[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: How to verify?

Step 5 is not appropriate.  If the signing certifcate is already contained
in the message, pre-proc has already loaded it into the appropriate place
for the verify functionality to process the public key.  The only
application interaction necessary in the verification is if the certificate
is not in the message; in this case it would be necessary to access the SID
from the SignerInfo(s) and lookup the certificate (from ldap, or local
storage???).  In this case, the certificate would have to be added to the
CSM_MsgToVerify certificate bucket before calling the Verify method.
The login certificate is only used to load the signer's certificate on
origination of a signed message.
Bob Colestock

-----Original Message-----
From: Erik Rissanen [mailto:Erik.Rissanen@xxxxxxx]
Sent: Thursday, March 22, 2001 6:56 AM
To: 'Colestock, Robert'; Erik Rissanen
Cc: imc-sfl@xxxxxxx
Subject: SV: How to verify?

Thank you for your reply.
So now I have a CSM_CSInst to use for the verification. But I still don't
understand how I should put the public key in it.
I assume that my application has to do as follows:
1) Instantiate a CSM_Applogin with the sm_free3 NULL login as descibed in
your reply.
2) Instantiate a CSM_MsgToVerify with my SMIME message and call PreProc().
3) Extract the signer certificate from the CSM_MsgToVerify
4) Validate the certificate (with CML).
5) Insert the certificate into the CSM_CSInst contained in the
6) Call CSM_MsgToVerify::Verify.
Is this correct and how do I perform step 5?
Regards, Erik

-----Ursprungligt meddelande-----
Från: Colestock, Robert [mailto:Robert.Colestock@xxxxxxxxxxxxxxxx]
Skickat: den 21 mars 2001 17:07
Till: Erik Rissanen
Kopia: imc-sfl@xxxxxxx
Ämne: RE: How to verify?

There were some problems with NULL logins, depending on your release.  The
original intent was that the application would use the same logins (always
present) for verification that are used for signing.  Since our original
design, our own uses of the library dictate that we many times generate a
login only when we need it.  You can use the CSM_CSInst with a private key
for verification.
As to the NULL logins, it should work fine in the newest version; for DSA
verification it is now built-in, you no longer need to use the Free3 CTIL
(assuming SHA1 and DSA).  You do not have to link directly, the BuildArgs
should be "sm_free3DLL NULL NULL NULL sm_FREE3" (it no longer needs a
certificate).  You should be able to copy the init logic from the
sm_free3.cpp/h files on your release.  I have included just these source
files.  Sorry about the confusion in our APIs, actual usage of the SFL
library is very different from our original design intentions causing undue
complexity.  Some issues are being corrected (like the NULL login with no
certificate, and the newest built-in instance for SHA1, SHA2, AES, and DSA
Bob Colestock

-----Original Message-----
From: Erik Rissanen [mailto:Erik.Rissanen@xxxxxxx]
Sent: Wednesday, March 21, 2001 10:07 AM
To: 'imc-sfl@xxxxxxx'
Subject: SFL: How to verify?

I am trying to use SFL to verify a signed SMIME message. The message has one
signerinfo with a security label and nothing  else. The signers PKC is
included in the SignerInfo.

I don't understand how to initialize the sm_free3 CTIL to use for
verification. I have successfully used SFL and sm_free3 to sign messages.
For signing I initialized a SM_Applogin with the sm_free3 DLL and a PKCS#12
file. The resulting CSM_CSInst is  associated with the private key and
signing works fine.

But having each CSM_CSInst instance to represent a private key doesn't make
sense for verify, since there is no associated private key for the
opperation. So how do I initialize a CSM_CSInst instance in this case? I
don't understand the API  documentation on this point.

The approach I have tried is to compile time link with the sm_free3 DLL and

CSM_CSInst *pInst = pSMIME->m_pCSInsts->AppendL(); 
CSM_Free3 *pFree3 = new CSM_Free3(); 
pFree3->AddLogin(certBuffer, NULL, NULL, "NULL"); 

Where certBuffer contains the certificate from the SMIME message SignerInfo.

This causes a crash in the destructor of a CSM_Buffer when
CSM_DataToVerify::Verify returns, so I guess I am doing something wrong. Is
the code above the correct approach?

Any help would be greatly appreciated. 

Regards, Erik Rissanen