Thanks Tim, it works as expected.


On 6/5/10 2:20 AM, "Tim Hudson" <t...@cryptsoft.com> wrote:

> On 5/06/2010 12:56 AM, Fares Gianluca wrote:
>> Hi all,
>> I'm trying to figure out why my X509_REQ signature is always not verified.
>> I'm using openssl-1.0.0 and gclib.dll provided by gemalto.
> 
> It is helpful to actually provide a complete working example rather than just
> a subset. However in this case the simple fix to the code is to pass in the
> correct information to C_Sign:
> 
> just change:
> if ((rv = (C_Sign(hSession, m, m_len, buf_out, &outl))) != CKR_OK) {
> to the following:
> if ((rv = (C_Sign(hSession, p, inl, buf_out, &outl))) != CKR_OK) {
> 
> You can remove the manual digest calls in the block before that as they are
> not required.
> 
> Basically the C_Sign operation wants the whole data passed to it (the request)
> and not a pre-calculated digest.
> 
> After doing that the code will work on devices where that template is
> accepted.
> Generally you require additional information in the template when creating
> keys making it clear which of the various operations are permitted.
> 
> http://www.cryptsoft.com/pkcs11doc/v220/ contains the documentation for the
> current version of the PKCS#11 standard which also helps when working with
> various vendor devices.
> 
> The "bad signature" is a rather accurate and precise error return - you were
> presenting a signature for different data (a digest) for verification against
> the request.
> 
> Tim.
> 
> 


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
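
Added example, not code from the thread: a Python model of why the digest-based call produced a "bad signature", assuming the mechanism in use hashes its input before signing (SHA-1 with PKCS#1 v1.5, as in CKM_SHA1_RSA_PKCS). The key, the `request` bytes and the helper names `token_sign` and `verify` are constructed for illustration.

```python
import hashlib

# Constructed demo key built from two Mersenne primes (illustration only).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DER prefix of the SHA-1 DigestInfo used by PKCS#1 v1.5 signatures.
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def _encode(digest: bytes) -> int:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo(digest)."""
    t = SHA1_PREFIX + digest
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def token_sign(data: bytes) -> bytes:
    """Model of C_Sign under a hash-and-sign mechanism (assumption):
    the token hashes whatever it is given, then signs that hash."""
    return pow(_encode(hashlib.sha1(data).digest()), D, N).to_bytes(K, "big")


def verify(data: bytes, sig: bytes) -> bool:
    """Model of the request verifier: hash the data, compare encodings."""
    recovered = pow(int.from_bytes(sig, "big"), E, N)
    return recovered == _encode(hashlib.sha1(data).digest())


# Constructed stand-in for the encoded request (p, inl in the thread).
request = b"constructed certificate request info bytes"
digest = hashlib.sha1(request).digest()   # the manual digest (m, m_len)

sig_from_digest = token_sign(digest)      # C_Sign(hSession, m, m_len, ...)
sig_from_data = token_sign(request)       # C_Sign(hSession, p, inl, ...)

if __name__ == "__main__":
    print("signed whole request, verifies:", verify(request, sig_from_data))
    print("signed digest, verifies:       ", verify(request, sig_from_digest))
    print("digest signature vs. digest:   ", verify(digest, sig_from_digest))
```

The signature made from the pre-computed digest is a valid signature, but over the digest bytes rather than the request, which is why verification against the request fails.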
