How to sign a SSL3 hash

How to sign a SSL3 hash

Ruben Lagar
Hello,

I would like to sign a SSL3 hash (36 bytes) with the PKCS11 library
from OpenSC. How can this be done?

For example, if I want to sign a SHA1 hash, what I do is

CK_MECHANISM mechanism = {CKM_RSA_PKCS, NULL_PTR, 0};
C_SignInit(hSession, &mechanism, hObject);
C_SignUpdate(hSession, data, 20);
C_SignFinal(hSession, signature, signatureLen);

where hObject is a reference to the private key to be used. In the
case of SSL3 (MD5 - SHA1 concatenated), which algorithm should I use?

CK_MECHANISM mechanism = {?, NULL_PTR, 0};
C_SignInit(hSession, &mechanism, hObject);
C_SignUpdate(hSession, data, 36);
C_SignFinal(hSession, signature, signatureLen);

I have tried using the same CKM_RSA_PKCS, but it is returning a non
valid signature.

Thank you!!
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: How to sign a SSL3 hash

Andreas Jellinghaus-2
On Wednesday 31 March 2010 11:23:40, Ruben Lagar wrote:
> Hello,
>
> I would like to sign a SSL3 hash (36 bytes) with the PKCS11 library
> from OpenSC. How can this be done?

what padding mechanism is specified in the specification?

you can then either:
a) build the whole block (rsa modulus_length) bytes and pass it to
the card for signing (or "decryption" (to use the raw rsa capability)).
b) ask the card to build the full block from the hash you give.
if it knows that padding mechanism.


but of course maybe you better use an existing SSL library,
most of them have an integration for smart card already
(e.g. engine in openssl and the signing callback in gnutls),
so the SSL is already fully implemented, and only the signing
is deferred to the card. should work best I guess.

> where hObject is a reference to the private key to be used. In the
> case of SSL3 (MD5 - SHA1 concatenated), which algorithm should I use?

read the ssl standard. or maybe check the ssl details, if there are
several alternatives, and the client and server handshake agreed on
one.

> I have tried using the same CKM_RSA_PKCS, but it is returning a non
> valid signature.

asymmetric algorithm (e.g. rsa) and symmetric hash algorithm (e.g. md5 or sha)
are only two parts of the recipe. you also need to know the padding -
how does the hash (e.g. 20 or 36 bytes) get blown up to modulus length
(e.g. 1024 bytes for 1024 rsa keys). there are many different mechanisms
for that (I saw a list with 19 different ones), some as simple as
"zero-pad" (pad the first (1024/8)-32 bytes, then append the 32 byte hash),
and some very complex with parameters such as Labels (OAEP afaik) or
mask generating functions (e.g. MGF-1) and even parameters for them
(e.g. the hash algorithm to use in the mask generating function).

nobody claims crypto is easy. as you can see, it is very complex.

the rsa PKCS#1 standard is a nice introduction to the topic, quite
readable from my point of view. but of course it won't help you, as
you need to read the SSLv3 standard to find out how SSL exactly works
and what padding they expect. (and that might of course change from
connection to connection, depending on what client and server agree on,
if the standard has several options for that).

Good luck.

Regards, Andreas
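
Added example, not part of the original thread: option a) above for the 36-byte MD5||SHA-1 value, plus the matching strict check for the verifying side. It assumes the SSLv3/TLS 1.0 convention for RSA signatures (PKCS#1 v1.5 block type 1 padding applied directly to the 36 bytes, with no DigestInfo prefix); the function names are hypothetical, and the resulting block is what would be handed to the token's raw RSA mechanism (CKM_RSA_X_509 in PKCS#11).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSL3_HASH_LEN 36 /* MD5 (16 bytes) || SHA-1 (20 bytes) */

/* Build the k-byte block 00 01 FF..FF 00 || hash, where k is the RSA modulus
 * length in bytes. Returns -1 if k leaves room for fewer than 8 FF bytes. */
int ssl3_build_sig_block(const unsigned char *hash, unsigned char *out, size_t k)
{
    if (hash == NULL || out == NULL || k < SSL3_HASH_LEN + 11)
        return -1;
    size_t pad_len = k - SSL3_HASH_LEN - 3;
    out[0] = 0x00;
    out[1] = 0x01;                      /* block type 1: private-key operation */
    memset(out + 2, 0xFF, pad_len);
    out[2 + pad_len] = 0x00;            /* separator between padding and data */
    memcpy(out + 3 + pad_len, hash, SSL3_HASH_LEN);
    return 0;
}

/* Verifying side: rebuild the expected block and compare every byte, so that
 * nothing can hide inside or after the padding. Returns 0 only on a match. */
int ssl3_check_sig_block(const unsigned char *block, size_t k,
                         const unsigned char *hash)
{
    unsigned char expected[512];        /* enough for a 4096-bit modulus */
    unsigned char diff = 0;
    if (block == NULL || k > sizeof(expected) ||
        ssl3_build_sig_block(hash, expected, k) != 0)
        return -1;
    for (size_t i = 0; i < k; i++)
        diff |= (unsigned char)(block[i] ^ expected[i]);
    return diff == 0 ? 0 : -1;
}

int main(void)
{
    unsigned char hash[SSL3_HASH_LEN], block[128]; /* 1024-bit modulus */
    for (size_t i = 0; i < SSL3_HASH_LEN; i++)
        hash[i] = (unsigned char)i;     /* constructed stand-in for the hash */
    if (ssl3_build_sig_block(hash, block, sizeof(block)) != 0)
        return 1;
    for (size_t i = 0; i < sizeof(block); i++)
        printf("%02x%s", block[i], (i % 16 == 15) ? "\n" : " ");
    return ssl3_check_sig_block(block, sizeof(block), hash) == 0 ? 0 : 1;
}
```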

Re: How to sign a SSL3 hash

Ruben Lagar
Hello,

thank you Andreas. I was trying to do the b) option you have
indicated, using the PKCS11 library provided by OpenSC, but it looks
like the card is doing the wrong padding, surely because I should tell
it how to pad the data I am sending.

What I was implicitly asking was how to tell the card how it has to
do the padding for the SSL3 schema.

Another option, as you say, is to do the padding myself and then ask
the card to "decrypt" it, so it uses the raw rsa, but I cannot find
how is the padding scheme for SSL3. Could anybody help me with this?

I cannot use a SSL engine because I am using a third party library for
accessing the card (via OpenSC), and my configuration doesn't seem to
work as a SSL engine (I get weird errors that I have not been able to
solve trying to use OpenSSL with OpenSC).

Thank you!

