• RS256 with TWAPI

    From Harald Oehlmann@wortkarg3@yahoo.com to comp.lang.tcl on Thu Oct 23 14:27:28 2025
    From Newsgroup: comp.lang.tcl

    Dear experts,

    I need RS256 signing for MMQT message signing (yeah!).
    SHA256 hash and then RSA - ok.

    What I normally do:

    set hKey [twapi::crypt_keypair $hCrypt signature]
    set hHash [twapi::capi_hash_create $hCrypt sha]
    twapi::capi_hash_string $hHash $DataIn
    set sig [twapi::capi_hash_sign $hHash signature -nohashoid 1]
    twapi::capi_hash_free $hHash
    return [binary encode base64 $sig]

    Theoretically, these are the same steps as RS256.
    But there is the PKCS#1 packaging.
    TWAPI only has PKCS#7 high level functions.

    Is there any way to solve this?

    Any answer welcome!
    Harald
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Ashok@apnmbx-public@yahoo.com to comp.lang.tcl on Wed Oct 29 08:36:07 2025
    From Newsgroup: comp.lang.tcl

    Harald, I suggest looking at the pki module in tcllib as it might be
    simpler though slower.

    If your code below is not working as you expect, two things to try -

    - remove the -nohashoid option. I think the hash oid inclusion is
    required for PKCS#1 but not entirely sure.

    - reverse the signature bytes. MS CryptoAPI uses little endian format
    while most implementations (including, I think, MS Crypto NG) use big
    endian.

    I remember running into similar questions a long time ago but sorry
    cannot recall the details.

    /Ashok

    On 10/23/2025 5:57 PM, Harald Oehlmann wrote:
    Dear experts,

    I need RS256 signing for MMQT message signing (yeah!).
    SHA256 hash and then RSA - ok.

    What I normally do:

    set hKey [twapi::crypt_keypair $hCrypt signature]
    set hHash [twapi::capi_hash_create $hCrypt sha]
    twapi::capi_hash_string $hHash $DataIn
    set sig [twapi::capi_hash_sign $hHash signature -nohashoid 1]
    twapi::capi_hash_free $hHash
    return [binary encode base64 $sig]

    Theoretically, these are the same steps as RS256.
    But there is the PKCS#1 packaging.
    TWAPI only has PKCS#7 high level functions.

    Is there any way to solve this?

    Any answer welcome!
    Harald

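
Added example, not part of any post in this thread and not TWAPI or tcllib code: RS256 is RSASSA-PKCS1-v1_5 over SHA-256, and the sketch below models the two points raised in the reply above (hash OID inclusion and signature byte order) against a strict verifier. The key is a constructed, insecure demo key and all function names are hypothetical; nothing here calls CryptoAPI.

```python
import hashlib

# DER-encoded DigestInfo header for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed demo key built from two Mersenne primes: NOT secure, only
# here so the example runs offline without a crypto library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes


def emsa_pkcs1_v15(message: bytes, with_oid: bool = True) -> bytes:
    """Build the padded block 00 01 FF..FF 00 [DigestInfo] hash."""
    t = (SHA256_DIGESTINFO if with_oid else b"") + hashlib.sha256(message).digest()
    if K < len(t) + 11:
        raise ValueError("modulus too short for this encoding")
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign_big_endian(message: bytes, with_oid: bool = True) -> bytes:
    """Signature as RS256 verifiers expect it: big-endian, K bytes."""
    em = int.from_bytes(emsa_pkcs1_v15(message, with_oid), "big")
    return pow(em, D, N).to_bytes(K, "big")


def sign_capi_style(message: bytes, with_oid: bool = True) -> bytes:
    """Same signature in the little-endian byte order discussed above."""
    return sign_big_endian(message, with_oid)[::-1]


def rs256_verify(message: bytes, signature: bytes) -> bool:
    """Strict RS256 check: recompute the expected block and compare."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    return pow(s, E, N).to_bytes(K, "big") == emsa_pkcs1_v15(message)


if __name__ == "__main__":
    msg = b"constructed sample payload"
    print("big-endian, with OID :", rs256_verify(msg, sign_big_endian(msg)))
    print("little-endian as-is  :", rs256_verify(msg, sign_capi_style(msg)))
    print("reversed back        :", rs256_verify(msg, sign_capi_style(msg)[::-1]))
    print("no hash OID          :", rs256_verify(msg, sign_big_endian(msg, False)))
```

Only the big-endian signature that embeds the SHA-256 DigestInfo passes; when the signature is used as a JWS value, the final encoding is base64url without padding rather than plain base64.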
  • From Harald Oehlmann@wortkarg3@yahoo.com to comp.lang.tcl on Wed Oct 29 08:56:04 2025
    From Newsgroup: comp.lang.tcl

    Thanks Ashok, I appreciate it!
    Take care,
    Harald

    On 29.10.2025 at 04:06, Ashok wrote:
    Harald, I suggest looking at the pki module in tcllib as it might be
    simpler though slower.

    If your code below is not working as you expect, two things to try -

    - remove the -nohashoid option. I think the hash oid inclusion is
    required for PKCS#1 but not entirely sure.

    - reverse the signature bytes. MS CryptoAPI uses little endian format
    while most implementations (including, I think, MS Crypto NG) use big endian.

    I remember running into similar questions a long time ago but sorry
    cannot recall the details.

    /Ashok

    On 10/23/2025 5:57 PM, Harald Oehlmann wrote:
    Dear experts,

    I need RS256 signing for MMQT message signing (yeah!).
    SHA256 hash and then RSA - ok.

    What I normally do:

    set hKey [twapi::crypt_keypair $hCrypt signature]
    set hHash [twapi::capi_hash_create $hCrypt sha]
    twapi::capi_hash_string $hHash $DataIn
    set sig [twapi::capi_hash_sign $hHash signature -nohashoid 1]
    twapi::capi_hash_free $hHash
    return [binary encode base64 $sig]

    Theoretically, these are the same steps as RS256.
    But there is the PKCS#1 packaging.
    TWAPI only has PKCS#7 high level functions.

    Is there any way to solve this?

    Any answer welcome!
    Harald


  • From Harald Oehlmann@wortkarg3@yahoo.com to comp.lang.tcl on Wed Oct 29 09:52:18 2025
    From Newsgroup: comp.lang.tcl

    And it is a pity that your blog about TWAPI encryption stopped before
    RSA encryption...

    Is there a chance to switch in TWAPI to the new crypto API?
    We have dropped Vista compatibility?
    I don't miss anything, all works great, just a question...

    Thanks for all,
    Harald

    On 29.10.2025 at 08:56, Harald Oehlmann wrote:
    Thanks Ashok, I appreciate it!
    Take care,
    Harald

    On 29.10.2025 at 04:06, Ashok wrote:
    Harald, I suggest looking at the pki module in tcllib as it might be
    simpler though slower.

    If your code below is not working as you expect, two things to try -

    - remove the -nohashoid option. I think the hash oid inclusion is
    required for PKCS#1 but not entirely sure.

    - reverse the signature bytes. MS CryptoAPI uses little endian format
    while most implementations (including, I think, MS Crypto NG) use big
    endian.

    I remember running into similar questions a long time ago but sorry
    cannot recall the details.

    /Ashok

    On 10/23/2025 5:57 PM, Harald Oehlmann wrote:
    Dear experts,

    I need RS256 signing for MMQT message signing (yeah!).
    SHA256 hash and then RSA - ok.

    What I normally do:

    set hKey [twapi::crypt_keypair $hCrypt signature]
    set hHash [twapi::capi_hash_create $hCrypt sha]
    twapi::capi_hash_string $hHash $DataIn
    set sig [twapi::capi_hash_sign $hHash signature -nohashoid 1]
    twapi::capi_hash_free $hHash
    return [binary encode base64 $sig]

    Theoretically, these are the same steps as RS256.
    But there is the PKCS#1 packaging.
    TWAPI only has PKCS#7 high level functions.

    Is there any way to solve this?

    Any answer welcome!
    Harald


