Re: sign/verify kicking my ass
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shaun wrote: | Ok, so then, do I still need to sign the data from seal and verify before I | open? Sign and verify are two different steps. When you do sign and when encrypt depends on your needs. Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJNxQp2iGqZUF3qPYRAtoCAJ9YFgMQAslw6KPw1KOn2759osC6gwCcDiP1 7bqFtoDpWwbxUq8J+ynPIHA= =wKrS -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: sign/verify kicking my ass
Ok, so then, do I still need to sign the data from seal and verify before I open? ~Shaun -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goetz Babin-Ebell Sent: Wednesday, December 03, 2008 2:02 PM To: openssl-users@openssl.org Subject: Re: sign/verify kicking my ass -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shaun R. wrote: | OK, i converted over to EVP_*, the sign/verify works but now i'm | confused about decrypt, for EVP_DecryptInit i need to tell it a CIPHER | but i dont see RSA in the cipher listings on | http://www.openssl.org/docs/crypto/EVP_EncryptInit.html# Looking closer | at the man page it looks like RSA isnt considered a cipher, what should | i be using to decrypt RSA messages? Ahem, I really should read the manuals for the functions I recommend ;-) EVP_Encrypt_* and EV_Decrypt_* are for encrypting / decrypting messages with symmetric ciphers. Using RSA to encrypt / decrypt is a little bit more complicated: You do not use RSA to encrypt/decrypt the message, you encrypt/decrypt your message with a symmetric cipher. But since you need the key for the symmetric cipher at both ends, you usually encrypt this key with RSA so the recipient having the private key can decrypt the RSA block to get the key and afterwards uses this key to decrypt the message. Naturally you could do all these steps on your own. But fortunately there is already a set of functions that do that for you: Encrypt: EVP_SealInit, EVP_SealUpdate and EVP_SealFinal Decrypt: EVP_OpenInit, EVP_OpenUpdate and EVP_OpenFinal With these you generate a message containing of at least 3 parts: * The asymmetric data blob (the session key encrypted with ~ the RSA public key of the recipient) * the IV * The data (encrypted with the session key stored in the ~ asymmetric data blob) It would be a good idea to also add some identifier about the recipient. How you store and transfer these datas is up to you. Alternatively you also could encrypt the data using PKCS#7 There you can use the functions PKCS7_encrypt and PKCS7_decrypt. The disadvantage with these functions is that all your data must fit into the memory of your device. This limit is not with all PKCS7 functions, There are PKCS7 functions working on streams, but the setup of these functions is a little bit more complicated... Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJNwHe2iGqZUF3qPYRAmU4AJ9yQqCw3kXwiOKuN9wCF1X4x4ii6QCeNasE H29OHMunJ2KPmKMf+pacjkA= =DQSI -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: sign/verify kicking my ass
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shaun R. wrote: | OK, i converted over to EVP_*, the sign/verify works but now i'm | confused about decrypt, for EVP_DecryptInit i need to tell it a CIPHER | but i dont see RSA in the cipher listings on | http://www.openssl.org/docs/crypto/EVP_EncryptInit.html# Looking closer | at the man page it looks like RSA isnt considered a cipher, what should | i be using to decrypt RSA messages? Ahem, I really should read the manuals for the functions I recommend ;-) EVP_Encrypt_* and EV_Decrypt_* are for encrypting / decrypting messages with symmetric ciphers. Using RSA to encrypt / decrypt is a little bit more complicated: You do not use RSA to encrypt/decrypt the message, you encrypt/decrypt your message with a symmetric cipher. But since you need the key for the symmetric cipher at both ends, you usually encrypt this key with RSA so the recipient having the private key can decrypt the RSA block to get the key and afterwards uses this key to decrypt the message. Naturally you could do all these steps on your own. But fortunately there is already a set of functions that do that for you: Encrypt: EVP_SealInit, EVP_SealUpdate and EVP_SealFinal Decrypt: EVP_OpenInit, EVP_OpenUpdate and EVP_OpenFinal With these you generate a message containing of at least 3 parts: * The asymmetric data blob (the session key encrypted with ~ the RSA public key of the recipient) * the IV * The data (encrypted with the session key stored in the ~ asymmetric data blob) It would be a good idea to also add some identifier about the recipient. How you store and transfer these datas is up to you. Alternatively you also could encrypt the data using PKCS#7 There you can use the functions PKCS7_encrypt and PKCS7_decrypt. The disadvantage with these functions is that all your data must fit into the memory of your device. This limit is not with all PKCS7 functions, There are PKCS7 functions working on streams, but the setup of these functions is a little bit more complicated... Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJNwHe2iGqZUF3qPYRAmU4AJ9yQqCw3kXwiOKuN9wCF1X4x4ii6QCeNasE H29OHMunJ2KPmKMf+pacjkA= =DQSI -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: sign/verify kicking my ass
On Wed, Dec 03, 2008 at 10:59:44AM -0800, Shaun R. wrote: > OK, i converted over to EVP_*, the sign/verify works but now i'm confused > about decrypt, for EVP_DecryptInit i need to tell it a CIPHER but i dont > see RSA in the cipher listings on > http://www.openssl.org/docs/crypto/EVP_EncryptInit.html# Looking closer at > the man page it looks like RSA isnt considered a cipher, what should i be > using to decrypt RSA messages? Don't use RSA to encrypt. Only use it to Sign and Verify. For encryption use AES. You need to sign and encrypt the payload, but there are pitfalls: http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: sign/verify kicking my ass
OK, i converted over to EVP_*, the sign/verify works but now i'm confused about decrypt, for EVP_DecryptInit i need to tell it a CIPHER but i dont see RSA in the cipher listings on http://www.openssl.org/docs/crypto/EVP_EncryptInit.html# Looking closer at the man page it looks like RSA isnt considered a cipher, what should i be using to decrypt RSA messages? ~Shaun "Goetz Babin-Ebell" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shaun wrote: | Is there another way in C to use openssl's sign/verify/encrypt/decrypt | without using the low-level api? I got my test prog working, I guess I need | to figure out how to do a SHA1 hash of my data next. Your friends are * to sign: EVP_SignInit, EVP_SignUpdate and EVP_SignFinal * to verify: EVP_VerifyInit, EVP_VerifyUpdate and EVP_VerifyFinal * to encrypt: EVP_EncryptInit, EVP_EncryptUpdate and EVP_EncryptFinal * to decrypt: EVP_DecryptInit, EVP_DecryptUpdate and EVP_DecryptFinal With your experience you really should not use the RSA_* functions directly. And beware: all these functions handle *binary* data, calling string functions on data generated by them is simply wrong. I think the RSA_sign man page should get a warning and a pointer to the EVP interface. Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJLE0d2iGqZUF3qPYRAs2ZAJ9ie6ev4bXXWQxOTdBMNCjnQzjSHgCfSxGK tOE3jgsenLkcx4TNdNTVRXs= =yZKz -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: sign/verify kicking my ass
Check out the PHP manual pages for openssl_seal() et al here: http://nl2.php.net/manual/en/function.openssl-sign.php There's no straight-through API offering the EVP functionality in PHP, AFAIK. ... though, personally, I'd rather code this kind of stuff in C (or C++) and then bind that through a fresh bit of API into PHP if it's got to appear in there, but that's probably just me. (I consider it a 'VB coder barrier' (after 15+ years in the biz, I have yet to meet the first 'VB software engineer'): generally speaking, if you can't handle 'C', well, then that /might/ be a hint you shouldn't try your hand at crypto unattended. Ah well, sometimes we have to make do... Best of luck with this! Ger On Wed, Nov 26, 2008 at 2:26 AM, Shaun <[EMAIL PROTECTED]> wrote: > EVP function in php... -- Met vriendelijke groeten / Best regards, Ger Hobbelt -- web:http://www.hobbelt.com/ http://www.hebbut.net/ mail: [EMAIL PROTECTED] mobile: +31-6-11 120 978 -- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: sign/verify kicking my ass
