OpenSSL / java / wiki bits

Ken Horn ken.horn at clara.co.uk
Wed May 25 07:47:09 PDT 2005


OK, I have my hacked java server running but am still struggling with 
the signature being accepted by the demo site. It's not particularly 
surprising cos I'm stumbling around a bit with the crypto formats / java 
apis etc.

My current Java code does the following:
        KeyPairGenerator keypairgenerator;
        try {
            keypairgenerator = KeyPairGenerator.getInstance("DSA");
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
        keypairgenerator.initialize(1024, new SecureRandom());

        keyPair = keypairgenerator.generateKeyPair();

       // for genpubkey call:
       //       
       return "-----BEGIN PUBLIC KEY-----\r\n"+
            base64(keyPair.getPublic().getEncoded())+
            "\r\n-----END PUBLIC KEY-----\r\n";


       // for signature generation:
       // token is the [timestamp]::assert_identity::[assert_identity]::[return_to]
        base64(dsa(sha1(token)));

where sha1:

            MessageDigest messagedigest = MessageDigest.getInstance("SHA1");
            byte[] digest = messagedigest.digest(token.getBytes());
            return digest;

and dsa:
            PrivateKey privatekey = getPrivateKey();
            Signature signature = Signature.getInstance("DSA");
            signature.initSign(privatekey);
            signature.update(token);
            return signature.sign();

      
Error from demo page:
    Error: Error in DSA_verify: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long at /usr/share/perl5/Net/OpenID/Consumer.pm line 401. [runtime_error]

Questions for whoever:
* Is the key gen in the right format?
* Is the sha1 necessary? (I read someplace that DSA digest in Java 
always does a sha1 anyway)
      If I miss out the sha1, I get: "Error: DSA signature verification 
failed [verify_failed]"  --  is this any better?
* Are all steps possible from Java built in libs, or do I have to use 
others / openssl to format keys etc in the correct format?
* On the demo, sometimes I receive the error "no return_to", but 
rerunning the request takes me on to the PEM error above -- nothing 
changes afaict in my response. Could this be a caching issue someplace?

While there's a lot of info bouncing around on the mail list, I think 
it's time the Specs page was expanded a bit, to include the body of 
knowledge hidden in the lists. As has been commented, the specs page is 
pretty informal and there's a lot more info that could be supplied. I 
think a wiki would be the best solution in the short term so that more 
people could contribute to the docs (e.g. the bounce diagram from the 
other day). As to the hosting, I'm not suggesting any place / tool in 
particular (though Confluence seems to be pretty popular in the Java world).

In addition to a wiki, I think a version number/changes list for the 
core spec would be useful; it's getting to the point where you have to 
check it very carefully to find what's new (if anything) etc.

One item I didn't catch was that the sig format line:

    BASE64(DSA(SHA1("[timestamp]::assert_identity::[assert_identity]::[return_to]")))

does not mean to include the []'s around the filled in values.


Thanks for any help,

Ken
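
As an added example (not part of the original post or of any OpenID library), the sketch below uses only JDK built-in classes to show the two formats the questions above turn on: the X.509 SubjectPublicKeyInfo bytes behind a "BEGIN PUBLIC KEY" PEM block, and the DER-encoded (r, s) signature produced by SHA1withDSA, which hashes its input itself. The class name, the token values and the 64-column PEM wrapping are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class DsaSigDemo {
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(1024, new SecureRandom());
        KeyPair kp = kpg.generateKeyPair();

        // getEncoded() on the public key is X.509 SubjectPublicKeyInfo DER;
        // PEM is that DER in base64, wrapped here at 64 characters per line.
        System.out.println("key format: " + kp.getPublic().getFormat());
        Base64.Encoder pem = Base64.getMimeEncoder(64, new byte[] {'\n'});
        System.out.println("-----BEGIN PUBLIC KEY-----\n"
                + pem.encodeToString(kp.getPublic().getEncoded())
                + "\n-----END PUBLIC KEY-----");

        // Constructed sample token: no [] around the filled-in values.
        byte[] token = ("2005-05-25T14:47:09Z::assert_identity::"
                + "http://user.example/::http://consumer.example/return")
                .getBytes(StandardCharsets.UTF_8);

        // SHA1withDSA hashes the input itself, so pass the raw token bytes.
        byte[] sig = sign(kp.getPrivate(), token);
        // Pre-hashing first makes the signature cover SHA1(SHA1(token)).
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(token);
        byte[] doubleHashed = sign(kp.getPrivate(), digest);

        System.out.println("single hash verifies: " + verify(kp.getPublic(), token, sig));
        System.out.println("double hash verifies: " + verify(kp.getPublic(), token, doubleHashed));
        // The signature is a DER SEQUENCE (tag 0x30) of the two INTEGERs r and s.
        System.out.printf("sig: tag=0x%02x, %d bytes%n", sig[0], sig.length);
        System.out.println("sig=" + Base64.getEncoder().encodeToString(sig));
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA1withDSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA1withDSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }
}
```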



