[EXTERNAL] Using openssl-rsautl for verifying signatures.
Tomas Mraz
tomas at openssl.org
Fri May 6 06:43:40 UTC 2022
Please look at
demos/signature/rsa_pss_direct.c
If you want to use the old PKCS1 v1.5 padding then just replace
RSA_PKCS1_PSS_PADDING with RSA_PKCS1_PADDING.
Tomas
On Thu, 2022-05-05 at 10:35 -0600, Philip Prindeville wrote:
> Bonjour. Et milles mercis.
>
> That was helpful.
>
> One more question: if I want to reproduce RSA_sign() (and
> RSA_verify()) using evp_key_sign() and evp_key_verify() then I'll
> need add code to do the ASN.1 marshaling, right? There's no
> convenience function to do that (seems like an oversight if that's
> the case)?
>
> -Philip
>
>
> > On May 4, 2022, at 3:45 AM, Erwann Abalea
> > <Erwann.Abalea at docusign.com> wrote:
> >
> > Bonjour,
> >
> > The ASN.1 structure (it's a DigestInfo) is part of the PKCS#1 v1.5
> > padding for signature operations.
> > PKCS#1v1.5 is rewritten in RFC2313.
> >
> > Using the command line tool, you can reproduce this:
> >
> > echo -n "Mary had a little lamb." > datatosign
> >
> > either one of the following can be used to sign data:
> > openssl dgst -sha1 -sign tests/keys/rsa_key1.key datatosign >
> > signing
> > openssl pkeyutl -inkey tests/keys/rsa_key1.key -in <(openssl dgst
> > -sha1 -binary datatosign) -sign -pkeyopt digest:sha1 > signing
> >
> > and you can display the signature either way (this will not
> > "verify", it will only perform the RSA verify operation with
> > PKCS#1v1.5 padding, without checking the validity or even if what
> > has been signed is a DigestInfo structure, and output the result of
> > the RSA operation):
> > openssl rsautl -verify -inkey tests/keys/rsa_key1.pub -pubin -in
> > signing -asn1parse
> > openssl pkeyutl -verifyrecover -inkey tests/keys/rsa_key1.pub -
> > pubin -in signing -asn1parse
> >
> > or you can actually verify the thing without displaying the result
> > of the RSA verify crypto operation:
> > openssl pkeyutl -verify -inkey tests/keys/rsa_key1.pub -pubin -in
> > <(openssl dgst -sha1 -binary datatosign) -sigfile signing -pkeyopt
> > digest:sha1
> > openssl dgst -verify tests/keys/rsa_key1.pub -signature signing -
> > sha1 datatosign
> >
>
--
Tomáš Mráz, OpenSSL
More information about the openssl-users
mailing list