[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Problem about the private key signing with SFL
One thing I found yesterday is that if the password on the PKCS#8 file
is < 8 characters it doesn't get saved during AddLogin and then you
can't access the private key later because getpassword (in
SMFREE3::SMIT_Sign()) returns "". So IF your password is less than 8
characters try it with more and see if that helps.
I assume this 8 character limit is by design?
Gianluca Ramunno wrote:
> Hi all,
> another problem. About private key.
> As I wrote, the goal of my application is
> * sign a blob
> * verify the signature over this blob
> (very innovative ... :-))
> I want to use Crypto++ 3.1 free token library, md5RSA or sha1RSA
> signature over that blob and produce a CMS object with or without
> with or without signer's certificate, with or without certification path
> Platform: Win32, Compiler VisualC++ 6.0 (within VisualStudio) Professional
> with SP3
> SFL version 1.6 (Free3 CTIL compiled with SM_FREE3_RSA_INCLUDED define)
> In order to try the application with a standard certificate,
> I got a trial certificate from Verisign
> (with automatic enrollment to the Microsoft
> Enhanced Cryptographic Service Provider, the one
> released with a High Encryption Pack for IE)
> Main features are:
> * Version3
> * Public key algorithm: RSA
> * Public key length: 1024 bit
> * Certificate Signature Algorithm: md5RSA
> Then I exported the certificate with a private key from MS local repository
> to a PKCS#12 object.
> Finally using openSSL 0.95a I performed following steps:
> 1) extraction of the private key from PKCS#12 to PEM format
> (I think base64 encoded RSA format, it is not specified in openSSL docs).
> The command used is:
> openssl pkcs12 -in mypkcs12.p12 -nocerts -out keytemp.pem
> Openssl requested password to open pkcs12 object and password
> to protect pem format private key file
> * transcoding from PEM format to PKCS#8 (protected with PKCS#5)
> DER encoded.
> The command used is:
> openssl pkcs8 -in keytemp.pem -inform pem -topk8 -outform der -out
> Openssl requested password to pem format key and password
> to protect PKCS#8 object
> Now the application. Some key source code line:
> * For login:
> SME(pES_AppLogin= (CSM_AppLogin *) new
> pCSMIME = (CSMIME *)pES_AppLogin;
> Following previous mails between Bob and Jonathan (about default alg - DSA -
> Free3 CTIL) I added following code
> pDigestAlgOID = new CSM_OID(md5);
> pDig_EncAlgOID = new CSM_OID(md5WithRSAEncryption);
> pCurr_CSInst->SetPreferredCSInstAlgs(pDigestAlgOID ,
> pDig_EncAlgOID , NULL, NULL);
> Because of the fact that the application had produced a PKCS#7 object
> containing SignedData without SignerInfos/SignerInfo data, I debugged the
> and I saw that before calling SMTI_Sign method it was controlled that
> Applicable bit value within CSM_CInst instance was true.
> So I added following code:
> * For instancing and preparing CSM_MsgToSign object
> CSM_Buffer *p;
> p= new CSM_Buffer(DATA_TO_BE_SIGNED_FILENAME);
> m_pESSignMsg= (CSM_MsgToSign *) new CSM_MsgToSign(p);
> // CMS (RFC 2630) OID definition for SignedData type
> m_pESSignMsg->m_bIssOrSki = false; //Usa IssuerAndSerialNumber
> // for the following flag: true->enveloping signature
> // false->detached signature
> * For signing
> if ((ret=m_pESSignMsg->Sign(pCSMIME))==SM_NO_ERROR)
> CSM_Buffer *pbufContent=m_pESSignMsg->GetEncodedContentInfo();
> delete pbufContent;
> The problem:
> The application return to me following exception:
> ERROR INFORMATION AND STACK:
> ERROR INFORMATION: PrivateKeyInfo::BDec: ERROR - wrong tag
> ERROR CODE: 34 SOURCE LINE NUMBER: 3054
> FILE: f:\tesi\smimer1.6\alg_libs\sm_free3\sm_free3.cpp
> FUNCTION: CSM_Free3::DecryptPrivateKey
> CSM_Free3::SMTI_Sign IN f:\tesi\smimer1.6\alg_libs\sm_free3\sm_free3.cpp,
> line 8
> CSM_SignBuf::SignBuf IN f:\tesi\smimer1.6\libcert\src\sm_signbuf.cpp, line
> ProduceSignerInfo IN F:\Tesi\smimeR1.6\libsrc\hilevel\sm_Sign.cpp, line 301.
