Problem resolved. I determined my signature algorithm isn't seasoned enough. Crypto++ requires the salt length to be 48 bytes with sha384.
On Thursday, October 13, 2016 at 11:18:52 AM UTC-4, Chris Rhoads wrote: > > I have a test application that is based on source code posted on > https://www.cryptopp.com/wiki/X.509. I've been unable to verify the > signature of an X.509 certificate that was signed with the following > algorithm: > > Signature Algorithm: rsassaPss > Hash Algorithm: sha384 > Mask Algorithm: mgf1 with sha384 > Salt Length: 0x14 (default) > Trailer Field: 0xBC (default) > > x509.exe (my test application) output: > > $ x509.exe rootcert.pem cacert.pem > Signature algorithm is RSASSA-PSS. > Hash algorithm is SHA384. > Signature verification failed. > > But it succeeds if the certificate signature used the following algorithm: > > Signature Algorithm: rsassaPss > Hash Algorithm: sha1 (default) > Mask Algorithm: mgf1 with sha1 (default) > Salt Length: 0x14 (default) > Trailer Field: 0xBC (default) > > x509.exe (my test application) output: > > $ x509.exe rootcert.pem cacert.pem > Signature algorithm is RSASSA-PSS. > Hash algorithm is SHA1. > The signature verified. > > The test keys and certificates that I'm using were generated with OpenSSL. > > If you can determine why I'm unable to verify the signature of my sha384 > certificates, I would greatly appreciate the help! > > === > > I'm using the following code versions: > > Operating System: Windows 7 Professional Service Pack 1 > Compiler: Microsoft Visual C++ 2008 (yes, I know we are now in 2016) > Crypto++ Library: version 5.6.5 > OpenSSL: version 1.1.0b > > > The scripts I used to create the keys and certificates with OpenSSL are > the attached; note I'm executing these commands in a Git Bash command shell > (MINGW64): > > sha1 certificates: sha1.zip\sha1\openssl_sha1.sh > sha384 certificates: sha384.zip\sha384\openssl_sha384.sh > > openSSL configuration files (used with both scripts above): > > root certificate configuration file: openssl_config_root.txt > CA certificate configuration file: openssl_config_ca.txt > > If you don't want to go through the process of creating your own > certificates, I've attached mine (and associated test keys) that were > generated with the scripts above: > > sha1 certificates: sha1.zip\sha1\rootcert.pem and > sha1.zip\sha1\cacert.pem > > sha384 certificates: sha384.zip\sha384\rootcert.pem and > sha384.zip\sha384\cacert.pem > My test application source code is attached: > > x509.cpp > > Thanks! > -Chris > > -- -- You received this message because you are subscribed to the "Crypto++ Users" Google Group. To unsubscribe, send an email to [email protected]. More information about Crypto++ and this group is available at http://www.cryptopp.com. --- You received this message because you are subscribed to the Google Groups "Crypto++ Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
