[EXTERNAL] Using openssl-rsautl for verifying signatures.

Philip Prindeville philipp_subx at redfish-solutions.com
Fri May 6 17:51:04 UTC 2022 

Ah, that worked, thanks.

https://gerrit.asterisk.org/c/asterisk/+/18534



> On May 6, 2022, at 12:43 AM, Tomas Mraz <tomas at openssl.org> wrote:
> 
> Please look at 
> demos/signature/rsa_pss_direct.c
> 
> If you want to use the old PKCS1 v1.5 padding then just replace
> RSA_PKCS1_PSS_PADDING with RSA_PKCS1_PADDING.
> 
> Tomas
> 
> On Thu, 2022-05-05 at 10:35 -0600, Philip Prindeville wrote:
>> Bonjour.  Et milles mercis.
>> 
>> That was helpful.
>> 
>> One more question: if I want to reproduce RSA_sign() (and
>> RSA_verify()) using evp_key_sign() and evp_key_verify() then I'll
>> need add code to do the ASN.1 marshaling, right?  There's no
>> convenience function to do that (seems like an oversight if that's
>> the case)?
>> 
>> -Philip
>> 
>> 
>>> On May 4, 2022, at 3:45 AM, Erwann Abalea
>>> <Erwann.Abalea at docusign.com> wrote:
>>> 
>>> Bonjour,
>>> 
>>> The ASN.1 structure (it's a DigestInfo) is part of the PKCS#1 v1.5
>>> padding for signature operations.
>>> PKCS#1v1.5 is rewritten in RFC2313.
>>> 
>>> Using the command line tool, you can reproduce this:
>>> 
>>> echo -n "Mary had a little lamb." > datatosign
>>> 
>>> either one of the following can be used to sign data:
>>>   openssl dgst -sha1 -sign tests/keys/rsa_key1.key datatosign >
>>> signing
>>>   openssl pkeyutl -inkey tests/keys/rsa_key1.key -in <(openssl dgst
>>> -sha1 -binary datatosign) -sign -pkeyopt digest:sha1 > signing
>>> 
>>> and you can display the signature either way (this will not
>>> "verify", it will only perform the RSA verify operation with
>>> PKCS#1v1.5 padding, without checking the validity or even if what
>>> has been signed is a DigestInfo structure, and output the result of
>>> the RSA operation):
>>>   openssl rsautl -verify -inkey tests/keys/rsa_key1.pub -pubin -in
>>> signing -asn1parse
>>>   openssl pkeyutl -verifyrecover -inkey tests/keys/rsa_key1.pub -
>>> pubin -in signing -asn1parse
>>> 
>>> or you can actually verify the thing without displaying the result
>>> of the RSA verify crypto operation:
>>>   openssl pkeyutl -verify -inkey tests/keys/rsa_key1.pub -pubin -in
>>> <(openssl dgst -sha1 -binary datatosign) -sigfile signing -pkeyopt
>>> digest:sha1
>>>   openssl dgst -verify tests/keys/rsa_key1.pub -signature signing -
>>> sha1 datatosign
>>> 
>> 
> 
> -- 
> Tomáš Mráz, OpenSSL
> 
>

More information about the openssl-users mailing list