[openssl-users] RES: RES: Testing OpenSSL based solution

Wed May 13 10:09:07 UTC 2015

On 12/05/2015 22:50, Marcus Vinicius do Nascimento wrote:
>
> I did some quick research and found this: 
> http://en.wikipedia.org/wiki/Digital_Signature_Algorithm
>
> If my understanding is correct, the public key is (p, q, g, y).
>
> The private key would be x, such that y = g^x mod p.
>
> Is there some way to generate both public and private keys using 
> OpenSSL, based on p, q, g and y?
>
Not without finding a way to breaking DSA.
The whole point is you cannot get x from y.

However for your library to be any use at all,
it needs to already support that the
computer/user that runs it to verify
signatures don't know the private key
either.

So somewhere you should already have a way
to input ((p, q, g), y) and use that to
verify a signature.

> *De:*openssl-users [mailto:openssl-users-bounces at openssl.org] *Em nome 
> de *Marcus Vinicius do Nascimento
> *Enviada em:* terça-feira, 12 de maio de 2015 17:06
> *Para:* openssl-users at openssl.org
> *Assunto:* [openssl-users] RES: Testing OpenSSL based solution
>
> Thanks for both answers.
>
> I tried using Y as the public key, but ssl seems not to accept that.
>
> Here is the error scenario:
>
> From the FIP file:
>
> [mod = 1024]
>
> P = 
> fda5442483ccf7a12399d6c13d56ff882d689524f1885fcb7424e26da2d200a1657b631dcc74c73ecbd89fe42cc554b7062835c73d7203161e09742392b2b7c75253eea04a0b55d511646fbe2e81a9d80463e956527f8d6d42f4193984d5dcc6a8dadff80f31e44405840828581f013e074859b885908aaab30d87660bbaf8cb
>
> Q = dc678f95c673538f74dcbf67a80454c843937795
>
> G = 
> efd89f2dcf6e6a6a77cf18f238b2419de127864218eb4550c9e1a73085f97d7988322d7eea91590646373aa66f7a3d0994cb5ac741a19874eb9e79862b000e5978f3305bb70be4f987a12a686167316e663f4de995b36e74062e39a79a4b30e4d36977276e3d33c5165911d303d5682f8e0a96c510e1d9606d09b5573a675362
>
> Msg = 
> 58b7b3639a8d99babfe57f814024c5e7a0893bcf47b692768e6c11561796894b5f898bf5968ad85dae9019dbb24cd13759678f0edb0b687703a4a4e785e8b85293157593ab797e0eb338ff94474a9c8752c3a83edb5798aa221db73aec931bfd1be3d70781647215f6649874a825101eb325ee27f2a20a57145eb019f2a09993
>
> Y = 
> 808998aecbc5ab4679bf215e2166b371d249bb6e4bfc3404f2bcd2aaf61770851d236668252a11f061fb54067ddaa97ed7bf5a5c836db02e5b1f9f1a627ac1eb2dcfa484ed5fef383f4bae7aa18a3ef9ea94bab83439ccf261ec52529f298050b27df185eecccf8caa44b529c8fcbd88c6a33cc42b5b17244ea9e1099686a92b
>
> R = 33bf9a15b6823e7c5583f94bcea2f0439a881f8c
>
> S = 48feaff1ec4803fb88fdc70773d9ac7b84905d3a
>
> Result = P
>
> So I tried reformatting Y to pass it to PEM_read_bio_DSAPrivateKey.
>
> Converting Y to Base64 = 
> "gImYrsvFq0Z5vyFeIWazcdJJu25L/DQE8rzSqvYXcIUdI2ZoJSoR8GH7VAZ92ql+179aXINtsC5bH58aYnrB6y3PpITtX+84P0uueqGKPvnqlLq4NDnM8mHsUlKfKYBQsn3xhe7Mz4yqRLUpyPy9iMajPMQrWxckTqnhCZaGqSs="
>
> Reformatting in PEM format = "-----BEGIN DSA PRIVATE KEY-----
>
> gImYrsvFq0Z5vyFeIWazcdJJu25L/DQE8rzSqvYXcIUdI2ZoJSoR8GH7VAZ92ql+
>
> 179aXINtsC5bH58aYnrB6y3PpITtX+84P0uueqGKPvnqlLq4NDnM8mHsUlKfKYBQ
>
> sn3xhe7Mz4yqRLUpyPy9iMajPMQrWxckTqnhCZaGqSs=
>
> -----END DSA PRIVATE KEY-----
>
> "
>
> Code that matters:
>
> BIO * keybio = BIO_new_mem_buf(const_cast<char *>(key.c_str()), -1);
>
> if (keybio == NULL)
>
> {
>
> errormsg = "Can not create DSA key";
>
> return 0;
>
> }
>
> DSA *dsa = PEM_read_bio_DSAPrivateKey(keybio, &dsa, NULL, NULL);
>
> if (dsa == NULL)
>
> {
>
> errormsg = "Can not read DSA key";
>
> }
>
> return dsa;
>
> PEM_read_bio_DSAPrivateKey fails.
>
> Am I missing something here?
>
> *De:*openssl-users [mailto:openssl-users-bounces at openssl.org] *Em nome 
> de *Jakob Bohm
> *Enviada em:* terça-feira, 12 de maio de 2015 15:42
> *Para:* openssl-users at openssl.org
> *Assunto:* Re: [openssl-users] Testing OpenSSL based solution
>
> On 12/05/2015 20:10, Salz, Rich wrote:
>
>     You can't easily have test vectors for DSA signatures since they include a random.  Any test vector would have to include the random, and any API would have to be able to accept the random as part of the "sign" API.  Verification should be okay.
>
>       
>
>       
>
>
> What Mr. Salz refers to by "Verification should be okay"
> is probably this:
>
> You can have test vectors in the form of known good
> signatures with public keys listed in the test vector.
> For DSA, those would be the (message, y, r, s) quads
> mentioned by the OP (y is the public key, (r, s) is the
> signature), depending on his class library, it might be
> possible to reformat those vectors to the format used
> by his code for real messages.
>
> The importance of such test vectors is to detect if an
> implementation is accidentally implementing a different
> signature algorithm (such as accidentally appending a 0
> byte to each message both during signing and
> verification).  This would not be detected by signing
> and verifying sample messages with random parameters.
>

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded