Re: HELP: VerifySignature
From: Tariq (Tariq_at_asd.com)
Date: 08/25/04
Date: Wed, 25 Aug 2004 12:36:09 +0500
I replied to you previously too; the problem may be reversing the bytes. Get
the signature from CAPI and reverse the bytes so that the first byte comes in
the last place, the 2nd in the 2nd last place, and so on and so forth. Try to
compare this value with the OpenSSL signature. Hope it will solve the issue.
Regards
Tariq
"Pablo J. Royo" <PabloJRoyo@discussions.microsoft.com> wrote in message
news:AE6435E5-7B86-403C-84CB-79B5BC4D2471@microsoft.com...
> I can't... Did you have to reverse the signature blobs or something?
>
> I can see that the encrypted digest retrieved with
> CryptMsgGetParam(hMsg,CMSG_ENCRYPTED_DIGEST) is exactly the same OpenSSL
> produces, and I can verify the signature in OpenSSL. I sign a simple buffer
> "0123456789" so I'm sure the plain text is ok.
>
> I sincerely appreciate your interest.
>
> "Param" wrote:
>
> > I could verify the OpenSSL generated sig with the same function.
> > Your original data could be different (you need to check binary or plain
> > text kind of things)
> >
> > "Pablo J. Royo" wrote:
> >
> > > Hi:
> > >
> > > Thanks again for your response.
> > > So, the buffers are the plain text to check. I have managed to verify a
> > > detached signature created by CryptoAPI using this
> > > CryptVerifyDetachedMessageSignature() function, but OpenSSL and Java
> > > created signatures always give "hash value not correct", as other
> > > methods (see messages below) did.
> > >
> > > I suppose I must reverse the hash some way, but after these three
> > > methods of sign verification I don't know what more to test.
> > > Should I build a CryptoAPI pkcs7 with its reversed hash from the
> > > original, then use that to verify?...
> > >
> > > for(i=0;i<10;i++)
> > > puts("Thanks!!");
> > >
> > > Pablo
> > >
> > > "Param" wrote:
> > >
> > > > Here is a sample code...........
> > > > CRYPT_VERIFY_MESSAGE_PARA VerifyParams;//fill this structure
> > > > const BYTE *pbSignedMessageBlob = NULL;
> > > > const BYTE* MessageArray[]=
> > > > DWORD MessageSizeArray
> > > > CryptVerifyDetachedMessageSignature(
> > > > &VerifyParams, // Verify parameters
> > > > dwSignerIndex, // Signer index
> > > > pbSignedMessageBlob, // Pointer to signed blob
> > > > cbSignedMessageBlob, // Size of signed blob
> > > > 1, // Number of elements in the message array
> > > > MessageArray, // Message array
> > > > MessageSizeArray, // Array of sizes of messages
> > > > NULL); // Pointer to signer cert(not needed)
> > > >
> > > > // if not detached then verify the signature
> > > > CryptVerifyMessageSignature(
> > > > &VerifyParams, // Verify parameters
> > > > dwSignerIndex, // Signer index
> > > > pbSignedMessageBlob, // Pointer to signed blob
> > > > cbSignedMessageBlob, // Size of signed blob
> > > > NULL, // Buffer for decoded msg(Not needed)
> > > > NULL, // Size of buffer(Not needed)
> > > > NULL); // Pointer to signer cert
> > > >
> > > > "Pablo J. Royo" wrote:
> > > >
> > > > >
> > > > > Thank you very much for your help.
> > > > >
> > > > > CryptVerifyDetachedMessageSignature() was the first attempt I made,
> > > > > but it's a complex function to use. From its declaration I don't
> > > > > know what I should pass in the rgpbToBeSigned buffers: clear text so
> > > > > it can check the signature? The hash of the clear text?
> > > > > Do you know what the meaning of these parameters is?
> > > > >
> > > > > Thank you
> > > > >
> > > > > "Param" wrote:
> > > > >
> > > > > > Try this one . This should work.....
> > > > > > CryptMsgUpdate(...,TRUE)
> > > > > > //Check whether signature is a detached signature
> > > > > > CryptMsgGetParam(....,CMSG_CONTENT_PARAM,0,NULL,..);
> > > > > > CryptVerifyDetachedMessageSignature()
> > > > > >
> > > > > >
> > > > > > "Pablo J. Royo" wrote:
> > > > > >
> > > > > > > I posted this message days ago, with no answer, so I will try
> > > > > > > once more before leaving. Has anybody verified signatures
> > > > > > > generated with OpenSSL using CryptoAPI?
> > > > > > >
> > > > > > > In a few words: I tried to do this using
> > > > > > > CryptVerifyDetachedSignature() but I read I had to reverse the
> > > > > > > signature hash bytes, so I tried other ways because with that
> > > > > > > function I have no access to the hash, to reverse it.
> > > > > > >
> > > > > > > I have now two ways of verifying signatures:
> > > > > > >
> > > > > > > - using the CryptMsg functions to open the PKCS7, extract its
> > > > > > > signer certificate with CryptMsgGetParam(hMsg,CMSG_CERT_PARAM),
> > > > > > > update the message with the cleartext data and then verify the
> > > > > > > sign with
> > > > > > > CryptMsgControl(CMSG_CTRL_VERIFY_SIGNATURE,pSignerCertInfo).
> > > > > > > This always works OK for detached PKCS7 generated with CryptoAPI
> > > > > > >
> > > > > > > - The other way is to create a hash object with CryptCreateHash,
> > > > > > > supply the content with CryptHashData(), get the PKCS7 signature
> > > > > > > bytes with CryptMsgGetParam(CMSG_ENCRYPTED_DIGEST) and then
> > > > > > > verify with VerifySignature(signature). For this to work WITH
> > > > > > > CryptoAPI I MUST REVERSE the signature passed to this function.
> > > > > > > Do you know why?
> > > > > > >
> > > > > > > My goal is to verify OpenSSL detached signatures, and several
> > > > > > > persons told me I had to reverse the signature buffer to do
> > > > > > > this, but it doesn't work.
> > > > > > > Also, I can assure that the signature buffer obtained from PKCS7
> > > > > > > with CryptoAPI is EXACTLY the same that was created in OpenSSL,
> > > > > > > without reversing order.
> > > > > > > So, signature verification doesn't work in any order.
> > > > > > >
> > > > > > > I thought this would be easier (and I'm beginning to lose my
> > > > > > > hair), so any help would be appreciated.
> > > > > > >
> > > > > > > Thank you very much
> > > > > > >
> > > > > > >
> > > > > > >