Tcl
Tcl
RSASSA-PSS Sign String to Create Base64 PCKS7 Signature
See more Digital Signatures Examples
Signs a string to create a PKCS7 signature in the base64 encoding. The signature algorithm is RSASSA-PSS with SHA256.Chilkat Tcl Downloads
load ./chilkat.dll
set success 0
# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.
set crypt [new_CkCrypt2]
# Get a digital certificate with private key from a .pfx
# (Chilkat has many different ways to provide a cert + private key for siging.
# Using a PFX is just one possible option.)
set pfx [new_CkPfx]
set success [CkPfx_LoadPfxFile $pfx "qa_data/rsassa-pss/privatekey.pfx" "PFX_PASSWORD"]
if {$success == 0} then {
puts [CkPfx_lastErrorText $pfx]
delete_CkCrypt2 $crypt
delete_CkPfx $pfx
exit
}
# Get the certificate to be used for signing.
# (The typical case for a PFX is that it contains a cert with an associated private key,
# as well as other certificates in the chain of authentication. The cert with the private
# key should be in the first position at index 0.)
set cert [new_CkCert]
set success [CkPfx_CertAt $pfx 0 $cert]
if {$success == 0} then {
puts [CkPfx_lastErrorText $pfx]
delete_CkCrypt2 $crypt
delete_CkPfx $pfx
delete_CkCert $cert
exit
}
CkCrypt2_SetSigningCert $crypt $cert
# Indicate that RSASSA-PSS with SHA256 should be used.
CkCrypt2_put_SigningAlg $crypt "pss"
CkCrypt2_put_HashAlgorithm $crypt "sha256"
CkCrypt2_put_EncodingMode $crypt "base64"
# Sign a string and return the base64 PKCS7 detached signature
set originalText "This is a test"
set pkcs7sig [CkCrypt2_signStringENC $crypt $originalText]
puts "Detached Signature:"
puts "$pkcs7sig"
# This signature looks like this:
# MIIG5wYJKoZIhvcNAQcCoIIG2DCCBtQCAQExDzANBgl .. YToLqEwTdU87ox5g7rvw==
# The ASN.1 of the signature can be examined by browsing to https://lapo.it/asn1js/ ,
# then copy-and-paste the Base64 signature into the form and decode..
# The signature can be verified against the original data like this:
set success [CkCrypt2_VerifyStringENC $crypt $originalText $pkcs7sig]
puts "Signature verified: $success"
set success [CkCrypt2_VerifyStringENC $crypt "Not the original text" $pkcs7sig]
puts "Signature verified: $success"
# Now we'll create an opaque signature (the opposite of a detached signature).
# An opaque signature is a PKCS7 message that contains both the original data and
# the signature. The verification process extracts the original data.
set opaqueSig [CkCrypt2_opaqueSignStringENC $crypt $originalText]
puts "Opaque Signature:"
puts "$opaqueSig"
# The ASN.1 of the signature can be examined by browsing to https://lapo.it/asn1js/ ,
# then copy-and-paste the Base64 signature into the form and decode..
# We can verify and extract the original data:
set origTxt [CkCrypt2_opaqueVerifyStringENC $crypt $opaqueSig]
if {[CkCrypt2_get_LastMethodSuccess $crypt] != 1} then {
puts "Signature verification failed."
puts [CkCrypt2_lastErrorText $crypt]
delete_CkCrypt2 $crypt
delete_CkPfx $pfx
delete_CkCert $cert
exit
}
puts "Signature verified."
puts "Extracted text:$origTxt"
delete_CkCrypt2 $crypt
delete_CkPfx $pfx
delete_CkCert $cert