问题
I'm evaluating TurboPower LockBox library for digital signing. I've created a 1024 bit RSA key and tried to sign a 260 bytes of text with it. After changing one or two characters in the text the signature is still valid for it. Is that ok? Or maybe it's a problem with this library. Changing even one character has a crucial effect. Do I need to create a larger key?
UPDATE
To test the library I used the demo application that comes with it. I have generated a 1024 RSA key pair and then tried the digital signing functions. First I've tried with a real 260 bit text file and found out that I can change some characters in it and the signature was still valid. Then I narrowed it a bit to the followinf string:
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAA 8
And it still works when I'm changing the '8' character. I could probably narrow it even more.
The code that performs the validation is:
Signatory1: TSignatory;
....
var
  DocumentStream, SignatureStream: TStream;
....
DocumentStream  := TFileStream.Create( edtRSADocumentFile.Text, fmOpenread);
try
SignatureStream := TFileStream.Create( edtRSASignatureFile.Text, fmOpenread);
try
 Res := Signatory1.Verify( DocumentStream, SignatureStream)
finally
  SignatureStream.Free
end;
finally
  DocumentStream.Free;
end;
回答1:
First, I wouldn't assume anything wrong with the library as it's been used for years. You shouldn't be able to change the inputs and use the same signature to validate it and it work. Keysize wouldn't play a part.
To get real answers, I'd expand your question - what version of Delphi? Can you show some code?
回答2:
LockBox 3 has a bug in the implementation of digital signature component. LockBox 2.07 can correctly sign and verify signatures, but loading/saving keys doesn't work in Delphi 2010.
来源:https://stackoverflow.com/questions/4228224/lockbox-digital-signature-component-problem