[botan-devel] Signing using a certificate stored on a token

Massimo De Vivo mdevivo74 at gmail.com
Mon Mar 27 12:11:04 EDT 2017


Furthermore, I've noted that the Botan PKCS#11 module calls the hash algorithm
SHA1 while in the OIDs the name is SHA160. So there is an error if someone
sets this algorithm and uses Botan::OIDS::lookup. I had to insert it
manually together with the CMS OIDs while producing the PKCS#7 envelope.

Thanks again,
Massimo


2017-03-27 18:02 GMT+02:00 Massimo De Vivo <mdevivo74 at gmail.com>:

> Hi Jack,
> You're right, I wrongly thought that the padding was not PKCS#1 v1.5.
> In the end I've succeeded in developing the PKCS#7 envelope for my project.
> I've compared the results with CryptSignMessage results and the only
> difference is that, for the DN, Botan uses PRINTABLE_STRING = 0x13 while
> the Windows function uses UTF8_STRING = 0x0C.
>
> Thanks a lot for everything,
>
> Massimo
>
> 2017-03-24 21:00 GMT+01:00 Jack Lloyd <jack at randombit.net>:
>
>> Hi Massimo,
>>
>> The old Botan PKCS7 code was never completed (one reason it was removed)
>> and it's unlikely that even if you got it compiling against a recent
>> version of the API that it would do what you need.
>>
>> I'm confused about this
>>
>> > use PK_Encryptor_EME for encoding it but, if I've understood well, it
>> > doesn't support PKCS#7 padding. Is there another way to do it? Is what
>>
>> My read of RFC 2315 is that PKCS#7 uses PKCS#1 v1.5 padding for RSA
>> encryption. Then the ciphertext is encoded in a PKCS#7 structure. The
>> encryption padding is supported, but for the PKCS7 structures you
>> would have to create them yourself using the ASN1 library.
>>
>> Jack
>>
>>
>> On Thu, Mar 23, 2017 at 09:55:39PM +0100, Massimo De Vivo wrote:
>> > Hi Daniel,
>> >
>> > thanks for your reply.
>> >
>> > Indeed I'm becoming crazy with that, because I've seen that PKCS#7 is not
>> > anymore supported in Botan. I've tried to reuse the old code, but there are
>> > many differences. Also, integrating the code with OpenSSL is very hard,
>> > because OpenSSL CMS functions need to have access to certificates.
>> >
>> > I cannot find any open source libraries that support PKCS#7. I think it's
>> > unbelievable...
>> >
>> > Could you help me please?
>> >
>> > Thanks a lot,
>> >
>> > Max
>> >
>> >
>> >
>> >
>> > 2017-03-23 21:20 GMT+01:00 Daniel Neus <daniel at neus-online.eu>:
>> >
>> > > Hi,
>> > >
>> > > I'm not sure if this is possible with Botan. I think there is some
>> > > limited PKCS#7 support in Botan. Can you help with this Jack?
>> > >
>> > > Daniel
>> > >
>> > > On 21.03.2017 at 14:41, Massimo De Vivo wrote:
>> > > > Hi Daniel and Jack,
>> > > > thanks a lot for your replies.
>> > > >
>> > > > What I'm trying to do is to do the same operations that Microsoft
>> > > > CryptSignMessage does. So, using the key of the certificate stored in
>> > > > the token, my function should "creates a hash of the specified content,
>> > > > signs the hash, and then encodes both the original message content and
>> > > > the signed hash". Currently, it should use SHA256 for signing and
>> > > > RSA-PKCS#7 for encoding. I've successfully signed my message using your
>> > > > example with EMSA3(SHA-256) ( EMSA4 doesn't work ); now I'm trying to
>> > > > use PK_Encryptor_EME for encoding it but, if I've understood well, it
>> > > > doesn't support PKCS#7 padding. Is there another way to do it? Is what
>> > > > I'm doing the right way?
>> > > >
>> > > > Thanks a lot to both of you.
>> > > >
>> > > > Max
>> > > >
>> > > >
>> > > > 2017-03-19 13:24 GMT+01:00 Daniel Neus <daniel at neus-online.eu>:
>> > > >
>> > > >     Hi Max,
>> > > >
>> > > >     if you just want to sign you need the private key, not the certificate.
>> > > >     You should have a look in the `test_pkcs11_high_level.cpp` file and look
>> > > >     for the `test_rsa_sign_verify()` which describes RSA signing and
>> > > >     verification or for `test_ecdsa_sign_verify` which describes ECDSA
>> > > >     sign/verify.
>> > > >
>> > > >     Here is another example for RSA signing (untested):
>> > > >
>> > > >     // unqualified names below assume `using namespace Botan::PKCS11;`
>> > > >     Module module( "/path/to/the/pkcs11/module" );
>> > > >     // true: list only slots that have a token present
>> > > >     auto slots = Slot::get_available_slots( module, true );
>> > > >     Slot slot( module, slots.front() );
>> > > >     // true: open a read-only session
>> > > >     Session session( slot, true );
>> > > >     const Botan::PKCS11::secure_string pin = { '1', '2', '3', '4', '5', '6' };
>> > > >
>> > > >     session.login( UserType::User, pin );
>> > > >
>> > > >     const std::string label = "MY_PRIV_KEY";
>> > > >     // select key with label 'MY_PRIV_KEY'
>> > > >     auto keys = Object::search<PKCS11_RSA_PrivateKey>( session, label );
>> > > >
>> > > >     // Test::rng() is the RNG provided by Botan's test framework
>> > > >     Botan::PK_Signer signer( keys.front(), Test::rng(), "EMSA4(SHA-256)",
>> > > >        Botan::IEEE_1363, "pkcs11" );
>> > > >     auto signature = signer.sign_message( std::vector<uint8_t>( 256 ), Test::rng() );
>> > > >
>> > > >
>> > > >     Daniel
>> > > >
>> > > >     On 18.03.2017 at 15:26, mdevivo74 at gmail.com wrote:
>> > > >     > Hi,
>> > > >     >
>> > > >     > My name’s Max. I’m starting to use Botan in a project. Currently, I need
>> > > >     > to sign a buffer using a certificate stored in a token. I’m trying to
>> > > >     > use PKCS11 high level api, but I cannot find any example to access
>> > > >     > certificates already stored in a token and to use them for signing.
>> > > >     >
>> > > >     > Could someone help me, please?
>> > > >     >
>> > > >     > Thanks a lot,
>> > > >     >
>> > > >     > Max
>> > > >     >
>> > > >     > _______________________________________________
>> > > >     > botan-devel mailing list
>> > > >     > botan-devel at randombit.net
>> > > >     > http://lists.randombit.net/mailman/listinfo/botan-devel
>> > > >     >
>
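
As an added illustration (not code from this thread or from Botan): the block that "EMSA3(SHA-256)", i.e. PKCS#1 v1.5 signature padding, hands to the RSA private-key operation on the token, with the byte layout from RFC 8017 section 9.2. The function names and the sample digest are constructed for the example; the check re-encodes and compares, as RFC 8017 section 8.2.2 does, instead of parsing the padding.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// DER DigestInfo header for SHA-256 (RFC 8017, section 9.2, note 1):
// SEQUENCE { SEQUENCE { OID 2.16.840.1.101.3.4.2.1, NULL }, OCTET STRING (32) }
static const std::array<uint8_t, 19> kSha256Prefix = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};

// Build EM = 0x00 || 0x01 || PS (0xFF bytes) || 0x00 || DigestInfo.
// em_len is the RSA modulus length in bytes (256 for a 2048-bit key).
std::vector<uint8_t> emsa3_sha256_encode(const std::vector<uint8_t>& digest,
                                         std::size_t em_len) {
    if (digest.size() != 32)
        throw std::invalid_argument("SHA-256 digest must be 32 bytes");
    const std::size_t t_len = kSha256Prefix.size() + digest.size();
    // RFC 8017 requires at least 8 bytes of 0xFF padding.
    if (em_len < t_len + 11)
        throw std::length_error("modulus too short for this digest");
    std::vector<uint8_t> em = {0x00, 0x01};
    em.insert(em.end(), em_len - t_len - 3, 0xFF);
    em.push_back(0x00);
    em.insert(em.end(), kSha256Prefix.begin(), kSha256Prefix.end());
    em.insert(em.end(), digest.begin(), digest.end());
    return em;
}

// Verification side: rebuild the expected block and compare it whole, so a
// wrong block type, short or non-0xFF padding, or trailing bytes all fail.
bool emsa3_sha256_matches(const std::vector<uint8_t>& em,
                          const std::vector<uint8_t>& digest) {
    try {
        return em == emsa3_sha256_encode(digest, em.size());
    } catch (const std::exception&) {
        return false;
    }
}

int main() {
    // Constructed sample: 32 bytes of 0xAB stand in for a real SHA-256 digest.
    const std::vector<uint8_t> digest(32, 0xAB);
    const auto em = emsa3_sha256_encode(digest, 256);  // 2048-bit modulus
    return emsa3_sha256_matches(em, digest) ? 0 : 1;
}
```
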