[botan-devel] Signing using a certificate stored on a token

Massimo De Vivo mdevivo74 at gmail.com
Mon Mar 27 12:02:53 EDT 2017


Hi Jack,
You're right, I wrongly thought that the padding was not PKCS#1 v1.5.
At the end I've succeeded in developing the PK#7 envelope for my project.
I've compared the results with CryptSignMessage results and the only
difference is that, for the DN, Botan uses PRINTABLE_STRING = 0x13 while
windows function uses UTF8_STRING = 0x0C.

Thanks a lot for everything,

Massimo

2017-03-24 21:00 GMT+01:00 Jack Lloyd <jack at randombit.net>:

> Hi Massimo,
>
> The old Botan PKCS7 code was never completed (one reason it was removed)
> and it's unlikely that even if you got it compiling against a recent
> version of the API that it would do what you need.
>
> I'm confused about this
>
> > use PK_Encryptor_EME for encoding it but, if I've understand well, it
> > doesn't support PKCS#7 padding. Is there another way to do it? Is what
>
> My read of RFC 2315 is that PKCS#7 uses PKCS#1 v1.5 padding for RSA
> encryption. Then the ciphertext is encoded in a PKCS#7 structure. The
> encryption padding is supported, but for the PKCS7 structures you
> would have to create them yourself using the ASN1 library.
>
> Jack
>
>
> On Thu, Mar 23, 2017 at 09:55:39PM +0100, Massimo De Vivo wrote:
> > HI Daniel,
> >
> > thanks for your reply.
> >
> > Indeed I'm becoming crazy with that, because I've seen that PKCS#7 is not
> > anymore supported in Botan. I've tried to reuse the old code, but there
> are
> > many differences. Also, integrating the code with OpenSSL is very hard,
> > because OpenSSL CMS functions need to have access to certificates.
> >
> > I cannot find any open source libraries that support PKCS#7. I think it's
> > unbelievable...
> >
> > Could you help me please?
> >
> > Thanks a lot,
> >
> > Max
> >
> >
> >
> >
> > 2017-03-23 21:20 GMT+01:00 Daniel Neus <daniel at neus-online.eu>:
> >
> > > Hi,
> > >
> > > I'm not sure if this is possible with Botan. I think there is some
> > > limited PKCS#7 support in Botan. Can you help with this Jack?
> > >
> > > Daniel
> > >
> > > Am 21.03.2017 um 14:41 schrieb Massimo De Vivo:
> > > > Hi Daniel and Jack,
> > > > thanks a lot for your replies.
> > > >
> > > > What I'm trying to do is to do the same operations that Microsoft
> > > > CryptSignMessage does. So, using the key of the certificate stored in
> > > > the token, my function should "creates a hash of the specified
> content,
> > > > signs the hash, and then encodes both the original message content
> and
> > > > the signed hash". Currently, it should use SHA256 for signing and
> > > > RSA-PKCS#7 for encoding. I've successfully signed my message using
> your
> > > > example with EMSA3(SHA-256) ( EMSA4 doesn't work ); now I'm trying to
> > > > use PK_Encryptor_EME for encoding it but, if I've understand well, it
> > > > doesn't support PKCS#7 padding. Is there another way to do it? Is
> what
> > > > I'm doing the right way?
> > > >
> > > > Thanks a lot to both of you.
> > > >
> > > > Max
> > > >
> > > >
> > > > 2017-03-19 13:24 GMT+01:00 Daniel Neus <daniel at neus-online.eu
> > > > <mailto:daniel at neus-online.eu>>:
> > > >
> > > >     Hi Max,
> > > >
> > > >     if you just want to sign you need the private key, not the
> > > certificate.
> > > >     You should have a look in the `test_pkcs11_high_level.cpp` file
> and
> > > look
> > > >     for the `test_rsa_sign_verify()` which describes RSA signing and
> > > >     verification or for `test_ecdsa_sign_verify` which describes
> ECDSA
> > > >     sign/verify.
> > > >
> > > >     Here is another example for RSA signing (untested):
> > > >
> > > >     Module module( "/path/to/the/pkcs11/module" );
> > > >     auto slots = Slot::get_available_slots( module, true );
> > > >     Slot slot( module, slots.front() );
> > > >     Session session( slot, true );
> > > >     const Botan::PKCS11::secure_string pin = { '1', '2', '3', '4',
> '5',
> > > >     '6' };
> > > >
> > > >     session.login( UserType::User, pin );
> > > >
> > > >     const std::string label = "MY_PRIV_KEY";
> > > >     // select key with label 'MY_PRIV_KEY'
> > > >     auto keys = Object::search<PKCS11_RSA_PrivateKey>( session,
> label );
> > > >
> > > >     Botan::PK_Signer signer( keys.front(), Test::rng(),
> "EMSA4(SHA-256)",
> > > >     Botan::IEEE_1363, "pkcs11" );
> > > >     auto signature = signer.sign_message( std::vector<uint8_t>( 256
> ),
> > > >     Test::rng() );
> > > >
> > > >
> > > >     Daniel
> > > >
> > > >     Am 18.03.2017 um 15:26 schrieb mdevivo74 at gmail.com
> > > >     <mailto:mdevivo74 at gmail.com>:
> > > >     > Hi,
> > > >     >
> > > >     >
> > > >     >
> > > >     > My name’s Max. I’m starting to use Botan in a project.
> Currently,
> > > >     I need
> > > >     > to sign a buffer using a certificate stored in a token. I’m
> trying
> > > to
> > > >     > use PKCS11 high level api, but I cannot find any example to
> access
> > > >     > certificates already stored in a token and to use them for
> signing.
> > > >     >
> > > >     >
> > > >     >
> > > >     > Could someone help me, please?
> > > >     >
> > > >     >
> > > >     >
> > > >     > Thanks a lot,
> > > >     >
> > > >     >
> > > >     >
> > > >     > Max
> > > >     >
> > > >     >
> > > >     >
> > > >     >
> > > >     >
> > > >     > _______________________________________________
> > > >     > botan-devel mailing list
> > > >     > botan-devel at randombit.net <mailto:botan-devel at randombit.net>
> > > >     > http://lists.randombit.net/mailman/listinfo/botan-devel
> > > >     <http://lists.randombit.net/mailman/listinfo/botan-devel>
> > > >     >
> > > >     _______________________________________________
> > > >     botan-devel mailing list
> > > >     botan-devel at randombit.net <mailto:botan-devel at randombit.net>
> > > >     http://lists.randombit.net/mailman/listinfo/botan-devel
> > > >     <http://lists.randombit.net/mailman/listinfo/botan-devel>
> > > >
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > botan-devel mailing list
> > > > botan-devel at randombit.net
> > > > http://lists.randombit.net/mailman/listinfo/botan-devel
> > > >
> > > _______________________________________________
> > > botan-devel mailing list
> > > botan-devel at randombit.net
> > > http://lists.randombit.net/mailman/listinfo/botan-devel
> > >
>
> > _______________________________________________
> > botan-devel mailing list
> > botan-devel at randombit.net
> > http://lists.randombit.net/mailman/listinfo/botan-devel
>
> _______________________________________________
> botan-devel mailing list
> botan-devel at randombit.net
> http://lists.randombit.net/mailman/listinfo/botan-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20170327/7ce8ec19/attachment-0001.html>


More information about the botan-devel mailing list