EVP function in php... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saju Sent: Tuesday, November 25, 2008 5:15 PM To: openssl-users@openssl.org Subject: RE: sign/verify kicking my ass The EVP functions should be in OpenSSL's crypto library. some examples written in C http://www.nlnetlabs.nl/downloads/publications/hsm/hsm_node22.html http://www.nlnetlabs.nl/downloads/publications/hsm/hsm_node23.html Saju -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shaun Sent: Tuesday, November 25, 2008 7:38 PM To: openssl-users@openssl.org Subject: RE: sign/verify kicking my ass Yes, that's required to use the openssl functions in php... but still doesn't explain where the EVP functions are... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saju Paul Sent: Tuesday, November 25, 2008 2:03 PM To: openssl-users@openssl.org Subject: RE: sign/verify kicking my ass when building php; include the --with-openssl= option - on unix/linux platforms it would look something like... ./configure --with-openssl=[DIR]; does a dynamic bind of libssl & libcrypto libraries. check the built php binary with the ldd command. Saju -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Goetz Babin-Ebell Sent: Tuesday, November 25, 2008 4:52 PM To: openssl-users@openssl.org Subject: Re: sign/verify kicking my ass -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shaun wrote: | I'm really going to be using php to encrypt/sign ( | openssl_private_encrypt(), openssl_sign() ) I don't see any EVP functions | from php, Hm. There must be something wrong here. I'm almost sure that the EVP interface is available to PHP. Could any PHP user please shed some light ? | I'm assuming I can use EVP_* to decrypt/verify these? Is RSA just | a lower level api where as the EVP's are more for the beginner guys like me? Absolutely. The RSA low level encrypt / decrypt / sign functions are available for special cases for experienced users that really know what they are doing. For all normal operations there is the EVP (or even the SMIME/PKCS7) interface... Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJLHNs2iGqZUF3qPYRAnuiAJ4nDjYApPZlZq6uuLtpKyDrlqgTnQCZAbRH sJ0e+meqa+pA8LYZABA6kck= =D6Oy -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] No virus found in this incoming message. Checked by AVG - http://www.avg.com Version: 8.0.175 / Virus Database: 270.9.10/1812 - Release Date: 11/25/2008 7:53 PM __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: sign/verify kicking my ass
The EVP functions should be in OpenSSL's crypto library. some examples written in C http://www.nlnetlabs.nl/downloads/publications/hsm/hsm_node22.html http://www.nlnetlabs.nl/downloads/publications/hsm/hsm_node23.html Saju -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shaun Sent: Tuesday, November 25, 2008 7:38 PM To: openssl-users@openssl.org Subject: RE: sign/verify kicking my ass Yes, that's required to use the openssl functions in php... but still doesn't explain where the EVP functions are... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saju Paul Sent: Tuesday, November 25, 2008 2:03 PM To: openssl-users@openssl.org Subject: RE: sign/verify kicking my ass when building php; include the --with-openssl= option - on unix/linux platforms it would look something like... ./configure --with-openssl=[DIR]; does a dynamic bind of libssl & libcrypto libraries. check the built php binary with the ldd command. Saju -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Goetz Babin-Ebell Sent: Tuesday, November 25, 2008 4:52 PM To: openssl-users@openssl.org Subject: Re: sign/verify kicking my ass -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shaun wrote: | I'm really going to be using php to encrypt/sign ( | openssl_private_encrypt(), openssl_sign() ) I don't see any EVP functions | from php, Hm. There must be something wrong here. I'm almost sure that the EVP interface is available to PHP. Could any PHP user please shed some light ? | I'm assuming I can use EVP_* to decrypt/verify these? Is RSA just | a lower level api where as the EVP's are more for the beginner guys like me? Absolutely. The RSA low level encrypt / decrypt / sign functions are available for special cases for experienced users that really know what they are doing. For all normal operations there is the EVP (or even the SMIME/PKCS7) interface... Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJLHNs2iGqZUF3qPYRAnuiAJ4nDjYApPZlZq6uuLtpKyDrlqgTnQCZAbRH sJ0e+meqa+pA8LYZABA6kck= =D6Oy -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] No virus found in this incoming message. Checked by AVG - http://www.avg.com Version: 8.0.175 / Virus Database: 270.9.10/1812 - Release Date: 11/25/2008 7:53 PM __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: sign/verify kicking my ass
