Re: How to make PKCS#7 signature using CryptoAPI?
- From: maryzhang <maryzhang@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 12 Apr 2006 13:55:02 -0700
Mitch,
In fact, I only need to verify the client does have the private key by signing
some data sent from Server.
Do you think I can simply use CryptSignHash, and send the signed hash to
Linux Server and use "openssl dgst -verify pubkey -md5 -signature
signed-hash"? Do I need to convert the format of the signed-hash for openssl?
Thank you very much!
Mary
"Miltch Gallant" wrote:
I'm sure the OpenSSL Crypto lib supports pkcs7 in there somewhere..
I haven't used it personally. I don't think the openssl tool itself can
do this though. Maybe someone can correct me.
- Mitch
"maryzhang" <maryzhang@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EDCA585E-EBCF-4AEB-89E0-DE3650123BD9@xxxxxxxxxxxxxxxx
Mitch,
Can openssl extract the pkcs1 signature from the pkcs7 signed msg?
I've the signed msg on Linux already, want to try it out ASAP.
Thanks a lot!
Mary
"Mitch Gallant" wrote:
The OpenSSL command like you use takes a pkcs1.5 signature (i.e. the raw encrypted hash),
not a CMS / pkcs #7 signed message as you create with CryptSignMessage.
You can extract the pkcs1 signature from your capi CMS signedmessage blob using:
CryptMsgGetParam() with CMSG_ENCRYPTED_DIGEST.
- Mitch
"maryzhang" <maryzhang@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5AFE3E47-799D-4188-BD67-CFD8E1ED4A9C@xxxxxxxxxxxxxxxx
Hi, Mitch
I used CryptSignMessage to create a signature and can verify it successfully with
CryptVerifyMessageSignature OR CryptVerifyDetachedMessageSignature. However,
I need to send the signature to a Linux box and use openssl to verify it. I used
"openssl dgst -md5 -verify pubkey -signature signed-msg orig-msg", but the
verification always fails. Do you have any idea or clue about what's wrong?
For CryptSignMessage, I used RSA_MD5 for hash, the default format of
signature is DER? How can I get PEM(b64) format directly? What's the expected
format for openssl?
Thank you very much in advance!
Mary
"Mitch Gallant" wrote:
In CryptoAPI, you can use the "Simplified" message functions to automatically
take care of generating the hash. You provide data buffer, set a few struct
members and then invoke the fns:
http://windowssdk.msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/example_c_program_signing_a_message_and_verifying_a_message_signature.asp
Procedure is described schematically here:
http://windowssdk.msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/procedure_for_signing_data.asp
You could use lower-level capi functions, but better to use simplified functions unless
you really need some capability not provided in simplified fns.
General info on CryptoAPI and pkcs #7:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/pkcs__7_concepts.asp
- Mitch Gallant
<deadlock@xxxxxxxx> wrote in message news:1144048997.067714.144680@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
So how can I create PKCS#7 signature signing a hash?
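
The extraction Mitch describes with CryptMsgGetParam() can also be done on the receiving side. As an added example (not part of the original thread), this Python code walks a DER-encoded PKCS#7 SignedData and returns the first signer's encryptedDigest, which is the PKCS#1 v1.5 signature block. The function names and the sample blob are constructed for illustration, and the parser assumes DER input with single-byte tags.

```python
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("indefinite or oversized length, not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """Parse the elements packed back to back inside a constructed value."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def extract_encrypted_digest(p7):
    """Return (encryptedDigest bytes, has_auth_attrs) for the first SignerInfo."""
    tag, vs, ve = read_tlv(p7, 0)                          # ContentInfo SEQUENCE
    oid, wrapper = children(p7, vs, ve)[:2]                # contentType, [0] content
    if tag != 0x30 or p7[oid[1]:oid[2]] != SIGNED_DATA_OID or wrapper[0] != 0xA0:
        raise ValueError("not a DER PKCS#7 SignedData ContentInfo")
    signed_data = children(p7, wrapper[1], wrapper[2])[0]
    signer_infos = children(p7, signed_data[1], signed_data[2])[-1]  # last field
    if signer_infos[0] != 0x31:
        raise ValueError("signerInfos SET not found")
    signer = children(p7, signer_infos[1], signer_infos[2])[0]
    fields = children(p7, signer[1], signer[2])
    digest = next(f for f in fields if f[0] == 0x04)       # only top-level OCTET STRING
    return p7[digest[1]:digest[2]], any(f[0] == 0xA0 for f in fields)

def der(tag, *parts):  # DER encoder, used only to build the constructed sample below
    body = b"".join(parts)
    k = (len(body).bit_length() + 7) // 8
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | k]) + len(body).to_bytes(k, "big")
    return bytes([tag]) + size + body

# Constructed sample, not a real signature: skeletal SignedData with a 128-byte digest.
SAMPLE_SIG = bytes(range(128))
ALG = der(0x30, der(0x06, b"\x2a"), der(0x05))             # placeholder AlgorithmIdentifier
SIGNER = der(0x30, der(0x02, b"\x01"), der(0x30), ALG, ALG, der(0x04, SAMPLE_SIG))
SAMPLE_P7 = der(0x30, der(0x06, SIGNED_DATA_OID), der(0xA0, der(0x30,
    der(0x02, b"\x01"), der(0x31, ALG), der(0x30, der(0x06, b"\x2a")), der(0x31, SIGNER))))
```

The returned bytes can be written to a file and passed as the `-signature` argument of `openssl dgst -verify`. When the second value is True, PKCS#7 computes the signature over the DER-encoded authenticated attributes instead of the message itself, so checking it directly against `orig-msg` will not succeed.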