Hello,

When I had a problem with verifying an RSA signature, I was hinted by Bob Relyea that the VFY_* functions are better to use than PK11_Verify when trying to verify a signature given the digest of what was actually signed.

I was intrigued by that (it helped solve a related problem I had), so I investigated further. Fair enough, the NSS documentation said the same thing: that VFY_VerifyDigest is a higher-level function and is, thus, preferable to PK11_Verify. Can somebody elaborate a little more about why one is better than the other?

I went to the VFY_VerifyDigest code and I saw in vfy_VerifyDigest that:

- for signatures produced with the RSA encryption algorithm, it would decrypt the signature using the public key and simply compare the result to the digest given.
- for DSA and EC signatures, however, vfy_VerifyDigest would delegate the task to PK11_Verify.

(Reference: http://lxr.mozilla.org/security/source/security/nss/lib/cryptohi/secvfy.c#600)

Why does vfy_VerifyDigest treat different signature algorithms differently? Is the reason the difference between the properties of the three signature algorithms, or is it some purely implementation reason? Why doesn't the PKCS#11 token handle verifying RSA signatures, too?

Regards,
Peter

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