Ok well if the EVP interface and the RSA interface pretty much do the same thing I would imagine that the php openssl_sign and openssl_private_encrypt functions will generate a signature/encrypted data that EVP can verify/decrypt? At the moment I can get openssl_sign and RSA_sign to generate the same output. ~Shaun -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goetz Babin-Ebell Sent: Tuesday, November 25, 2008 1:52 PM To: openssl-users@openssl.org Subject: Re: sign/verify kicking my ass -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shaun wrote: | I'm really going to be using php to encrypt/sign ( | openssl_private_encrypt(), openssl_sign() ) I don't see any EVP functions | from php, Hm. There must be something wrong here. I'm almost sure that the EVP interface is available to PHP. Could any PHP user please shed some light ? | I'm assuming I can use EVP_* to decrypt/verify these? Is RSA just | a lower level api where as the EVP's are more for the beginner guys like me? Absolutely. The RSA low level encrypt / decrypt / sign functions are available for special cases for experienced users that really know what they are doing. For all normal operations there is the EVP (or even the SMIME/PKCS7) interface... Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJLHNs2iGqZUF3qPYRAnuiAJ4nDjYApPZlZq6uuLtpKyDrlqgTnQCZAbRH sJ0e+meqa+pA8LYZABA6kck= =D6Oy -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: sign/verify kicking my ass
Yes, that's required to use the openssl functions in php... but still doesn't explain where the EVP functions are... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saju Paul Sent: Tuesday, November 25, 2008 2:03 PM To: openssl-users@openssl.org Subject: RE: sign/verify kicking my ass when building php; include the --with-openssl= option - on unix/linux platforms it would look something like... ./configure --with-openssl=[DIR]; does a dynamic bind of libssl & libcrypto libraries. check the built php binary with the ldd command. Saju -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Goetz Babin-Ebell Sent: Tuesday, November 25, 2008 4:52 PM To: openssl-users@openssl.org Subject: Re: sign/verify kicking my ass -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shaun wrote: | I'm really going to be using php to encrypt/sign ( | openssl_private_encrypt(), openssl_sign() ) I don't see any EVP functions | from php, Hm. There must be something wrong here. I'm almost sure that the EVP interface is available to PHP. Could any PHP user please shed some light ? | I'm assuming I can use EVP_* to decrypt/verify these? Is RSA just | a lower level api where as the EVP's are more for the beginner guys like me? Absolutely. The RSA low level encrypt / decrypt / sign functions are available for special cases for experienced users that really know what they are doing. For all normal operations there is the EVP (or even the SMIME/PKCS7) interface... Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJLHNs2iGqZUF3qPYRAnuiAJ4nDjYApPZlZq6uuLtpKyDrlqgTnQCZAbRH sJ0e+meqa+pA8LYZABA6kck= =D6Oy -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: sign/verify kicking my ass
when building php; include the --with-openssl= option - on unix/linux platforms it would look something like... ./configure --with-openssl=[DIR]; does a dynamic bind of libssl & libcrypto libraries. check the built php binary with the ldd command. Saju -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Goetz Babin-Ebell Sent: Tuesday, November 25, 2008 4:52 PM To: openssl-users@openssl.org Subject: Re: sign/verify kicking my ass -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shaun wrote: | I'm really going to be using php to encrypt/sign ( | openssl_private_encrypt(), openssl_sign() ) I don't see any EVP functions | from php, Hm. There must be something wrong here. I'm almost sure that the EVP interface is available to PHP. Could any PHP user please shed some light ? | I'm assuming I can use EVP_* to decrypt/verify these? Is RSA just | a lower level api where as the EVP's are more for the beginner guys like me? Absolutely. The RSA low level encrypt / decrypt / sign functions are available for special cases for experienced users that really know what they are doing. For all normal operations there is the EVP (or even the SMIME/PKCS7) interface... Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJLHNs2iGqZUF3qPYRAnuiAJ4nDjYApPZlZq6uuLtpKyDrlqgTnQCZAbRH sJ0e+meqa+pA8LYZABA6kck= =D6Oy -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: sign/verify kicking my ass
