using the DSA signature algorithm of OpenSSL
Elmar Stellnberger
estellnb at elstel.org
Mon Jun 14 09:34:36 UTC 2021
Oops, forgot to sha1; now it works.
Am 14.06.21 um 11:20 schrieb Elmar Stellnberger via openssl-users:
> I wanna use the DSA signature algorithms of OpenSSL to verify RRSIG
> and DNSKEY DNSSEC resource records. This is described in RFC2536 (a very
> short RFC).
> As far as I could try it out (see my attachement) there are two ways
> to sign and verify with OpenSSL/DSA: via the EVP interface and via the
> DSA interface directly. If I try to sign with one method and verify with
> the other that fails. What standards do these methods conform to, what
> is the difference between them and what do I need for my purpose? Also I
> have found two different ways to create a DSA key yielding apparently
> different results (see the sample code). Basically for me it is about
> verifying signatures, not about creating such signatures.
>
> <<program output:>>
> (pub)key:
> 3081F13081A906072A8648CE38040130819D024100EECFDC5C3B730FE9D0A3D25C4B8EF27A7F93D7A8A0047065DB55D881A40CC11A620D65C5BD3A720D187300B25A59E051CCB203BBE13731FC7E65B6371D1CFDD9021500B6334A5665A680A9D017C760CFDEF2FD1FECF6A90241008D7623CF35A041F469B32EDA37ECF551485154047E11FE10DA003FEAB1DF88007860C1F0AE32990B29B52EE6DB6BAFDF1A7FF9FD76CFD5B417861ABE3782F4C3034300024019A7A450C6FE998742DF5D3E0F59C2E9D7D90D6861DA6E912AEB66BCA202FFBE981A381414213BB5504B582AC27A1ACFB8B203366A076BCCF179FC471C2E4CB7
>
> asn1 repr of pubkey is the same
> signed message: (method #1, DSA interface)
> 302C02146F4A174CF347EF3FD2796D1858CADBD4A033DA1F02147DA2FB1329E82509C699806D92BB0713272C1651
>
> signed message: 46 Bytes
> signature valid
> signed message: (method #2, EVP interface)
> 302C02142F5296C21FA0956049F124A58621084ADF680BB402140BDD997234B82C901999FA096EFB697D864086BD
>
> signed message: 46 Bytes
> authentic (verified with the same method)
> invalid signature (verified with the other first method)
More information about the openssl-users
mailing list