’s Max. I’m starting to use Botan in a project. Currently,
> > >     I need
> > >     > to sign a buffer using a certificate stored in a token. I’m trying
> > to
> > >     > use PKCS11 high level api, but I cannot find any example to access
> > >     > certificates already stored in a token and to use them for signing.
> > >     >
> > >     >
> > >     >
> > >     > Could someone help me, please?
> > >     >
> > >     >
> > >     >
> > >     > Thanks a lot,
> > >     >
> > >     >
> > >     >
> > >     > Max
> > >     >
> > >     >
> > >     >
> > >     >
> > >     >
> > >     > _______________________________________________
> > >     > botan-devel mailing list
> > >     > botan-devel at randombit.net <mailto:botan-devel at randombit.net>
> > >     > http://lists.randombit.net/mailman/listinfo/botan-devel
> > >     <http://lists.randombit.net/mailman/listinfo/botan-devel>
> > >     >
> > >     _______________________________________________
> > >     botan-devel mailing list
> > >     botan-devel at randombit.net <mailto:botan-devel at randombit.net>
> > >     http://lists.randombit.net/mailman/listinfo/botan-devel
> > >     <http://lists.randombit.net/mailman/listinfo/botan-devel>
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > botan-devel mailing list
> > > botan-devel at randombit.net
> > > http://lists.randombit.net/mailman/listinfo/botan-devel
> > >
> > _______________________________________________
> > botan-devel mailing list
> > botan-devel at randombit.net
> > http://lists.randombit.net/mailman/listinfo/botan-devel
> >

> _______________________________________________
> botan-devel mailing list
> botan-devel at randombit.net
> http://lists.randombit.net/mailman/listinfo/botan-devel



More information about the botan-devel mailing list