> From: owner-openssl-us...@openssl.org on behalf of aqueelmirza <aqueelmi...@gmail.com>
> Sent: Thursday, October 10, 2013 06:43
> I tried replacing strlen(reply) with 20 but we are getting same result as
> before.
>
Yes, a sha1 hash should be 20 bytes, but see below.

> I am attaching reference files with this message. While trying this
> solution, sometimes we were getting following error as well.
> RSA operation error
> 140735121490396:error:0406706C:rsa
> routines:RSA_EAY_PUBLIC_DECRYPT:data
> greater than mod len:rsa_eay.c:680:
>
> Can you please guide me?
>
That means there's something very wrong with your signature value, or you've got keys of different lengths confused. If you are only using one key, make sure the signature is the correct size (128 bytes for the key and data you linked) and byte for byte the same as when generated. Are you copying it as binary? If not, as your use of suffix .txt suggests, many methods for copying text change some bytes in some cases.

> result.txt <http://openssl.6102.n7.nabble.com/file/n46847/result.txt>
> signature.txt <http://openssl.6102.n7.nabble.com/file/n46847/signature.txt>
> publicKey.pem <http://openssl.6102.n7.nabble.com/file/n46847/publicKey.pem>
>
me:~/ossx/play $ od -t x1 <result.txt
0000000 30 26 30 09 06 05 2b 0e 03 02 0b 05 00 04 19 54
0000020 6f 70 20 6f 66 20 74 68 65 20 6d 6f 72 6e 69 6e
0000040 67 20 74 6f 20 79 6f 75
0000050
me:~/ossx/play $ openssl asn1parse -inform der <result.txt
0:d=0 hl=2 l= 38 cons: SEQUENCE
2:d=1 hl=2 l= 9 cons: SEQUENCE
4:d=2 hl=2 l= 5 prim: OBJECT :rsaSignature
11:d=2 hl=2 l= 0 prim: NULL
13:d=1 hl=2 l= 25 prim: OCTET STRING :Top of the morning to you

That is the usual encoding for an RSA signature on something that is not a SHA1 hash: definitely wrong length, and happens to be valid text which a hash value will only once in a zillion years.

Except I don't understand why you got 1.3.14.3.2.11 rsaSignature; NID_sha1 should be 1.3.14.3.2.26.
I get ..26 for a simple test program also for dgst -sign and pkeyutl -sign -pkeyopt digest: using sha1 (in 1.0.1e, but it doesn't look like this has changed in many years). Before (or instead of) signing, please try

    /* needs <stdio.h> and <openssl/objects.h> */
    char buf [40]; /* or some other buffer if handy */
    int nid = OBJ_sn2nid ("SHA1"); /* look up the NID by short name */
    OBJ_obj2txt (buf, sizeof buf, OBJ_nid2obj (nid), 1); /* 1 = numeric OID form */
    fprintf (stderr, "const %d check %d is oid %s\n", NID_sha1, nid, buf);

Looking back I see you called RSA_sign on something you say is 'sha1 hashed data'. You actually passed a 19-char text string, not any SHA1 hash. Check your hashing logic. But OpenSSL doesn't verify the length here and it just signs your text as if it were a hash.

The standard (PKCS1) sequence for RSA signing is:
1 hash the data (SHA-1, MD-5, SHA-256, etc);
2 encode the hash with an 'algorithm identifier' in ASN.1 (since these hashes have no parameters, and produce fixed length results, this amounts to adding a fixed header);
3 pad the result to the size of the RSA key/modulus (classically by what is often still called PKCS1 padding but can be distinguished as PKCS1v1.5 or type1, or PSS also in PKCS1);
4 the mathematical RSA operation, modexp with private exponent.

RSA_sign does 2 through 4, assuming you did 1, but you actually didn't. EVP_[Digest]Sign* does all of 1 through 4, handling the hash for you.

Verification is basically the reverse:
4 RSA modexp with public exponent
3 check and remove padding
2 (check and) extract signer's hash from ASN.1
1 compare signer's hash to recomputed hash

rsautl -verify, in spite of the name, does only 4 and 3, not 2 or 1. You can do 2 yourself, but easier to use

    pkeyutl -verifyrecover -inkey $keyfile -pkeyopt digest:sha1

which does 4 through 2. Or use dgst -verify or in code EVP_[Digest]Verify* to do everything, but only if you actually signed a hash.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
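
Added example, not part of the original message and not OpenSSL code: a self-contained C check for signing step 2 and verification step 2 as the reply describes them, run over the result.txt bytes from the od dump and over a constructed digest (SHA-1 of the empty string). The function and constant names are made up for this illustration, and only short-form DER lengths are handled.

```c
#include <stdio.h>
#include <string.h>

enum { DI_OK = 0, DI_BAD_OID = 1, DI_BAD_LEN = 2, DI_MALFORMED = 4 };
/* Fixed DER header for SHA-1: SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING(20) } */
static const unsigned char SHA1_HDR[15] = {
    0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14 };
/* result.txt, byte for byte as in the od dump in the message (40 bytes). */
static const unsigned char RESULT_TXT[40] = {
    0x30,0x26,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x0b,0x05,0x00,0x04,0x19,0x54,
    0x6f,0x70,0x20,0x6f,0x66,0x20,0x74,0x68,0x65,0x20,0x6d,0x6f,0x72,0x6e,0x69,0x6e,
    0x67,0x20,0x74,0x6f,0x20,0x79,0x6f,0x75 };
/* Constructed sample input: the SHA-1 digest of the empty string. */
static const unsigned char EMPTY_SHA1[20] = {
    0xda,0x39,0xa3,0xee,0x5e,0x6b,0x4b,0x0d,0x32,0x55,
    0xbf,0xef,0x95,0x60,0x18,0x90,0xaf,0xd8,0x07,0x09 };

/* Signing step 2: fixed 15-byte header followed by the 20-byte hash. */
size_t build_sha1_digestinfo(const unsigned char hash[20], unsigned char out[35])
{
    memcpy(out, SHA1_HDR, 15);
    memcpy(out + 15, hash, 20);
    return 35;
}

/* Verification step 2: d/n is what remains after the public-key operation and
 * padding removal. Returns DI_OK, DI_MALFORMED, or DI_BAD_OID | DI_BAD_LEN bits. */
int check_sha1_digestinfo(const unsigned char *d, size_t n)
{
    int flags = DI_OK;
    if (n < 15 || n > 129 || d[0] != 0x30 || d[1] != n - 2 ||
        d[2] != 0x30 || d[3] != 0x09 || d[4] != 0x06 || d[5] != 0x05 ||
        d[11] != 0x05 || d[12] != 0x00 || d[13] != 0x04 || d[14] != n - 15)
        return DI_MALFORMED;            /* not the expected DER layout */
    if (memcmp(d + 6, SHA1_HDR + 6, 5) != 0) flags |= DI_BAD_OID;
    if (d[14] != 20) flags |= DI_BAD_LEN;   /* a SHA-1 hash is 20 bytes */
    return flags;
}

int main(void)
{
    unsigned char di[35];
    build_sha1_digestinfo(EMPTY_SHA1, di);
    printf("real hash: %d, result.txt: %d\n", check_sha1_digestinfo(di, sizeof di),
           check_sha1_digestinfo(RESULT_TXT, sizeof RESULT_TXT));
    return 0;
}
```

The result.txt bytes fail both checks: the OID ends in 0x0b rather than 0x1a, and the OCTET STRING holds 25 bytes of text instead of a 20-byte digest.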