This is the code I used to test the signing mechanism:
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>
#include <openssl/objects.h>
#include <openssl/rsa.h>
#include <openssl/sha.h>
#include <pkcs11-helper-1.0/pkcs11h-openssl.h>
using namespace std;

// base64_decode_block() and base64_encode() are my own helpers (not shown here)

void sign_test(const pkcs11h_certificate_t cert)
{
    string hash = "67Vz7or3fAge1eo0ahO/S1YiCmo="; // test base64-encoded SHA-1 hash value
    unsigned char* sha1_data2 = (unsigned char*)malloc(4096);
    base64_decode_block(hash.c_str(), strlen(hash.c_str()), (char*)sha1_data2);
    unsigned char* blob;

    //---------- Belongs to methods 2, 3 and 4 ---------------
    pkcs11h_openssl_session_t session = pkcs11h_openssl_createSession(cert);
    RSA* rsa = pkcs11h_openssl_session_getRSA(session);
    blob = (unsigned char*)malloc(RSA_size(rsa));

    //---------- Method 4 ---------------
    unsigned int blobRsaSize;
    // RSA_sign/RSA_verify take the NID of the digest itself (NID_sha1), which selects
    // the DigestInfo OID; NID_sha1WithRSA embeds the wrong OID.  The length is the
    // 20-byte digest (SHA_DIGEST_LENGTH); sizeof(sha1_data2) was the size of the pointer.
    int ok = RSA_sign(NID_sha1, sha1_data2, SHA_DIGEST_LENGTH, blob, &blobRsaSize, rsa);
    int verifyOK = RSA_verify(NID_sha1, sha1_data2, SHA_DIGEST_LENGTH, blob, blobRsaSize, rsa);

    string result = "";
    if (ok == 1 && verifyOK == 1) {
        result = base64_encode(blob, blobRsaSize);
    }
    cout << "Gesignde data: " << result << endl;

    pkcs11h_openssl_freeSession(session);
    free(blob);
    free(sha1_data2);
}

David,

When I sign the same hash with the same certificate I should get the same signature. That sounds pretty logical to me. The company I'm doing this project for also told me that I should get the same result as the one CryptSignHash gives me; that's why I'm trying to get two identical results.

The PKCS#1 signature generated by RSA_sign is to be used for XML signing. I passed the resulting signature (base64 encoded) to the component (created by the company) that signs an XML document, but when I validate the signed XML using the same component, it says the signature is not valid, so it's definitely a wrong result.

RSA_sign creates a signature according to PKCS #1 v2.0. CryptSignHash uses PKCS #1 v1.5. That's what I've been told, but I don't know more about this.

David Schwartz wrote:
>
>
>> After lots and lots of testing, trying and debugging I still haven't managed
>> to get the same results from RSA_sign and CryptSignHash.
>> I've discovered a problem with the base64 decoding function I use to decode
>> the hash I want to sign, so now I get a different signature from RSA_sign
>> but it's still not the same as CryptSignHash. I've tried reversing the byte
>> order with all methods described above but nothing gave me the same result.
>
> Umm, what do you mean by "same result"? No two signatures should ever be
> identical. That doesn't mean they can't both be valid.
>
>> I'm pretty desperate about finding the solution, could someone who has
>> tried this before please post the code where RSA_sign gives the same result
>> as CryptSignHash after signing the same hash with the same certificate? I'd
>> be really grateful.
>
> You are operating under an incorrect assumption that there is a one-to-one
> correspondence between pairs of data/key and signatures. This is completely
> false. There are a very large number of valid signatures for any given
> data/key pair.
>
> DS
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>

--
View this message in context: http://www.nabble.com/Difference-between-RSA_sign-and-CryptSignHash-signature-tp22575898p22782920.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
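The question the thread turns on (whether signing one hash with one key twice gives the same bytes, and why the two APIs disagree) can be checked directly. What follows is an added example, not the poster's code and not code from OpenSSL, pkcs11-helper or CryptoAPI; it uses Go's standard library as a stand-in for RSA_sign/RSA_verify. PKCS#1 v1.5 signing is deterministic, and the example shows this by signing one SHA-1 digest twice with the same key and comparing the bytes. It then verifies a byte-reversed copy of the signature, which is what a little-endian CryptoAPI output looks like to OpenSSL, and recovers the padded block from a signature so the DigestInfo OID and the 20-byte digest controlled by the NID and length arguments are visible. The key, the message and all function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
	"math/big"
)

// sha1DigestInfoPrefix is the DER-encoded DigestInfo header for SHA-1
// (OID 1.3.14.3.2.26) that precedes the 20-byte digest inside an
// EMSA-PKCS1-v1_5 block. RSA_sign(NID_sha1, ...) and CryptSignHash on a
// CALG_SHA1 hash both wrap the digest in this structure; RSA_sign with
// NID_sha1WithRSA would embed a different OID and so a different block.
var sha1DigestInfoPrefix = []byte{
	0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
	0x05, 0x00, 0x04, 0x14,
}

// reverseBytes returns a reversed copy of b. CryptoAPI hands back the
// signature little-endian while OpenSSL works big-endian, so one side
// must be reversed before the two outputs can be compared or verified.
func reverseBytes(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[len(b)-1-i] = v
	}
	return out
}

// SignSHA1Digest produces the PKCS#1 v1.5 signature of a precomputed SHA-1
// digest, the same operation as RSA_sign(NID_sha1, digest, 20, ...). The
// length check guards against passing sizeof(pointer) instead of 20.
func SignSHA1Digest(key *rsa.PrivateKey, digest []byte) ([]byte, error) {
	if len(digest) != sha1.Size {
		return nil, fmt.Errorf("want a %d-byte SHA-1 digest, got %d bytes", sha1.Size, len(digest))
	}
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest)
}

// VerifySHA1Digest mirrors RSA_verify(NID_sha1, ...).
func VerifySHA1Digest(pub *rsa.PublicKey, digest, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest, sig) == nil
}

// RecoverEncodedMessage applies the public operation sig^e mod n and returns
// the modulus-sized EMSA-PKCS1-v1_5 block (00 01 FF..FF 00 DigestInfo digest),
// which makes visible what the NID and length arguments actually control.
func RecoverEncodedMessage(pub *rsa.PublicKey, sig []byte) []byte {
	s := new(big.Int).SetBytes(sig)
	m := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N)
	out := make([]byte, pub.Size())
	m.FillBytes(out)
	return out
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key
	if err != nil {
		panic(err)
	}
	digest := sha1.Sum([]byte("constructed test message"))

	sig1, _ := SignSHA1Digest(key, digest[:])
	sig2, _ := SignSHA1Digest(key, digest[:])
	fmt.Println("same key + same digest gives identical signature:", bytes.Equal(sig1, sig2))
	fmt.Println("big-endian signature verifies:", VerifySHA1Digest(&key.PublicKey, digest[:], sig1))

	le := reverseBytes(sig1) // a CryptoAPI-style little-endian copy of the same signature
	fmt.Println("little-endian copy verifies:", VerifySHA1Digest(&key.PublicKey, digest[:], le))
	fmt.Println("reversed back verifies:", VerifySHA1Digest(&key.PublicKey, digest[:], reverseBytes(le)))

	em := RecoverEncodedMessage(&key.PublicKey, sig1)
	tail := append(append([]byte{}, sha1DigestInfoPrefix...), digest[:]...)
	fmt.Println("block starts 00 01 and ends with DigestInfo||digest:",
		em[0] == 0x00 && em[1] == 0x01 && bytes.HasSuffix(em, tail))
}
```

The recovered block is the thing to compare when two implementations disagree: if the bytes after the 00 separator differ, the digest OID or the digest length was wrong on one side; if the blocks match but the signatures do not, the remaining difference is byte order.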