I'm doing the digest exactly like you are. The CSSM_DATA structure I get
back from CSSM_SignData is 128 bytes. This seems to imply that it's
simply the encrypted hash of the data signed with a 1024 bit key. This
is not a valid PKCS #7 signature. One of my issues is that I don't know
exactly what's coming back from CSSM_DATA. How is it encoded, etc,
etc...

If you're getting a 128-byte signature off a 1024-bit key, it pretty much
*has* to be a raw number, doesn't it? There's no room for any encoding or
framing. :-)

I've got to be able to do various other things with my PKCS7 signature as
well. Such as including the data, signer cert, issuer cert, etc. in the
P7 signature. I could use the OpenSSL PKCS7_sign function, but I have to
be able to use smart cards. I run into the problem of making a CSSM_KEY
look like an EVP_PKEY. I don't even know if such a thing is possible.

I don't either. Probably. How long a rope have you got, and how long are
you planning to suffer? :-)

In Mac OS X parlance, PKCS7 is handled at the "CMS" layer, which sits on
top of the Sec* layer. In Tiger, CMS is in Security.framework but isn't yet
an official API. So to use it, you'd have to accept calling SPI, with the
associated support hassle this causes. (The CMS SPI *will* change before
it becomes an API. Trust me on that.) There may also be nicer, simpler APIs
for CMS in future releases. But those hypothetical APIs would be
Leopard-only. Pay attention at the WWDC where such things would be
discussed.

For Tiger, if you need to do CMS, it's probably better to hop on the CMS
SPI train (even if the ride's rough) rather than rolling your own
openssl-inspired hybrid. At least you have proof of functionality (since
Mail.app successfully signs and encrypts emails using it, even with smart
cards). These are the SecCMS* headers in Security.framework's
PrivateHeaders (which you'll have to pull from the Open Source CVS or get
from developer relations).

Cheers
-- perry

On 5/22/06, Paul Nelson <email@hidden> wrote:
I believe I use the signature directly from CSSM_SignData as a PKCS7
signature. I do a bunch of signing in my PKINIT implementation of the
Kerberos PKINIT draft standard.

How are you using the digest mode? I'm having CSSM_SignData return a
signed digest by using CSSM_ALGID_SHA1WithRSA for the algorithm, and
CSSM_ALGID_NONE for the digest algorithm.

Paul Nelson
Thursby Software Systems, Inc.

> From: Cole Barnes <email@hidden>
> Date: Mon, 22 May 2006 16:56:57 -0500
> To: Apple CDSA <email@hidden>
> Subject: Re: digital signatures
>
> Thanks tons for the help...
>
> I've got 'signatures' now from CSSM_SignData(), but now I've got to
> get to a PKCS7 signature. Not exactly sure how to go about that at
> this point.
>
> I guess I'm either going to need to encode it and build the PKCS7
> structure by hand or go with third-party APIs. I can't really find
> anything of use in Apple security framework that is going to help me
> from this point. Can anyone confirm or deny?
>
> Thanks...
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Apple-cdsa mailing list ( email@hidden)
> Help/Unsubscribe/Update your Subscription:
> http://lists.apple.com/mailman/options/apple-cdsa/email@hidden
>
> This email sent to email@hidden
>
---------------------------------------------------------------------------
Perry The Cynic email@hidden
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---------------------------------------------------------------------------
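
What the 128 bytes discussed in this thread contain, as an added example that is not part of the original messages: assuming the CSP applies PKCS #1 v1.5 padding for CSSM_ALGID_SHA1WithRSA (an assumption; the thread does not say), the signature is a bare modulus-length integer, and its only structure, a padded SHA-1 DigestInfo, appears after applying the public key. The key is a constructed throwaway, and `demo_key`, `encode`, `sign` and `open_signature` are hypothetical names.

```python
import hashlib
import random

E = 65537
# DER prefix of a SHA-1 DigestInfo; the 20-byte hash follows it directly.
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def demo_key(seed=2006):
    """Constructed throwaway 1024-bit RSA key (seeded PRNG, demo use only)."""
    rng = random.Random(seed)
    def prime():
        while True:
            p = rng.getrandbits(512) | (3 << 510) | 1
            # Fermat test to a few bases: good enough for a demo key only.
            if p % E != 1 and all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7)):
                return p
    p, q = prime(), prime()
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def encode(message, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo, exactly k bytes."""
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(encode(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")  # bare integer, no ASN.1 framing

def open_signature(sig, n):
    """Apply the public key and return the SHA-1 digest carried inside."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), E, n).to_bytes(k, "big")
    pad, sep, t = em[2:].partition(b"\x00")
    if em[:2] != b"\x00\x01" or len(pad) < 8 or set(pad) != {0xFF} or not sep:
        raise ValueError("not a PKCS #1 v1.5 signature block")
    if len(t) != 35 or not t.startswith(SHA1_PREFIX):
        raise ValueError("DigestInfo is not SHA-1")
    return t[len(SHA1_PREFIX):]

if __name__ == "__main__":
    n, d = demo_key()
    sig = sign(b"constructed sample data", n, d)
    print(len(sig), "bytes; digest inside:", open_signature(sig, n).hex())
```

In a PKCS #7 SignedData these bytes go unchanged into the SignerInfo encryptedDigest OCTET STRING; the content, signer certificate and issuer certificate are separate fields around it.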