using the DSA signature algorithm of OpenSSL

Elmar Stellnberger estellnb at
Mon Jun 14 09:20:45 UTC 2021

   I wanna use the DSA signature algorithms of OpenSSL to verify RRSIG 
and DNSKEY DNSSEC resource records. This is described in RFC2536 (a very 
short RFC).
   As far as I could try it out (see my attachment) there are two ways 
to sign and verify with OpenSSL/DSA: via the EVP interface and via the 
DSA interface directly. If I try to sign with one method and verify with 
the other, that fails. What standards do these methods conform to, what 
is the difference between them and what do I need for my purpose? Also I 
have found two different ways to create a DSA key yielding apparently 
different results (see the sample code). Basically for me it is about 
verifying signatures, not about creating such signatures.

<<program output:>>
asn1 repr of pubkey is the same
signed message: (method #1, DSA interface)
signed message: 46 Bytes
signature valid
signed message: (method #2, EVP interface)
signed message: 46 Bytes
authentic  			(verified with the same method)
invalid signature		(verified with the other first method)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dsatest_nolib.c
Type: text/x-csrc
Size: 5191 bytes
Desc: not available
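
RFC 2536 carries the signature as a fixed 41-byte field T | R | S, while OpenSSL's DSA verification calls (DSA_verify, EVP_DigestVerifyFinal) take a DER-encoded SEQUENCE of two INTEGERs. The following is an added example, not part of the original post or its scrubbed attachment, that converts the wire form to DER in plain C; the helper names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define RFC2536_SIG_LEN 41   /* T (1) | R (20) | S (20) */
#define DSA_DER_MAX     48   /* 2 + 2 * (2 + 21) */

/* Write one 20-byte big-endian unsigned value as a DER INTEGER (3..23 bytes). */
static size_t der_put_uint160(const unsigned char *v, unsigned char *out)
{
    size_t skip = 0, n, pad;

    while (skip < 19 && v[skip] == 0)      /* DER wants minimal length */
        skip++;
    n = 20 - skip;
    pad = (v[skip] & 0x80) ? 1 : 0;        /* keep the INTEGER positive */
    out[0] = 0x02;                         /* tag: INTEGER */
    out[1] = (unsigned char)(n + pad);     /* short-form length */
    if (pad)
        out[2] = 0x00;
    memcpy(out + 2 + pad, v + skip, n);
    return 2 + pad + n;
}

/* Convert an RFC 2536 signature field (hypothetical helper name) into DER
 * SEQUENCE { r, s }. out must hold DSA_DER_MAX bytes; returns 0 on bad input. */
size_t rfc2536_sig_to_der(const unsigned char *sig, size_t siglen,
                          unsigned char *out)
{
    size_t len;

    if (sig == NULL || out == NULL || siglen != RFC2536_SIG_LEN)
        return 0;
    if (sig[0] > 8)                        /* T: key size parameter, 0..8 */
        return 0;
    len  = der_put_uint160(sig + 1,  out + 2);        /* R */
    len += der_put_uint160(sig + 21, out + 2 + len);  /* S */
    out[0] = 0x30;                         /* tag: SEQUENCE */
    out[1] = (unsigned char)len;           /* at most 46, short form */
    return 2 + len;
}

/* Constructed sample (not a real signature): R has its top bit set, S a leading zero. */
const unsigned char sample_sig[RFC2536_SIG_LEN] = {
    0x08,
    0x80,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    0x00,0x01,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,
    0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22
};
```

DSA_verify takes the already-computed digest of the signed data, whereas the EVP_DigestVerify* calls hash the data themselves, so the same DER signature is checked against different inputs depending on the interface.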