[EXTERNAL] Using openssl-rsautl for verifying signatures.
philipp_subx at redfish-solutions.com
Fri May 6 17:51:04 UTC 2022
Ah, that worked, thanks.
> On May 6, 2022, at 12:43 AM, Tomas Mraz <tomas at openssl.org> wrote:
> Please look at
> If you want to use the old PKCS1 v1.5 padding then just replace
> RSA_PKCS1_PSS_PADDING with RSA_PKCS1_PADDING.
> On Thu, 2022-05-05 at 10:35 -0600, Philip Prindeville wrote:
>> Bonjour. Et milles mercis.
>> That was helpful.
>> One more question: if I want to reproduce RSA_sign() (and
>> RSA_verify()) using evp_key_sign() and evp_key_verify() then I'll
>> need add code to do the ASN.1 marshaling, right? There's no
>> convenience function to do that (seems like an oversight if that's
>> the case)?
>>> On May 4, 2022, at 3:45 AM, Erwann Abalea
>>> <Erwann.Abalea at docusign.com> wrote:
>>> The ASN.1 structure (it's a DigestInfo) is part of the PKCS#1 v1.5
>>> padding for signature operations.
>>> PKCS#1v1.5 is rewritten in RFC2313.
>>> Using the command line tool, you can reproduce this:
>>> echo -n "Mary had a little lamb." > datatosign
>>> either one of the following can be used to sign data:
>>> openssl dgst -sha1 -sign tests/keys/rsa_key1.key datatosign >
>>> openssl pkeyutl -inkey tests/keys/rsa_key1.key -in <(openssl dgst
>>> -sha1 -binary datatosign) -sign -pkeyopt digest:sha1 > signing
>>> and you can display the signature either way (this will not
>>> "verify", it will only perform the RSA verify operation with
>>> PKCS#1v1.5 padding, without checking the validity or even if what
>>> has been signed is a DigestInfo structure, and output the result of
>>> the RSA operation):
>>> openssl rsautl -verify -inkey tests/keys/rsa_key1.pub -pubin -in
>>> signing -asn1parse
>>> openssl pkeyutl -verifyrecover -inkey tests/keys/rsa_key1.pub -
>>> pubin -in signing -asn1parse
>>> or you can actually verify the thing without displaying the result
>>> of the RSA verify crypto operation:
>>> openssl pkeyutl -verify -inkey tests/keys/rsa_key1.pub -pubin -in
>>> <(openssl dgst -sha1 -binary datatosign) -sigfile signing -pkeyopt
>>> openssl dgst -verify tests/keys/rsa_key1.pub -signature signing -
>>> sha1 datatosign
> Tomáš Mráz, OpenSSL
More information about the openssl-users