using the DSA signature algorithm of OpenSSL

Elmar Stellnberger estellnb at elstel.org
Mon Jun 14 09:20:45 UTC 2021


   I wanna use the DSA signature algorithms of OpenSSL to verify RRSIG 
and DNSKEY DNSSEC resource records. This is described in RFC2536 (a very 
short RFC).
   As far as I could try it out (see my attachment) there are two ways 
to sign and verify with OpenSSL/DSA: via the EVP interface and via the 
DSA interface directly. If I try to sign with one method and verify with 
the other that fails. What standards do these methods conform to, what 
is the difference between them and what do I need for my purpose? Also I 
have found two different ways to create a DSA key yielding apparently 
different results (see the sample code). Basically for me it is about 
verifying signatures, not about creating such signatures.

<<program output:>>
(pub)key: 
3081F13081A906072A8648CE38040130819D024100EECFDC5C3B730FE9D0A3D25C4B8EF27A7F93D7A8A0047065DB55D881A40CC11A620D65C5BD3A720D187300B25A59E051CCB203BBE13731FC7E65B6371D1CFDD9021500B6334A5665A680A9D017C760CFDEF2FD1FECF6A90241008D7623CF35A041F469B32EDA37ECF551485154047E11FE10DA003FEAB1DF88007860C1F0AE32990B29B52EE6DB6BAFDF1A7FF9FD76CFD5B417861ABE3782F4C3034300024019A7A450C6FE998742DF5D3E0F59C2E9D7D90D6861DA6E912AEB66BCA202FFBE981A381414213BB5504B582AC27A1ACFB8B203366A076BCCF179FC471C2E4CB7
asn1 repr of pubkey is the same
signed message: (method #1, DSA interface)
302C02146F4A174CF347EF3FD2796D1858CADBD4A033DA1F02147DA2FB1329E82509C699806D92BB0713272C1651
signed message: 46 Bytes
signature valid
signed message: (method #2, EVP interface)
302C02142F5296C21FA0956049F124A58621084ADF680BB402140BDD997234B82C901999FA096EFB697D864086BD
signed message: 46 Bytes
authentic  			(verified with the same method)
invalid signature		(verified with the other first method)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dsatest_nolib.c
Type: text/x-csrc
Size: 5191 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210614/a58a258e/attachment.c>
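
Added example, not part of the original post or its attachment: RFC 2536 carries a DSA signature in RRSIG/SIG RDATA as 41 raw bytes (T | R | S), while the signatures printed above are DER-encoded (`30 2C 02 14 ...`, a SEQUENCE of two INTEGERs), so the wire form has to be re-encoded before it is handed to a DER-based verify call. The function name `dnssec_dsa_sig_to_der` and the sample bytes in `main` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_DSA_SIG_LEN 41   /* RFC 2536: T (1 octet) | R (20) | S (20) */
#define DER_DSA_SIG_MAX 48   /* 2 + 2 * (2 + 1 + 20) */

/* Write one 20-byte big-endian value as a DER INTEGER; returns bytes written. */
static size_t der_put_int(const uint8_t *v, uint8_t *out)
{
    size_t n = 20, pad;
    while (n > 1 && *v == 0) { v++; n--; }   /* DER wants the minimal length */
    pad = (*v & 0x80) ? 1 : 0;               /* leading 0x00 keeps it non-negative */
    out[0] = 0x02;
    out[1] = (uint8_t)(n + pad);
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, v, n);
    return 2 + pad + n;
}

/* Hypothetical helper: RFC 2536 signature -> DER SEQUENCE { INTEGER r, INTEGER s }.
 * Returns the DER length, or 0 if the input is malformed or out is too small. */
size_t dnssec_dsa_sig_to_der(const uint8_t *sig, size_t sig_len,
                             uint8_t *out, size_t out_cap)
{
    size_t len;
    if (sig == NULL || out == NULL) return 0;
    if (sig_len != DNS_DSA_SIG_LEN || out_cap < DER_DSA_SIG_MAX) return 0;
    if (sig[0] > 8) return 0;                /* RFC 2536 reserves T > 8 */
    len  = der_put_int(sig + 1,  out + 2);   /* R */
    len += der_put_int(sig + 21, out + 2 + len);   /* S */
    out[0] = 0x30;
    out[1] = (uint8_t)len;                   /* at most 46: short-form length */
    return 2 + len;
}

int main(void)
{
    uint8_t raw[DNS_DSA_SIG_LEN] = {0}, der[DER_DSA_SIG_MAX];
    size_t i, n;
    raw[1] = 0x80; raw[40] = 0x01;   /* constructed sample: T=0, r=0x80 00..00, s=1 */
    n = dnssec_dsa_sig_to_der(raw, sizeof raw, der, sizeof der);
    for (i = 0; i < n; i++) printf("%02X", der[i]);
    printf("\n");
    return n ? 0 : 1;
}
```

The constructed sample exercises both edge cases of the INTEGER encoding: a high bit that needs a `0x00` prefix and leading zero bytes that must be stripped.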

