Re: Problem with DSA signing/verification

Wed, 04 Dec 2013 15:36:24 -0800 

On 4 December 2013 22:38, Dave Thompson <dthomp...@prinpay.com> wrote:
> In addition to the misplaced paren already noted, and also a surplus paren,
>
> which I’ll assume were typos since they wouldn’t have compiled,
>

I think it could compile (unless there is another surplus paren I
haven't seen?):

EVP_SignInit(ctx, EVP_sha256() == 1)

As EVP_sha_256() is not equal to 1, this is the same as

EVP_SignInit(ctx, 0)

So effectively a NULL digest is being passed. This should fail
although the OP omitted to show the actual code for printing the error
in this case. In any case the return value from the OP's do_sign
method is not being checked.




> your test program won’t ever succeed, because you aren’t verifying
>
> the same data you signed. You memset ver_data to all zero bytes,
>
> and then use strlen(ver_data) bytes of it, which is always no bytes at all.
>

Actually ver_data is memset is set to zero bytes and then strlen(data)
is calculate (not ver_data)...but it amounts to the same thing. The OP
needs to pass the original data to be verified.



>
>
> However, this wouldn’t cause the error you show, it would cause “not
> verified”
>
> i.e. EVP_VerifyFinal returns 0 with no error queue.
>
>
>
> All of the places I can see dsa_do_verify sets that error look like
>
> “should never happen” cases, unless there is something wrong with
>
> your (public)key structure. And the command you showed (dsa –pubout)
>
> should have generated a valid publickey file.
>

Well looking at the code where this error is raised:

    /* XXX: surely this is wrong - if ret is 0, it just didn't verify;
       there is no error in BN. Test should be ret == -1 (Ben) */
    if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);

Reading the code suggests there is a bug in OpenSSL - helpfully
pointed out in a comment!! :-)

This looks like not an error at all. Just a verify failure.

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to