3

Are there any free libraries that implement digital signatures? I need it to work in Delphi 2010 and to be portable. By portable I mean that the library implements the actual algorithms, rather than using the Windows API.

TurboPower LockBox doesn't work for me: here's an explanation.

Community
Max
  • I'm not sure if it was tlockbox, but one free Delphi library created very low quality key-pairs. This once again shows that it's a good idea to use well reviewed code like OpenSSL for crypto. – CodesInChaos Nov 24 '10 at 15:15
  • The bug in Lockbox 3 has been fixed. It should work for you now. I presume that CodesInChaos is referring to Lockbox 2. Lockbox 3 goes to a lot of effort to create high quality key-pairs. – Sean B. Durkin Nov 26 '10 at 01:12
  • Looked into the code again. Seems to be LockBox 2.07. And the problem is that (on Windows) the PRNG is seeded with the current time in a way that obtains about 16 bits of entropy / 60000 distinct seeds. And thus only about 60000 distinct RSA keys are created for each set of settings. On Linux it's slightly better (but still broken) with 32 bits of entropy from `/dev/random`. – CodesInChaos Nov 27 '10 at 11:52
  • Agreed about LB2. LB3 does things differently. You can choose between providing your own PRNG seed (and a demo program is provided to show how to get a true random seed with 64 bits of entropy), or use the default means, which is to call the MS CryptAPI (Microsoft Base Cryptographic Provider)'s CryptGenRandom function. If not available, then the RDTSC instruction will be used. This should give close to 64 bits of entropy. I agree, 32 bits of entropy is a completely broken implementation. – Sean B. Durkin Nov 29 '10 at 04:42
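
The low-entropy seeding problem discussed in the comments above, as an added example that is not part of the original thread and is not LockBox code. The seed derivation (milliseconds within the current minute, about 60000 values) and Python's `random` module as the stand-in PRNG are assumptions made for illustration; the audit function shows how repeated key fingerprints expose such a seed, while keys from the OS CSPRNG do not repeat.

```python
import hashlib
import os
import random
from collections import Counter

SEED_SPACE = 60_000  # assumption: seed = milliseconds within the current minute


def weak_seed(timestamp_ms: int) -> int:
    """Constructed model of a time-derived seed with roughly 16 bits of entropy."""
    return timestamp_ms % SEED_SPACE


def weak_key_material(timestamp_ms: int, nbytes: int = 32) -> bytes:
    """Key bytes from a deterministic PRNG whose only input is the weak seed."""
    rng = random.Random(weak_seed(timestamp_ms))
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def strong_key_material(nbytes: int = 32) -> bytes:
    """Key bytes taken directly from the operating system CSPRNG."""
    return os.urandom(nbytes)


def fingerprint(key: bytes) -> str:
    """Short identifier used to compare keys without handling the key itself."""
    return hashlib.sha256(key).hexdigest()[:16]


def duplicate_fingerprints(keys) -> dict:
    """Audit check: fingerprints shared by more than one key in a collection."""
    counts = Counter(fingerprint(k) for k in keys)
    return {fp: n for fp, n in counts.items() if n > 1}


def demo(n_keys: int = 2_000, start_ms: int = 1_290_858_720_000) -> tuple:
    # Constructed sample: n_keys generated at pseudo-random times within one day.
    clock = random.Random(2010)
    times = [start_ms + clock.randrange(86_400_000) for _ in range(n_keys)]
    weak = [weak_key_material(t) for t in times]
    strong = [strong_key_material() for _ in range(n_keys)]
    return len(duplicate_fingerprints(weak)), len(duplicate_fingerprints(strong))


if __name__ == "__main__":
    weak_dupes, strong_dupes = demo()
    print(f"weak seed: {weak_dupes} repeated keys; OS CSPRNG: {strong_dupes}")
```

With only 60000 possible seeds, a few thousand keys are enough for repeats to appear, which is why a duplicate-fingerprint scan over issued keys is a cheap check for this class of defect.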

3 Answers

4

OpenSSL should work. It's free and runs on many different platforms. It isn't a "Delphi" library but rather just an API, but it could be called from a Delphi application.

Mark Wilkins
  • The main problem with OpenSSL is that the API is horribly complicated. All the support for it is biased towards C++, so it's really hard for a Delphi programmer to get useful help from their mailing list. It's just too steep a learning curve when you are a Delphi programmer with just some basic encryption needs. – Sean B. Durkin Nov 26 '10 at 01:15
  • @Sean: I do agree it is complicated to use ... but I don't agree that the API is complicated. It's more an issue of the documentation being, ummm, "challenging". Once you figure out what to do, it is generally pretty simple and obvious (in retrospect). I ended up buying [an O'Reilly book](http://oreilly.com/catalog/9780596002701) to help. It was definitely worth the money. – Mark Wilkins Nov 27 '10 at 22:37
  • @Eugene: Heh - I guess not quite free. But $40 for a book is quite reasonable. But that does bring up the other side of this. One aspect about "free" software is the amount of one's own time invested in making something work. If it takes 50 hours of extra development time to make a "free" solution work over a moderately priced package that is well-documented, then the free route might not be such a good idea. In the case of OpenSSL, though, I have found it to be an extremely good value. – Mark Wilkins Nov 29 '10 at 16:53
2

You've got a free and fast implementation available at http://sourceforge.net/projects/openstrsecii

I'm not sure it will work as is with Delphi 2010...

OpenSSL is a great project, and you've got a Delphi use at http://www.ararat.cz/synapse/doku.php/public:howto:sslplugin

Arnaud Bouchez
1

Not exactly free, but signing functions of our SecureBlackbox product need just any license for any package, and prices for some packages are below $100.

Note that for this price you get quite extensive functionality that covers PKCS#1 and PKCS#7 signing and encryption using RSA, DSA (signing only) and Elliptic Curves, as well as symmetric encryption, extensive certificate support and much more.

Alternatively you can use an interface to OpenSSL, which also offers a wide range of functions and is free. However, its API is far from easy to understand, and as with any free software, support is questionable.

Eugene Mayevski 'Callback