> UpdateSignedDataSIs IN F:\Tesi\smimeR1.6\libsrc\hilevel\sm_Sign.cpp, line
> Sign IN F:\Tesi\smimeR1.6\libsrc\hilevel\sm_Sign.cpp, line -1.
> sign IN f:\tesi\es\escmd\src\escmd.cpp, line -1.
> I can't debug the application within SMTI_Sign (CSM_TokenInterface
> class or, better, CSM_Free3 class) method because
> for the following code in sm_SignBuf.cpp
> pSigBuf, // returned result
> pDigest)); // data digest (Hash of Content)
> the behavior of F11(step into) debug command is similar to F10 (step over),
> so I can't see values of various structures within the objects (from
> CSM_AppLogin and
> CSM_MsgToSign classes) just before exception is generated.
> I thinked I have compiled SFL with bad options, so
> I tried to verify key management
> using command
> auto_hid.exe lolevel\crypto.cfg:
> it returned to me no message (The meaning is:
> Test passed?).
> I tried to change randomly password in
> a free3 section of the crypto.cfg file
> ant it returned to me no message ...
> So I can't understand if SFL libraries have been built
> Finally trying to generate a certificate using
> 1) Using dialog box I can generate
> certificate only with DSA public key
> (which way for storing generated private key?)
> 2) Using a config file (e.g. DaisyRSA.cfg included
> in SFL package) CertificateBuilder returns an error
> (in libcert)
> Now the questions:
> 1) Is my usage of pCurr_CSInst->SetApplicable(true)
> method correct or the use it's not mandatory (and I
> had to use it because I forgot something else?)
> 2) Did I do something wrong while estracting private key
> from PKCS#12 and converting to PKCS#8? Which is the
> right way for obtaining a private key file suitable for
> SFL Free3 CTIL ?
> There is some requirement for the password
> (length and others)?
> 3) Which way can I generate a couple private-public key
> RSA and a public key certificate signed using md5RSA
> or sha1RSA algorithms using CertificateBuilder (either
> using dialog windows or config file)?
> I tried to do the above operations but I wasn't able to force
> CertificateBuilder to use RSA algorithm and store private
> key somewhere into a file.
> The following questions aren't related to private key problem
> 3) Using the constructor
> (with DLLBuildParam="SM_FREE3DLL certsign.der keysign.p8 password sm_FREE3")
> the last parameter, token ID (sm_FREE3), is ininfluent, because is the
> *CSM_Free3::AddLoginStatic method which copies ID string (FREE3) to a buffer
> pointed by the pointer passed as parameter, in the above case pointer to
> The only need is passing a string with length equal or greather than FREE3
> in order to allocate string buffer memory large enough for th copy made
> by AddLoginStatic method
> It's true? If yes, why?
> 4) What's the difference between sha_1WithRSAEncryption
> and sha_1WithRSAEncryption_ALT AsnOid contants?
> 5) Have you (Wang) planned a CTIL for a MSCryptoAPI?
> Someone else had developed it?
> Gianluca Ramunno (ramunno@xxxxxxxxx)
Jonathan C. Schulze-Hewett Email: schulze-hewett@xxxxxxxxxxxxxxx
Information Security Corporation Voice: 708-445-1704
1011 W. Lake Street, Suite 212 Fax: 708-455-9705
Oak Park, IL 60301 WWW: http://www.infoseccorp.com