
RE: Problem(s) verifying signed message with detached content



Tom,
 
The updated version of sm_free3_RSA.cpp solves the problem! Thanks for the heads up on the certificate path validation as well. This is the next task to work on... Thanks again for your help!
 
-Jon


From: Horvath, Tom (US SSA) [mailto:tom.horvath@xxxxxxxxxxxxxx]
Sent: Friday, May 18, 2007 1:52 PM
To: Rupe, Jonathan C UTCFS; imc-sfl@xxxxxxxx
Subject: RE: Problem(s) verifying signed message with detached content

Jon,

 

Here is a corrected version of smp/SMIME/alg_libs/sm_free3/sm_free3_RSA.cpp that supports RSA with SHA256 signature verification.  Give it a try and let me know if it solves your problem.

 

P.S. I just want to make sure that you know that certificate path validation does not occur when you create the CSM_MsgToVerify object the way you did.  If you did want the SFL to use the CML for path validation, then you have to call the constructor that takes the CML and ACL settings.  For more information see the API documents on the web at http://www.digitalnet.com/knowledge/smime.htm.

 

--Tom

 


From: Rupe, Jonathan C UTCFS [mailto:jrupe@xxxxxxxxx]
Sent: Thursday, May 17, 2007 11:58 AM
To: Horvath, Tom (US SSA); imc-sfl@xxxxxxxx
Subject: RE: Problem(s) verifying signed message with detached content

 

Tom,

 

Thank you very much for your quick response! I added the code for SHA256 and this fixed the first problem as you said. Thanks for looking into the second problem as well. I appreciate your help!

 

-Jon

 


From: Horvath, Tom (US SSA) [mailto:tom.horvath@xxxxxxxxxxxxxx]
Sent: Thursday, May 17, 2007 11:24 AM
To: Rupe, Jonathan C UTCFS; imc-sfl@xxxxxxxx
Subject: RE: Problem(s) verifying signed message with detached content

Jon,

 

Your usage of the SFL looks appropriate; you have just found one bug, and I am not sure yet about the second problem.

The first problem you reported, "encapsulated content digest != message digest attribute", happens because the SHA-256 message digest reference algorithm that we use does not return the digest in platform-independent endianness, so the digest comparison fails.  The first problem was easy to fix: simply add the following code at line 4674 of smp/SMIME/alg_libs/sm_free3/sm_free3.cpp:

 

      }
      else if (oidDigest == SNACC::id_SHA256 ||
               oidDigest == SNACC::id_ecdsa_with_SHA256)
      {
            bool bLastBlock = false; // set to true when this is the last block
            CryptoPP::SHA256 sha256;

            int bytesProcessed=0;
            int loop = pData->Length() / sha256.DigestSize();

            SME(pData->Open(SM_FOPEN_READ));
            while (!bLastBlock)
            {
                  SME(pchData = pData->nRead(sha256.DigestSize(), (SM_SIZE_T&)lBytesRead));
                  if ((lBytesRead != sha256.DigestSize()) || (pchData == NULL))
                        bLastBlock = true;
                  sha256.Update((const unsigned char *)pchData, lBytesRead);
            }

            CryptoPP::SecByteBlock digest(sha256.DigestSize());
            sha256.Final(digest);

            SME(pDigest->Open(SM_FOPEN_WRITE)); // open the digest buffer
            SME(pDigest->Write((char *)digest.data(), digest.m_size));
            status = 0;
      }

 

If you do this then the SFL Free 3 CTIL will use crypto++ SHA-256 message digest algorithm which works correctly and returns the digest in the correct endianness.

 

I am still looking into the second problem and will get back to you shortly.

 

--Tom
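
The digest-endianness failure described in the message above, as an added example that is not part of the original post and is not SFL or Crypto++ code. It assumes the defect is a host-order copy of the SHA-256 state words (the post does not say exactly how the reference code goes wrong); all function names are hypothetical, and the state words are the standard SHA-256 test vector for "abc".

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

using Digest = std::array<std::uint8_t, 32>;

// Final SHA-256 state words H0..H7 for the input "abc" (standard test vector).
static const std::uint32_t kStateAbc[8] = {
    0xba7816bfu, 0x8f01cfeau, 0x414140deu, 0x5dae2223u,
    0xb00361a3u, 0x96177a9cu, 0xb410ff61u, 0xf20015adu};

// Correct: SHA-256 defines the digest as the state words written big-endian.
Digest serialize_portable(const std::uint32_t h[8]) {
    Digest out{};
    for (int i = 0; i < 8; ++i)
        for (int b = 0; b < 4; ++b)
            out[4 * i + b] = static_cast<std::uint8_t>(h[i] >> (24 - 8 * b));
    return out;
}

// Assumed defect: copy the words as laid out in memory, so output depends on the host.
Digest serialize_host_order(const std::uint32_t h[8]) {
    Digest out{};
    std::memcpy(out.data(), h, out.size());
    return out;
}

bool host_is_little_endian() {
    const std::uint32_t one = 1;
    std::uint8_t first = 0;
    std::memcpy(&first, &one, 1);
    return first == 1;
}

// Stand-in for the messageDigest attribute check: computed digest vs. signed digest.
bool digest_matches(const Digest& computed, const Digest& attribute) {
    std::uint8_t diff = 0;
    for (std::size_t i = 0; i < computed.size(); ++i)
        diff = static_cast<std::uint8_t>(diff | (computed[i] ^ attribute[i]));
    return diff == 0;
}

int main() {
    const Digest attribute = serialize_portable(kStateAbc);  // what a conforming signer stores
    std::printf("portable:   %s\n", digest_matches(serialize_portable(kStateAbc), attribute) ? "match" : "MISMATCH");
    std::printf("host order: %s\n", digest_matches(serialize_host_order(kStateAbc), attribute) ? "match" : "MISMATCH");
    return 0;
}
```

On a little-endian host the host-order digest fails the comparison even though the content is unmodified, which is the symptom reported as "encapsulated content digest != message digest attribute".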

 


From: owner-imc-sfl@xxxxxxxxxxxx [mailto:owner-imc-sfl@xxxxxxxxxxxx] On Behalf Of Rupe, Jonathan C UTCFS
Sent: Wednesday, May 16, 2007 11:47 AM
To: imc-sfl@xxxxxxxx
Subject: Problem(s) verifying signed message with detached content

 

I am having a problem (or two) verifying a signed message that has detached content. I am getting the error "encapsulated content digest != message digest attribute". However, I have been able to successfully verify the message with another API (that I cannot use). If I skip past where this exception is thrown (in sm_msgsignerinfo.cpp) I also get the following error: "RSA OID Unknown or Not Handled Yet!" The hashing algorithm is SHA-256 and signature algorithm is RSA. Is this supported?  Below is my code and attached are the sample files.

I'm new with all this stuff so any help (especially sample code :)) will be greatly appreciated!

Thanks!
Jon

 

CSM_AppLogin appLogin;
appLogin.AddLogin(CTIL_FILE_NAME, NULL);

CSM_Buffer contentInfoBuf("./CHUIDSig.bin");
CSM_Buffer* pSignedDataBuf = NULL;

CSM_ContentInfoMsg contentInfoMsg(&contentInfoBuf);
if (contentInfoMsg.IsSignedData())
{
        SM_RET_VAL retVal = 0;

        CSM_MsgToVerify msgToVerify; //(&contentInfoMsg);
                       
        pSignedDataBuf = new CSM_Buffer(contentInfoMsg.AccessEncapContentClear()->m_content.Access(),
                                        contentInfoMsg.AccessEncapContentClear()->m_content.Length());
                       
        retVal = msgToVerify.PreProc(&appLogin, pSignedDataBuf);
        if( retVal != SM_NO_ERROR )
        {
                tcout <<_T("Failed to process verification message.") <<endl;
                return 1;
        }

        CSM_Buffer encapContent("./CHUIDData.bin");
        CSM_Content content(&encapContent);
        SNACC::AsnOid encapAsnOid = ID_PIV_CHUIDSECURITYOBJECT;
        msgToVerify.SetEncapContentClear(content);

        if( (retVal = msgToVerify.Verify(&appLogin)) == SM_NO_ERROR )
        {
                tcout <<_T("Verification passed!") <<endl;
        }
        else
        {
                tcout <<_T("Failed signature verification.") <<endl;
        }
}
else
{
        tcout <<_T("Content doesn't contain SignedData") <<endl;
}

<<TestData.zip>>