- From: Brian LaMacchia <bal@microsoft.com>
- Date: Mon, 16 Apr 2001 09:36:16 -0700
- To: "??" <harada@prs.cs.fujitsu.co.jp>
- Cc: <w3c-ietf-xmldsig@w3.org>
You probably have a byte-ordering problem -- the bignums exported by
CryptoAPI are in little-endian format, and I bet your Java APIs require
the integers in big-endian format. You likely need to reverse the r and
s values of the DSA signature before feeding it to your Java routines.
Same for exported public key values.
--bal
-----Original Message-----
From: harada@prs.cs.fujitsu.co.jp [mailto:harada@prs.cs.fujitsu.co.jp]
Sent: Monday, April 16, 2001 6:04 AM
To: w3c-ietf-xmldsig@w3.org
Subject: MS crypto API and Java security API (KeyValue)
How do you do? I am a signature beginner.
I wonder whether I may ask the following question
in this mailing-list, but I hope some answer which
will solve it.
My question is :
How to convert a DSA key value byte array obtained
by Microsoft Cryprto API to a W3C DSAKeyValue?
I get a signature DSAKeyValue by MS Crypto API
such as CryptoExportKey and struct PUBLICKEYSTRUC,
DSSPUBKEY, and so on.
And I can verify a XML signature which is created
by MS crypto API as above, but I cannot verify it
by neither IBM xss4j nor our signature processor
on Java security API.
The MS crypto API SignatureValue byte array's size is 40,
and it seems to be right size of SignatureValue.
So I think I need to convert the DSAKeyValue array.
In xss4j, I try to verify the signature below and get
java.lang.ArithmeticException: BigInteger not invertible.
at java.math.MutableBigInteger.mutableModInverse(Unknown Source)
at java.math.BigInteger.modInverse(Unknown Source)
at sun.security.provider.DSA.generateW(Unknown Source)
at sun.security.provider.DSA.engineVerify(Unknown Source)
at java.security.Signature.verify(Unknown Source)
at
com.ibm.xml.dsig.SignatureMethod$SignatureMethodImpl.verify(Unknown S
ource)
Are there anybody who tried signing in MS crypto API
and verifing in Java2 security API?
P.S.
My other questions are
- Certificates got by MS crypto API are many many
certificates and seems not to have the user's
self-signed certificate.So XML signature by
MS crypto API should have no X509Certificate data
in default state. Is it right?
- At my glance on GPKI (the Japanese Government Public
Key Infrastructure), I recognized each certificate
of trust chain has a CRL.
How should I represent each CRL for each certificate?
[XML signature created by using MS crypto API]
<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2000/CR-xml-c14n-20001026"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<Reference URI="file:///G:\src\dom\signature\tool\xmlsig\test.txt">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>h6zsF82dzSCnFsws9nQXtxyKcBY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>KoknVleqm4cE6iN00FL5ZMXqKtlU//uNNZ3Gcvd9FuiOc0Nsuo97mg==
</SignatureValue>
<KeyInfo>
<KeyValue><DSAKeyValue><P>T3DaFZP7c9/myxbhU+Mk4j5g7hu+aiU3zEN90Hs2vQO3Z2
EibL0itC+G72+5cVZ+SefmVtwtyBds
zMnX9kSwquUelBwcmvsFyylZBcMMBwmNpXFjz7Ur1DFGO2XgryfVG5Ns1U6A/ULAACGCy67b
Y55b
XFVKrHw30J9X4U99eIA=</P><Q>PW3icYRgGmmCxDnyr2UdK9pDRtw=</Q><G>HQRf4wE4NV
ilsy5ekfv1vJvpjkRz2l9/FwimXtzUWKMPoaEmjPuNcfX/WJTvoxg13j+05j
+nls/z
9GCwaVojeY+5DIldGoRv/I91zlDPIxamHRBwA7GxYhM1xEbs4IgXJMqp7fiXz1K8pNzENDoo
9GCwaVojeY+KBL6
MRaq1u2SlQUgrnYGCoA=</G><Y>TaXw7JTXexkkhz26q5BSCjYiUDQBQCGOid/gPEaPCcRjk
6hJ7OdnjHiv5gHgebBCaDVSLR/dlDwf
hFBFRCecDrJ47EeO3XQ7hyr6Wt8ZpoxikRGRmNVrFYbytZ9/t3L2xFS5oUEBFVppzC4XItOU
bJ+I
drMfucs/69MGKmgeQHk=</Y></DSAKeyValue></KeyValue>
</KeyInfo></Signature>
Received on Monday, 16 April 2001 12:54:10 UTC