
DSA Signature Create and Verify


Shows how to create a DSA (DSS) signature for the contents of a file. The first step is to compute the SHA-1 hash of the file contents. The hash is then signed using the Digital Signature Algorithm, and the signature bytes are retrieved as a hex-encoded string.

The second part of the example loads the public key, the hash, and the signature into a second DSA object and verifies the signature.


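load ./chilkat.dll

# Release every Chilkat object this script has created so far.
# Handles live in global variables; an object that was never created
# (for example dsa2 during the signing half) is simply skipped.
proc releaseAll {} {
    global crypt dsa dsa2
    if {[info exists crypt]} { delete_CkCrypt2 $crypt }
    if {[info exists dsa]}   { delete_CkDsa $dsa }
    if {[info exists dsa2]}  { delete_CkDsa $dsa2 }
}

# Print the given error text, release all objects, and exit with a
# non-zero status.  A bare "exit" returns status 0, which would make a
# failed signing or a failed verification look like success to any
# calling shell script or pipeline.
proc fail {errText} {
    puts $errText
    releaseAll
    exit 1
}

set success 0

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

set crypt [new_CkCrypt2]

CkCrypt2_put_EncodingMode $crypt "hex"
# NOTE(review): SHA-1 is no longer collision resistant and is disallowed by
# NIST for generating new signatures, and FIPS 186-5 retires DSA itself for
# signature generation.  Treat this script as a legacy-interoperability
# example; a different hash must match what the verifier and the DSA key
# parameters expect, so it is not changed here.
CkCrypt2_put_HashAlgorithm $crypt "sha-1"

# Return the SHA-1 hash of a file.  The file may be any size.
# The Chilkat Crypt component will stream the file when
# computing the hash, keeping the memory usage constant
# and reasonable.
# The 20-byte SHA-1 hash is returned as a hex-encoded string.
set hashStr [CkCrypt2_hashFileENC $crypt "hamlet.xml"]
# A missing or unreadable file must stop the run here rather than let an
# empty hash string reach the signing step.
if {[CkCrypt2_get_LastMethodSuccess $crypt] != 1} then {
    fail [CkCrypt2_lastErrorText $crypt]
}

set dsa [new_CkDsa]

# Load a DSA private key from a PEM file.  Chilkat DSA
# provides the ability to load and save DSA public and private
# keys from encrypted or non-encrypted PEM or DER.
# The LoadText method is for convenience only.  You may
# use any means to load the contents of a PEM file into
# a string.
# NOTE(review): dsa_priv.pem is read as an unencrypted PEM.  Restrict the
# file to the signing account, or store the key password-protected and load
# it with the encrypted-PEM loader (FromEncryptedPem in the CkDsa reference).

set pemPrivateKey [CkDsa_loadText $dsa "dsa_priv.pem"]
set success [CkDsa_FromPem $dsa $pemPrivateKey]
if {$success != 1} then {
    fail [CkDsa_lastErrorText $dsa]
}

# You may optionally verify the key to ensure that it is a valid
# DSA key.
set success [CkDsa_VerifyKey $dsa]
if {$success != 1} then {
    fail [CkDsa_lastErrorText $dsa]
}

# Load the hash to be signed into the DSA object:
set success [CkDsa_SetEncodedHash $dsa "hex" $hashStr]
if {$success != 1} then {
    fail [CkDsa_lastErrorText $dsa]
}

# Now that the DSA object contains both the private key and hash,
# it is ready to create the signature:
set success [CkDsa_SignHash $dsa]
if {$success != 1} then {
    fail [CkDsa_lastErrorText $dsa]
}

# If SignHash is successful, the DSA object contains the
# signature.  It may be accessed as a hex or base64 encoded
# string.  (It is also possible to access directly in byte array form via
# the "Signature" property.)
set hexSig [CkDsa_getEncodedSignature $dsa "hex"]
puts "Signature:"
puts "$hexSig"

# -----------------------------------------------------------
# Step 2: Verify the DSA Signature
# -----------------------------------------------------------

set dsa2 [new_CkDsa]

# Load the DSA public key to be used for verification.
# The public key must come from a source the verifier already trusts;
# a key delivered alongside the file and signature proves nothing.

set pemPublicKey [CkDsa_loadText $dsa2 "dsa_pub.pem"]
set success [CkDsa_FromPublicPem $dsa2 $pemPublicKey]
if {$success != 1} then {
    fail [CkDsa_lastErrorText $dsa2]
}

# Recompute the hash from the file being verified.  A verifier must hash
# the data it actually received; reusing a hash value supplied by the signer
# would only check the signature against the signer's own claim.
set verifyHashStr [CkCrypt2_hashFileENC $crypt "hamlet.xml"]
if {[CkCrypt2_get_LastMethodSuccess $crypt] != 1} then {
    fail [CkCrypt2_lastErrorText $crypt]
}

# Load the hash to be verified against the signature.
set success [CkDsa_SetEncodedHash $dsa2 "hex" $verifyHashStr]
if {$success != 1} then {
    fail [CkDsa_lastErrorText $dsa2]
}

# Load the signature:
set success [CkDsa_SetEncodedSignature $dsa2 "hex" $hexSig]
if {$success != 1} then {
    fail [CkDsa_lastErrorText $dsa2]
}

# Verify.  A failed verification ends the script with a non-zero status so
# that it cannot be mistaken for a verified file.
set success [CkDsa_Verify $dsa2]
if {$success != 1} then {
    fail [CkDsa_lastErrorText $dsa2]
}
puts "DSA Signature Verified!"

releaseAll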