hi Peter,

On Tue, Oct 15, 2002 at 12:43:24PM +0200, Peter de Vroomen wrote:
> Hi Vadim,
>
> I have forwarded this message to the OpenSSL group as well, maybe somebody
> else can give me some good advice too. For people reading this, there was a
> conversation going on before. I have troubles verifying a key using the
> OpenSSL library. The RSA_public_decrypt() function returns an error about
> padding, while I think this function (a) should not know anything about
> padding,

let me repeat it, it should. It expects padded-hash after applying public key
to signature value. It will extract message hash (yes, any 160-bit value) from
padded-hash. Padded-hash structure is defined by PKCS1 and it can't be of any
value. To verify the message, one needs message hash anyway.

Please consider RSA_NO_PADDING in case you do know what you are doing. It
should be considered dangerous and the old ISO padding scheme would be an
example.

> and (b) is buggy,

this function did verify lots of signatures for my projects already

> as the padding was calculated by exactly the same
> library on exactly the same machine (signing and verifying is done on the
> same machine for testing purposes).
>
> > While verifying that signature, public key is applied to get padded-hash
> > and message hash is extracted then. If wrong public key was used,
> > message hash can't be extracted.
>
> Ok, I understand this. What I have is a Perl script that uses the
> Crypt::OpenSSL::RSA library. In that script I use the sign() function to
> sign some data. The following is done:
>
> 1) In the sign() function, an MD5 hash is created from the data, then the
> hash is padded from 160 bits to 1023 bits (wasn't 1024?), and encrypted with
> a private key. This is all in one go and is done in the Perl library.
> 2) I then transform the encrypted data into an octet-string.
> 3) The sign and the data is then returned in a webpage to a user.
>
> The user can post the form on the webpage to a FCGI program that is written
> in C++.
>
> For the C++ program, I have written my own sign() and verify() functions.
> The verify() function does the following:
>
> 4) It converts the octet-string coded sign back to binary representation.
> 5) It decrypts the sign with a corresponding public key (using
> RSA_public_decrypt()).
> 6) It unpads the sign, which gives me back the MD5 hash.
> 7) It then computes its own MD5 hash over the sent data.
> 8) It compares the computed MD5 hash to the decrypted MD5 hash and returns
> true if they are the same.
>
> The problem is that step 5 sometimes returns the error: "RSA_public_decrypt:
> error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not
> 01".
>
> I don't understand why this error is generated while I am only decrypting
> the message. The decryption process should just return the padded sign, and
> not check for padding. Decrypting should make no assumptions about what is
> encrypted, shouldn't it?
>
> I should check the padding myself with a call to
> RSA_padding_check_PKCS1_type_1()...
>
> So, is this a bug in the OpenSSL RSA encryption/decryption libraries?

this is definitely not an OpenSSL bug. The best advice here could be to
determine whether PKCS1 padding fits your project security requirements and,
if yes, follow specifications.

yours,
Vadim

--
Naina library: http://www.unity.net/~vf/naina_r1.tgz
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
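
The padding check discussed in the message above, as an added example that is not part of the original thread and is not OpenSSL's source: a hand-written check of a PKCS#1 v1.5 block type 1 encoding over the full k-byte block recovered by the public-key operation. The function name, result codes and the sample block are this example's own and are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Result codes for the check (names are this example's own). */
enum { PAD_OK = 0, PAD_BAD_LEN = -1, PAD_BAD_TYPE = -2,
       PAD_BAD_FILL = -3, PAD_NO_SEP = -4, PAD_SHORT_PS = -5 };

/* Check a block of the form 00 01 FF..FF 00 D, where em/k is the k-byte
 * block obtained by applying the public key to the signature value.
 * On success *d and *d_len describe the embedded data D (no copy). */
int pkcs1_type1_unpad(const unsigned char *em, size_t k,
                      const unsigned char **d, size_t *d_len)
{
    size_t i;
    if (k < 11)                      /* 3 framing bytes + at least 8 FF bytes */
        return PAD_BAD_LEN;
    if (em[0] != 0x00 || em[1] != 0x01)
        return PAD_BAD_TYPE;         /* the "block type is not 01" case */
    for (i = 2; i < k && em[i] == 0xFF; i++)
        ;                            /* skip the FF padding string */
    if (i == k)
        return PAD_NO_SEP;           /* ran off the end, no 00 separator */
    if (em[i] != 0x00)
        return PAD_BAD_FILL;         /* a non-FF byte inside the padding */
    if (i - 2 < 8)
        return PAD_SHORT_PS;         /* padding string shorter than 8 bytes */
    *d = em + i + 1;
    *d_len = k - (i + 1);
    return PAD_OK;
}

/* Constructed sample: 32-byte block carrying 16 data bytes; with corrupt != 0
 * the type byte is overwritten, as when the block was not produced by the
 * matching private key. */
int demo(int corrupt)
{
    unsigned char em[32];
    const unsigned char *d; size_t n, i;
    em[0] = 0x00; em[1] = 0x01;
    for (i = 2; i < 15; i++) em[i] = 0xFF;
    em[15] = 0x00;
    for (i = 16; i < 32; i++) em[i] = (unsigned char)i;  /* stand-in for a hash */
    if (corrupt) em[1] = 0x5A;
    return pkcs1_type1_unpad(em, sizeof em, &d, &n);
}

int main(void)
{
    printf("good block: %d, corrupted block: %d\n", demo(0), demo(1));
    return 0;
}
```

A verifier that rejects on any non-zero result never hands an unstructured value to the hash comparison, which is the property lost when the check is skipped with RSA_NO_PADDING.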