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shaun wrote: | I'm really going to be using php to encrypt/sign ( | openssl_private_encrypt(), openssl_sign() ) I don't see any EVP functions | from php, Hm. There must be something wrong here. I'm almost sure that the EVP interface is available to PHP. Could any PHP user please shed some light ? | I'm assuming I can use EVP_* to decrypt/verify these? Is RSA just | a lower level api where as the EVP's are more for the beginner guys like me? Absolutely. The RSA low level encrypt / decrypt / sign functions are available for special cases for experienced users that really know what they are doing. For all normal operations there is the EVP (or even the SMIME/PKCS7) interface... Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJLHNs2iGqZUF3qPYRAnuiAJ4nDjYApPZlZq6uuLtpKyDrlqgTnQCZAbRH sJ0e+meqa+pA8LYZABA6kck= =D6Oy -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: sign/verify kicking my ass
I'm really going to be using php to encrypt/sign ( openssl_private_encrypt(), openssl_sign() ) I don't see any EVP functions from php, I'm assuming I can use EVP_* to decrypt/verify these? Is RSA just a lower level api where as the EVP's are more for the beginner guys like me? :) ~Shaun -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goetz Babin-Ebell Sent: Tuesday, November 25, 2008 11:08 AM To: openssl-users@openssl.org Subject: Re: sign/verify kicking my ass -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shaun wrote: | Is there another way in C to use openssl's sign/verify/encrypt/decrypt | without using the low-level api? I got my test prog working, I guess I need | to figure out how to do a SHA1 hash of my data next. Your friends are * to sign: EVP_SignInit, EVP_SignUpdate and EVP_SignFinal * to verify: EVP_VerifyInit, EVP_VerifyUpdate and EVP_VerifyFinal * to encrypt: EVP_EncryptInit, EVP_EncryptUpdate and EVP_EncryptFinal * to decrypt: EVP_DecryptInit, EVP_DecryptUpdate and EVP_DecryptFinal With your experience you really should not use the RSA_* functions directly. And beware: all these functions handle *binary* data, calling string functions on data generated by them is simply wrong. I think the RSA_sign man page should get a warning and a pointer to the EVP interface. Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJLE0d2iGqZUF3qPYRAs2ZAJ9ie6ev4bXXWQxOTdBMNCjnQzjSHgCfSxGK tOE3jgsenLkcx4TNdNTVRXs= =yZKz -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: sign/verify kicking my ass
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shaun wrote: | Is there another way in C to use openssl's sign/verify/encrypt/decrypt | without using the low-level api? I got my test prog working, I guess I need | to figure out how to do a SHA1 hash of my data next. Your friends are * to sign: EVP_SignInit, EVP_SignUpdate and EVP_SignFinal * to verify: EVP_VerifyInit, EVP_VerifyUpdate and EVP_VerifyFinal * to encrypt: EVP_EncryptInit, EVP_EncryptUpdate and EVP_EncryptFinal * to decrypt: EVP_DecryptInit, EVP_DecryptUpdate and EVP_DecryptFinal With your experience you really should not use the RSA_* functions directly. And beware: all these functions handle *binary* data, calling string functions on data generated by them is simply wrong. I think the RSA_sign man page should get a warning and a pointer to the EVP interface. Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJLE0d2iGqZUF3qPYRAs2ZAJ9ie6ev4bXXWQxOTdBMNCjnQzjSHgCfSxGK tOE3jgsenLkcx4TNdNTVRXs= =yZKz -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: sign/verify kicking my ass
Is there another way in C to use openssl's sign/verify/encrypt/decrypt without using the low-level api? I got my test prog working, I guess I need to figure out how to do a SHA1 hash of my data next. ~Shaun -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz Sent: Monday, November 24, 2008 7:11 PM To: openssl-users@openssl.org Subject: RE: sign/verify kicking my ass > > I used fwrite(signature,1,strlen(signature),fp) and got the > > same results. You seem to have a fundamental misunderstanding about how strings work in C. That's not good for someone writing security software. The 'strlen' function computes the length of a C-style string. The signature *IS* *NOT* a C-style string. It *MUST* *NOT* be passed to 'strlen'. Also, this code has a problem: if(RSA_sign(NID_sha1, (unsigned char*) message, strlen(message), signature, &slen, private_key) != 1) { You are telling RSA_sign that you are using it to sign a SHA1 hash, but the message is not a SHA1 hash. I believe this will currently sort of work, but it's very bad practice. You should not be using low-level RSA functions unless you really understand RSA. You have already gotten, in the previous round, perfectly clear explanations of this: "RSA_sign() and RSA_verify() don't sign arbitrary data they expect the digest of the data being signed/verified. If you want an API that does sign arbitrary data use EVP_Sign*() and EVP_Verify*() instead." You are still neither calling the EVP_* functions nor generating a hash. and "The signature is not a NUL terminated C-string, so using "printf" is not the right way to save it to a file. You are throwing away "slen", don't." You are still treating the signature as if it was a C-style string and throwing away slen. What's the point of asking questions if you ignore the answers? DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: sign/verify kicking my ass
