Thanks TIM, it works as expected.
On 6/5/10 2:20 AM, Tim Hudson t...@cryptsoft.com wrote:
On 5/06/2010 12:56 AM, Fares Gianluca wrote:
Hi all,
I'm trying to figure out why my X509_REQ signature is always not verified.
I'm using openssl-1.0.0 and gclib.dll provided by Gemalto.
It is helpful to actually provide a complete working example rather than just a subset.
However in this case the simple fix to the code is to pass in the correct information to C_Sign:
just change:
if ((rv = (C_Sign(hSession, m, m_len, buf_out, outl))) != CKR_OK) {
to the following:
if ((rv = (C_Sign(hSession, p, inl, buf_out, outl))) != CKR_OK) {
You can remove the manual digest calls in the block before that as they are not required.
Basically the C_Sign operation wants the whole data passed to it (the request)
and not a pre-calculated digest.
After doing that the code will work on devices where that template is
accepted.
Generally you require additional information in the template when creating keys
making it clear which of the various operations are permitted.
http://www.cryptsoft.com/pkcs11doc/v220/ contains the documentation for the
current version of the PKCS#11 standard which also helps when working with
various vendor devices.
The bad signature is a rather accurate and precise error return - you were
presenting a signature for different data (a digest) for verification against
the request.
Tim.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
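
The failure discussed in this thread, as an added example that is not part of the original messages or of the poster's code: a small Python model of a hash-and-sign mechanism, showing that a pre-computed digest handed to the signer yields a signature over SHA1(SHA1(request)), which cannot verify against the request. Assumptions: the session uses a hash-and-sign mechanism such as CKM_SHA1_RSA_PKCS (the thread does not name it), `token_sign` and `verify` are hypothetical stand-ins for C_Sign and the request verification, and the key and request bytes are constructed for the demonstration.

```python
import hashlib

# Constructed demo key from two well-known primes (trivially factorable, model only).
P, Q = 2**255 - 19, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DER prefix of the DigestInfo structure for SHA-1 (RFC 8017, section 9.2).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def emsa_pkcs1_v15(message: bytes) -> int:
    """Hash the message and build the block 00 01 FF..FF 00 DigestInfo."""
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def token_sign(data: bytes) -> int:
    """Hypothetical stand-in for C_Sign with a hash-and-sign mechanism:
    the token hashes whatever bytes it is given, then signs."""
    return pow(emsa_pkcs1_v15(data), D, N)

def verify(data: bytes, signature: int) -> bool:
    """Hypothetical stand-in for the verifier: hashes the data itself
    and compares with the block recovered from the signature."""
    return pow(signature, E, N) == emsa_pkcs1_v15(data)

def demo():
    request = b"constructed stand-in for the DER-encoded request info"
    digest = hashlib.sha1(request).digest()
    wrong = token_sign(digest)   # caller pre-hashed: token signs SHA1(SHA1(request))
    right = token_sign(request)  # caller passes the whole data, as in the fix
    # (digest-signature vs request, data-signature vs request, digest-signature vs digest)
    return verify(request, wrong), verify(request, right), verify(digest, wrong)

if __name__ == "__main__":
    print(demo())
```

The third result shows the "wrong" signature is itself well formed: it verifies against the digest bytes, which is why the error surfaces only as a bad signature on the request.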