On 2010-09-06 08:17 PDT, Xavier Toth wrote: > I'm trying to verify the signature of a file I've signed but I don't > understand where to get the sigAlgorithm and hash to pass to > VFY_CreateContextWithAlgorithmID.
I presume you've read the description of these parameters in http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/cryptohi.h#227 In particular, note that the description tells us that the "hash" argument is "optional" (meaning that you can pass NULL as the argument value for this parameter) and that when present, it is the address into which the function returns (outputs) the type of hash that it found within the signature itself. Not all types of signatures embed that information, and for them, the hash info must be input, using one of the other variants of this function. > I've googled looking for some sample code using the VFY_ apis to verify > signatures but I haven't found anything that I could build off of. http://mxr.mozilla.org/security/search?string=VFY_CreateContext reveals that there are 3 variants of VFY_CreateContext, including VFY_CreateContextDirect and VFY_CreateContextWithAlgorithmID. It also reveals that, within the Mozilla code that uses NSS, there are NO callers of VFY_CreateContextDirect, and only one caller of VFY_CreateContextWithAlgorithmID. All the rest use the original VFY_CreateContext function. Still, I think that one example ought to suffice. > Shouldn't I be able to get these from the public key and/or signature > itself? Some public keys support multiple types of signature algorithms. You must tell the VFY function which of the signature algorithms to use. Many (most?) of the "standard" signature formats record that information explicitly in the form of an OID, but some do not. -- /Nelson Bolyard -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
