Thanks TIM, it works as expected.
On 6/5/10 2:20 AM, "Tim Hudson" <t...@cryptsoft.com> wrote:

> On 5/06/2010 12:56 AM, Fares Gianluca wrote:
>> Hi all,
>> I'm trying to figure out why my X509_REQ signature is always not verified.
>> I'm using openssl-1.0.0 and gclib.dll provided by gemalto.
>
> It is helpful to actually provide a complete working example rather than just
> a subset. However in this case the simple fix to the code is to pass in the
> correct information to C_Sign:
>
> just change:
>     if ((rv = (C_Sign(hSession, m, m_len, buf_out, &outl))) != CKR_OK) {
> to the following:
>     if ((rv = (C_Sign(hSession, p, inl, buf_out, &outl))) != CKR_OK) {
>
> You can remove the manual digest calls in the block before that as they are
> not required.
>
> Basically the C_Sign operation wants the whole data passed to it (the request)
> and not a pre-calculated digest.
>
> After doing that the code will work on devices where that template is
> accepted. Generally you require additional information in the template when
> creating keys making it clear which of the various operations are permitted.
>
> http://www.cryptsoft.com/pkcs11doc/v220/ contains the documentation for the
> current version of the PKCS#11 standard which also helps when working with
> various vendor devices.
>
> The "bad signature" is a rather accurate and precise error return - you were
> presenting a signature for different data (a digest) for verification against
> the request.
>
> Tim.
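The failure described in the quoted reply, modelled as an added example (not code from this thread or from either poster): a hash-and-sign operation hashes whatever it is given, so handing it a pre-calculated digest produces a signature over the hash of the digest, which cannot verify against the request. Assumptions: the token mechanism behaves like CKM_SHA256_RSA_PKCS, the key is a constructed and insecure demo key, and plain Python functions stand in for the PKCS#11 and OpenSSL calls.

```python
import hashlib

# Constructed demo key (NOT secure): two Mersenne primes, chosen so the
# example needs no key generation and no third-party library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DER prefix of the SHA-256 DigestInfo structure (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(data: bytes) -> int:
    """Hash `data` and build the block 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def token_sign(data: bytes) -> int:
    """Model of a hash-and-sign C_Sign: the token hashes its input itself."""
    return pow(emsa_pkcs1_v15(data), D, N)


def verify(data: bytes, sig: int) -> bool:
    """Model of the verifier: hash the request, compare the encodings."""
    return pow(sig, E, N) == emsa_pkcs1_v15(data)


def demo():
    # Constructed stand-in for the DER-encoded request data (p, inl).
    request = b"constructed stand-in for the encoded certificate request"
    digest = hashlib.sha256(request).digest()  # the manual digest (m, m_len)
    wrong = token_sign(digest)    # like C_Sign(hSession, m, m_len, ...)
    right = token_sign(request)   # like C_Sign(hSession, p, inl, ...)
    return verify(request, wrong), verify(request, right)


if __name__ == "__main__":
    print(demo())
```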