[xmlsec] Troubles using XMLSec with Smart Cards

Aleksey Sanin aleksey at aleksey.com
Wed Jul 23 13:48:23 PDT 2003

When you are calculating RSA signature usualy you RSA encrypt
not the plain SHA1 digest (20 bytes) but some additional
data too. For example, the XMLDSig spec [1] says that for XMLDSig
the  RSA signature should be calculated as follows (this is
called PKCS1_v1_5 format btw):

where CRYPT means RSA encryption and DIGEST is the 20 bytes
SHA1 digest. The total size of encrypted data should match
the RSA key size.

In xmlsec-openssl case (I am guessing that you are using it from
the RSA_private_encrypt function name :) ), all the "wrapping" is
done by openssl. It knows about PKCS 1.5 RSA signatures and xmlsec
simply calls an openssl function and says "do it for me".

I am not sure about the details about your particular crypto device
integration with OpenSSL. I would guess that there are 2 possible
    1) Your crypto device also knows about PKCS-1.5 RSA signatures
    and can produce desired signature format from 20 bytes digest.
    Then it seems like there is a bug in OpenSSL driver for your
    crypto device. The code should not call "encrypt" method but
    rather call the native crypto device "sign" method.
    2) Your crypto device only can do 20 bytes RSA encryption.
    Well, you probably out of luck. I don't think you can do something
    about that.


[1] http://www.w3.org/TR/xmldsig-core/#sec-SignatureAlg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20030723/608a9b9c/attachment.htm

More information about the xmlsec mailing list