[openssl-users] RSA sign using SHA256 with mgf1 padding

[Dr. Stephen Henson]

On Mon, Aug 29, 2016, Moshe Wiener (mowiener) wrote:

> Hello,
> I'm running an application which runs an authentication session with a server. The server provides some random data, and my application needs to sign it with its private key, and send back the signature. The server which knows the public key verifies the signature, and it good then the client which runs my application is authenticated.
> This session used to run OK, until the server was changed so instead of using PKCS#1_v1.5 now it uses PKCS#1_v2.1
> Now, the server uses signature algorithm of SHA256 WITH RSA AN DMGF1.
> In my application I use OpenSSL.
> I think that I need to use 'RSA_padding_add_PKCS1_OAEP_mgf1' but couldn't figure out what to put in each of its arguments.
> Is there somewhere a sample code which implements RSA signature with mgf1 padding and a SHA256 hash?

While you can call the low level RSA padding functions directly that is not
recommended.

You should instead use the EVP functions to sign the data with the padding
mode switched to PSS.

In outline:

Call EVP_DigestSignInit(), set digest, and key and get the EVP_PKEY_CTX
associated with the operation.

Use the EVP_PKEY_CTX to change the padding mode to PSS. You do this with:
EVP_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING).

(optional)use the EVP_PKEY_CTX to change other parameters such as the salt
length.

Call EVP_DigestSignUpdate() with the data to be hashed.

Obtain the signature with EVP_DigestSignFinal().

If that isn't clear I can come up with some sample code.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org