David E. Ross wrote:
This is the way most RSA signing works. The hash is encoded in a PKCS #1 block. If you want to recover the hash, you use PK11_VerifyRecover() (because you are doing a signature verification with recovery).On 10/19/2007 9:49 AM, Wan-Teh Chang wrote:On 10/19/07, David E. Ross <[EMAIL PROTECTED]> wrote:On 10/19/2007 5:35 AM, [EMAIL PROTECTED] wrote:I am currently trying to convert from OpenSSL to NSS (seemed like a good idea at the time). The code that I currently have an issue with is essentially ...key=RSA_new(); if (key) { key->n=BN_bin2bn(IssPubKey,IssPubKeyLgth,NULL); key->e=BN_bin2bn(PubKeyExponent->value,PubKeyExponent->lgth,NULL); decrypt_lgth=RSA_public_decrypt(lgth, value, (unsigned char *)recovered, key, RSA_NO_PADDING); } RSA_free(key); but the key is a public key.Here, X.509 keys are used very much like OpenPGP keys. Public keys encrypt; private keys decrypt. See my <http://www.rossde.com/PGP/pgp_encrypt.html#basic>.The RSA_public_decrypt man page indicates that this is a low-level signature function. You use a public key to decrypt an RSA signature so that you can verify the recovered hash. The NSS function PK11_PubEncryptRaw performs the same mathematical operation as RSA_public_decrypt(..., RSA_NO_PADDING), even though PK11_PubEncryptRaw is originally intended for RSA encryption. Wan-TehYes. That's described at my <http://www.rossde.com/PGP/pgp_signatures.html#generate>. The content is neither encrypted nor decrypted. The content is hashed, creating a hashed digest. The digest is then encrypted by the private key to create the signature. To verify the signature, the signature is decrypted to recover the hashed digest. The content is again hashed and compared against the decrypted digest.
If the code is using PKCS #1, Then this would be the best function to call, Whenever I see RSA_NO_PADDING, (which translates to the raw functions), I get a bit worried because there is not longer any control on the key itself... you can't separate signing/verify and decrypt/encrypt key pairs. There are also subtle issues that come up based on the encoding.
Anyway what function you use depends on how 'standards compliant' the signature scheme is. If you stick with DER AlgorithmID structure, you can make your code completely signature algorithm agnostic, as NSS will automatically find the correct algorithm and apply it.
bob
For digital signatures with RSA keys, the private key is used to encrypt the hashed digest, and the public key is used to recover (decrypt) the digest. This is the reverse of encrypting for security, in which the public key encrypts and the private key decrypts. In OpenPGP with DSS/DH keys, the DSS portion of the key is used for signature encryption, and the DH portion is used for security encryption.
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
