using the DSA signature algorithm of OpenSSL

Elmar Stellnberger estellnb at
Mon Jun 14 09:34:36 UTC 2021

Oops, forgot to sha1; now it works.

On 14.06.21 at 11:20, Elmar Stellnberger via openssl-users wrote:
>    I wanna use the DSA signature algorithms of OpenSSL to verify RRSIG 
> and DNSKEY DNSSEC resource records. This is described in RFC2536 (a very 
> short RFC).
>    As far as I could try it out (see my attachment) there are two ways 
> to sign and verify with OpenSSL/DSA: via the EVP interface and via the 
> DSA interface directly. If I try to sign with one method and verify with 
> the other that fails. What standards do these methods conform to, what 
> is the difference between them and what do I need for my purpose? Also I 
> have found two different ways to create a DSA key yielding apparently 
> different results (see the sample code). Basically for me it is about 
> verifying signatures, not about creating such signatures.
> <<program output:>>
> (pub)key: 
> 3081F13081A906072A8648CE38040130819D024100EECFDC5C3B730FE9D0A3D25C4B8EF27A7F93D7A8A0047065DB55D881A40CC11A620D65C5BD3A720D187300B25A59E051CCB203BBE13731FC7E65B6371D1CFDD9021500B6334A5665A680A9D017C760CFDEF2FD1FECF6A90241008D7623CF35A041F469B32EDA37ECF551485154047E11FE10DA003FEAB1DF88007860C1F0AE32990B29B52EE6DB6BAFDF1A7FF9FD76CFD5B417861ABE3782F4C3034300024019A7A450C6FE998742DF5D3E0F59C2E9D7D90D6861DA6E912AEB66BCA202FFBE981A381414213BB5504B582AC27A1ACFB8B203366A076BCCF179FC471C2E4CB7 
> asn1 repr of pubkey is the same
> signed message: (method #1, DSA interface)
> 302C02146F4A174CF347EF3FD2796D1858CADBD4A033DA1F02147DA2FB1329E82509C699806D92BB0713272C1651 
> signed message: 46 Bytes
> signature valid
> signed message: (method #2, EVP interface)
> 302C02142F5296C21FA0956049F124A58621084ADF680BB402140BDD997234B82C901999FA096EFB697D864086BD 
> signed message: 46 Bytes
> authentic              (verified with the same method)
> invalid signature        (verified with the other first method)
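
For the stated goal of verifying RFC 2536 signatures: an RRSIG carries the DSA signature as T | R | S (1 + 20 + 20 octets), whereas both signatures in the program output above (30 2C 02 14 ...) are DER SEQUENCEs of two INTEGERs, which is the form DSA_verify and the EVP verify calls take. The C helper below is an added example, not part of the original post or of OpenSSL; the names rfc2536_sig_to_der and put_der_int are hypothetical and the sample bytes in main are constructed.

```c
#include <stdio.h>
#include <string.h>

#define Q_LEN 20                        /* R and S: 20 octets each (RFC 2536) */
#define RAW_LEN (1 + 2 * Q_LEN)         /* T | R | S as carried in the RRSIG */
#define DER_MAX (2 + 2 * (3 + Q_LEN))   /* SEQUENCE header + two INTEGERs */

/* Write one unsigned big-endian value as a minimal DER INTEGER. */
static size_t put_der_int(unsigned char *out, const unsigned char *v, size_t n)
{
    size_t len = 0;
    while (n > 1 && v[0] == 0) { v++; n--; }    /* strip leading zero octets */
    out[len++] = 0x02;                          /* INTEGER tag */
    out[len++] = (unsigned char)(n + (v[0] >> 7));
    if (v[0] & 0x80) out[len++] = 0x00;         /* pad so it stays positive */
    memcpy(out + len, v, n);
    return len + n;
}

/* Returns the DER length, or 0 if the input is malformed or der is too small. */
size_t rfc2536_sig_to_der(const unsigned char *raw, size_t raw_len,
                          unsigned char *der, size_t der_cap)
{
    unsigned char body[DER_MAX - 2];
    size_t n;
    if (!raw || !der || raw_len != RAW_LEN) return 0;
    if (raw[0] > 8) return 0;                   /* T above 8 is reserved */
    n = put_der_int(body, raw + 1, Q_LEN);
    n += put_der_int(body + n, raw + 1 + Q_LEN, Q_LEN);
    if (der_cap < n + 2) return 0;
    der[0] = 0x30;                              /* SEQUENCE tag */
    der[1] = (unsigned char)n;                  /* n <= 46: short-form length */
    memcpy(der + 2, body, n);
    return n + 2;
}

int main(void)
{
    /* Constructed sample (not a real RRSIG): T=0, R starts 0x80, S starts 0x00 */
    unsigned char raw[RAW_LEN], der[DER_MAX];
    size_t i, n;
    memset(raw, 0x11, sizeof raw);
    raw[0] = 0x00; raw[1] = 0x80; raw[1 + Q_LEN] = 0x00;
    n = rfc2536_sig_to_der(raw, sizeof raw, der, sizeof der);
    for (i = 0; i < n; i++) printf("%02X", der[i]);
    printf("\n");
    return n ? 0 : 1;
}
```

DSA_verify takes the SHA-1 digest of the signed data as its input, not the data itself, while the EVP digest-verify calls hash the data for you.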
