> From: owner-openssl-us...@openssl.org On Behalf Of Rui Francisco
> Sent: Monday, 20 December, 2010 10:07

(Also on -dev, answering -users only, this is not a -dev question.)

> I'm trying to implement the following code to substitute the
> following openssl command
>
> openssl dgst -sha1 -sign myKey.pem something.txt | openssl enc -base64
>
> I'm using Delphi and the OpenSSL lib developed by Marco Ferrante
> (http://www.disi.unige.it/person/FerranteM/delphiopenssl/)
>
> The code is producing the hash
> '6676627A363352673862555A4D69464432376969'
>
> instead of
>
> Am1K5+CP4LDNVDZYvcLYGpnu8/1b+WWkzgoe8sbZhvk6QFzFvNN77Zsq+cHNm5
> 2jCVSEDgWL
> Am1K5+GHgPS1wcT8ZG7w6KgVq+2/VgOU+xKNt0lcC3gouyarZvcZpZclIReDgL
> h6m3nv8DYY
> Am1K5+HKAOQc+eCi/BQ4LqUnuJrca+7emgb/kpU=
>

Aside: is that correct? Could you have miscopied that, or could it have been corrupted somewhere? I find it *very* unlikely that the same 4+ bytes (~6 chars) recur at exactly 54-byte (72-char) intervals, giving a signature that is 137 bytes long. Also my Outlook broke the lines differently in quoting; perhaps this is just some kind of mail glitch?

> Does anybody have any suggestions on what I am doing wrong?
>
> Thank you
> Rui Francisco
>

Assuming Delphi is not materially different from Pascal and that the library/adapter doesn't do anything too silly:

> var
> mdLength, b64Length: integer;
> Len: cardinal;
> mdctx: EVP_MD_CTX;
> inbuf, outbuf: array [0..1023] of char;
> memout, b64: pBIO;
> mdValue: array [0..EVP_MAX_MD_SIZE] of byte;
>

If you really wanted a hash you only need MAX_MD_SIZE-1 (i.e. for N bytes numbered from 0 the highest is N-1), but as below you actually want a signature, not a hash. The size of a signature depends on your private key, and there is no absolute maximum, although for both RSA and DSA sizes over 4096 bits = 512 bytes are currently impractical and rarely if ever used, especially if you need/want to interoperate with other software. If you control the generation/issuance of the key(s) used here, you may have tighter bounds. But except for ECDSA, it will still be significantly larger than any plausible hash.

> key: pEVP_PKEY;
> msg : String;
> begin
> msg:='2010-05-18;2010-05-18T11:22:19;FAC 001/14;3.12; ';
> StrPCopy(inbuf, msg);
> InitOpenSSL;
> key:=ReadPrivateKey('private_key.txt','');
> EVP_DigestInit(@mdctx, EVP_sha1());

Why is this written with an empty arglist () when the others aren't? I thought Pascal always omits the unneeded ().

> EVP_DigestUpdate(@mdctx, @inbuf, StrLen(inbuf));
> EVP_DigestFinal(@mdctx, @outbuf, Len);
>

This ignores the key and does a hash, not a signature. Use the EVP_Sign* routines instead.

>
> b64 := BIO_new(BIO_f_base64);
> memout := BIO_new(BIO_s_mem);
> b64 := BIO_push(b64, memout);
> BIO_write(b64, @outbuf, Len);
> BIO_flush(b64);
> b64Length := BIO_read(memout, @outbuf, 1024);
> outbuf[b64Length-1] := #0;
>

This will clobber the last newline (linebreak) in the base64-ed data but not the earlier ones. That's a very unusual and rather confusing format.

> FreeOpenSSL;
>
> BinToHex(outbuf, inbuf,Len);
> inbuf[2*Len]:=#0;
> result:= StrPas(inbuf);

Assuming that converts binary outbuf to hex inbuf, that's a very odd thing to do, and certainly not what your reference openssl commands above do. The whole point of base64 is that it is printable, so converting it further to hex makes no sense. And the length of the base64-ed data in outbuf is b64Length or b64Length-1 (depending), NOT Len (which is very different); read your own code. Your (sample) output does look like the hex of some base64 value truncated to 20 chars (though not one I can reproduce from your data).

Finally, I see no error checking in your code. Unless the adapter and/or Delphi handles this for you, you should check and do at least minimal reporting; if something ever does go wrong, it's much better to catch it as close to the point of the problem as possible.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
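The reference pipeline from the post, as an added shell example (not code from the thread, from the Delphi library, or from the OpenSSL project): it generates a throwaway key, signs the quoted message, base64-encodes the result the way the reference command does, and verifies the round trip, contrasting the fixed 20-byte SHA-1 with the key-sized signature the reply describes. The 2048-bit RSA key and the file names are assumptions.

```shell
#!/bin/sh
# Added example: the reference command
#   openssl dgst -sha1 -sign myKey.pem something.txt | openssl enc -base64
# end to end, plus a bare hash for comparison. Key size and names assumed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed inputs: a throwaway 2048-bit RSA key and the message from the post.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/myKey.pem" 2>/dev/null
printf '%s' '2010-05-18;2010-05-18T11:22:19;FAC 001/14;3.12; ' \
    > "$WORK/something.txt"

# Bare SHA-1 (what EVP_Digest* produces): always 20 bytes, the key is ignored.
hash_len() {
    openssl dgst -sha1 -binary "$WORK/something.txt" | wc -c | tr -d ' '
}

# RSA signature over SHA-1 (what EVP_Sign* produces): modulus-sized, 256 bytes here.
sig_len() {
    openssl dgst -sha1 -sign "$WORK/myKey.pem" "$WORK/something.txt" \
        | wc -c | tr -d ' '
}

# The reference pipeline: printable base64, wrapped by openssl at 64 chars per line
# (48 raw bytes per line), so no further hex conversion is needed or wanted.
sign_b64() {
    openssl dgst -sha1 -sign "$WORK/myKey.pem" "$WORK/something.txt" \
        | openssl enc -base64
}

# Round trip: decode the base64 text again and verify it against the public key.
# Prints "Verified OK" on success.
verify_b64() {
    openssl pkey -in "$WORK/myKey.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
    sign_b64 | openssl enc -base64 -d > "$WORK/sig.bin"
    openssl dgst -sha1 -verify "$WORK/pub.pem" -signature "$WORK/sig.bin" \
        "$WORK/something.txt"
}

# Stand-alone run: show the base64 signature and the verification result.
sign_b64
verify_b64
```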