> From: Matt Caswell [mailto:fr...@baggins.org]
> Sent: Wednesday, January 22, 2014 18:01

Second pass with some minor improvements:

> On 22 January 2014 22:40, Dave Thompson <dthomp...@prinpay.com> wrote:
> >
> > The general public-key sign and verify processes are:
> > S1. compute hash of data (or for CMS, hash of data-hash plus some other bits)
> > S2. generate signature for hash S1 using private key (RSA, DSA, or ECDSA)
> > S3. send signature with or linked to data, and cert(s) if needed
> > V0. receive signature and data, and receive or otherwise obtain certs if used
> > [even more general: get trustworthy public key, *usually* by means of cert(s)]
> > V1. compute hash of data (or for CMS as above) - should always be same as S1
> > V2. verify received signature for hash V1 using public key
> >
> > For RSA only (and with minor exceptions) S2 breaks down as:
> > S21. encode hashvalue plus OID for hash in ASN.1
> > S22. "pad" S21, classically PKCS#1(v1.5) which truly just pads; an alternative
> > now is PSS which mixes up S21 in a complicated way but is still called padding
> > S23. modexp S22 to private exponent d mod n
> > and V2 breaks down as:
> > V21. modexp signature to public exponent [e] mod n, which recovers S22
> > V22. "unpad" V21 using the same method as S22, which recovers S21
> > V23. un-encode V22=S21 and match to expected hashvalue and OID
> >
> > (old) EVP_Sign/Verify* does all of these steps, [except CMS first hash]
> > [and so does new EVP_DigestSign/Verify* but not EVP_PKEY_sign/verify]
>
> Good answer! Just for clarity, it does not do S3 or V0. Sending and
> receiving the data is up to you if you use these functions.
>
Right, none of the EVP-level (or lower) calls do S3 and V0. I first wrote that message with only S1, S2 and V1, V2 to explain the difference of the EVP_PKEY calls; then I thought it would help to include how sign links to verify, so I added S3 and V0 but forgot to fix the wording.
S3 and V0 are sometimes handled by other parts of openssl, such as SSL protocol or CMS, and sometimes elsewhere like openssh or a custom application (which might be as simple as 'dgst -sign', file copy, and 'dgst -verify'). But while fixing your quoting, I also noticed some small errors and one incompleteness, fixed.
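The RSA breakdown above (S21-S23 on the signing side, V21-V23 on the verifying side) and the split between EVP_PKEY_sign/verify (hash supplied by the caller) and EVP_DigestSign/Verify (hash computed for you), as an added pure-Python illustration that is not from this thread or from OpenSSL. It assumes SHA-256 with PKCS#1 v1.5 padding and a constructed, deliberately weak key built from two Mersenne primes so that it runs offline with no key generation.

```python
import hashlib

# S21: DER DigestInfo prefix (SHA-256 OID, NULL params, OCTET STRING header)
# from RFC 8017 section 9.2 note 1; the 32-byte hash value is appended to it.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed demo key from two Mersenne primes, so the example is deterministic.
# Such a key is trivially factorable and exists only to show the encoding steps.
P, Q, E = (1 << 127) - 1, (1 << 521) - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes (81 for this key)

def emsa_pkcs1_v15(digest, k=K):
    """S21 + S22: hash plus its OID encoded in ASN.1, then PKCS#1 v1.5 padded to k bytes."""
    t = SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def pkey_sign(digest, n=N, d=D):
    """Like EVP_PKEY_sign: takes an already computed hash and does only S21-S23."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(digest, k), "big")
    return pow(em, d, n).to_bytes(k, "big")          # S23: modexp to d mod n

def pkey_verify(digest, sig, n=N, e=E):
    """Like EVP_PKEY_verify: V21 modexp to e, then V22/V23 by comparing the whole
    recovered block with the expected encoding instead of parsing the padding."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")  # V21 recovers S22
    return em == emsa_pkcs1_v15(digest, k)                         # V22 + V23

def digest_sign(data, n=N, d=D):
    """Like EVP_DigestSign / EVP_Sign: S1 (hash the data) and then S2."""
    return pkey_sign(hashlib.sha256(data).digest(), n, d)

def digest_verify(data, sig, n=N, e=E):
    """Like EVP_DigestVerify / EVP_Verify: V1 (hash the data) and then V2."""
    return pkey_verify(hashlib.sha256(data).digest(), sig, n, e)
```

Verification rebuilds the expected encoded block and compares it whole, rather than pulling the hash out of whatever padding the recovered value happens to contain, which is the safer way to perform V22 and V23.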