Hash signing

[AndrewS]

Hello,
Is there an easy way to sign a hash in order to produce a PKCS #1 signature? I'm asking because the Signature class automatically hashes the input. I want to sign the documents, and can not send files to the card due to the limited amount of memory
Sending the data in portions to the smartcard for signing is ineffective. Sending only the hash seems to be the only solution, but unfortunately, the Java Card Standard doesn't support it
One solution could be to create the PKCS #1 signature structure by hand (RFC2313) and encrypt it with the private key. I guess ALG_RSA_NOPAD must be used for the latter. But how do it I don't know.

[mabel]

Hello,
Is there an easy way to sign a hash in order to produce a PKCS #1 signature? I'm asking because the Signature class automatically hashes the input. I want to sign the documents, and can not send files to the card due to the limited amount of memory
Sending the data in portions to the smartcard for signing is ineffective. Sending only the hash seems to be the only solution, but unfortunately, the Java Card Standard doesn't support it
One solution could be to create the PKCS #1 signature structure by hand (RFC2313) and encrypt it with the private key. I guess ALG_RSA_NOPAD must be used for the latter. But how do it I don't know.

You can get a java card that supports java card 3.0.4
Then use this method

short signPreComputedHash(byte[] hashBuff, short hashOff, short hashLength, byte[] sigBuff, short sigOffset)

to generate the signature of the pre-computed hash data.

Here is the details about this function described in Java CardTM application programming interface (API), Version 3.0.4, Classic Edition.

signPreComputedHash
public abstract short signPreComputedHash(byte[] hashBuff,
short hashOff,
short hashLength,
byte[] sigBuff,
short sigOffset)
throws CryptoExceptionGenerates the signature of the precomputed hash data.
A call to this method also resets this Signature object to the state it was in when previously initialized via a call to init(). That is, the object is reset and available to sign another precomputed hash.

Note:
This method throws an exception if the underlying signature algorithm does not compute a distinct message digest value prior to applying cryptographic primitives. These algorithms throw exception - DES, triple DES, AES, and KOREAN SEED.
Any data previously accumulated from previous calls to the update method are discarded.
The hash and output buffer data may overlap.

Parameters:
hashBuff - the input buffer of precomputed hash to be signed
hashOffset - the offset into the buffer where the hash begins
hashLength - the byte length of the hash
sigBuff - the output buffer to store signature data
sigOffset - the offset into sigBuff at which to begin signature data

Returns:
number of bytes of signature output in sigBuff

Throws:
CryptoException - with the following reason codes:
CryptoException.UNINITIALIZED_KEY if key not initialized.
CryptoException.INVALID_INIT if this Signature object is not initialized or initialized for signature verify mode.
CryptoException.ILLEGAL_USE if one of the following conditions is met:
if the hashLength value is not equal to the length of the algorithm's message digest length.
if this Signature algorithm includes message recovery functionality.
if the Signature algorithm does not compute a distinct message digest value prior to applying cryptographic primitives