Ahh, ok... When you first said that you where just saying printf was wrong to use because it was not a string, it makes sense that strlen wouldn't work either, i just missed that. I know I'm throwing away slen in the example, I'm curious how I would pass it along though in my tests with two separate programs, I would have to pass the size along too somehow right? Couldn't I use RSA_size(pubkey) to set slen? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni Sent: Monday, November 24, 2008 6:41 PM To: openssl-users@openssl.org Subject: Re: sign/verify kicking my ass On Mon, Nov 24, 2008 at 05:59:39PM -0800, Shaun wrote: > I used fwrite(signature,1,strlen(signature),fp) and got the same results. Which part of length of signature != strlen(signature) because signature is not a NUL terminated C-string is not clear? Which part of 'you are throwing away "slen"' is not clear? > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni > Sent: Saturday, November 22, 2008 1:25 PM > To: openssl-users@openssl.org > Subject: Re: sign/verify kicking my ass > > On Sat, Nov 22, 2008 at 10:38:18AM -0800, Shaun R. wrote: > > > Can anybody help me out, not sure whats going wrong. My test case right > > now is the following > > > >signature = (unsigned char*) malloc(RSA_size(private_key)); > >if(RSA_sign(NID_sha1, (unsigned char*) message, strlen(message), > > signature, &slen, private_key) != 1) { > >ERR_print_errors_fp(stdout); > >} > > > >printf("%s", signature); > > The signature is not a NUL terminated C-string, so using "printf" is > not the right way to save it to a file. You are throwing away "slen", > don't. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: sign/verify kicking my ass
> > I used fwrite(signature,1,strlen(signature),fp) and got the > > same results. You seem to have a fundamental misunderstanding about how strings work in C. That's not good for someone writing security software. The 'strlen' function computes the length of a C-style string. The signature *IS* *NOT* a C-style string. It *MUST* *NOT* be passed to 'strlen'. Also, this code has a problem: if(RSA_sign(NID_sha1, (unsigned char*) message, strlen(message), signature, &slen, private_key) != 1) { You are telling RSA_sign that you are using it to sign a SHA1 hash, but the message is not a SHA1 hash. I believe this will currently sort of work, but it's very bad practice. You should not be using low-level RSA functions unless you really understand RSA. You have already gotten, in the previous round, perfectly clear explanations of this: "RSA_sign() and RSA_verify() don't sign arbitrary data they expect the digest of the data being signed/verified. If you want an API that does sign arbitrary data use EVP_Sign*() and EVP_Verify*() instead." You are still neither calling the EVP_* functions nor generating a hash. and "The signature is not a NUL terminated C-string, so using "printf" is not the right way to save it to a file. You are throwing away "slen", don't." You are still treating the signature as if it was a C-style string and throwing away slen. What's the point of asking questions if you ignore the answers? DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: sign/verify kicking my ass
Shaun wrote: > I used fwrite(signature,1,strlen(signature),fp) and got the same results. > > Ok - strlen does the same thing as printf - it stops at a NULL. Since the signature is NOT guaranteed to not contain a NULL, you can't use any function that keys off of a NULL character. Which means that you need to use read() and write() directly. Either that, or convert the unsigned char * buffer that you have the signature in to be in a form that is "string" friendly (base64 or simple hexify) and then print THAT out. Have fun. Patrick. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: sign/verify kicking my ass
On Mon, Nov 24, 2008 at 05:59:39PM -0800, Shaun wrote: > I used fwrite(signature,1,strlen(signature),fp) and got the same results. Which part of length of signature != strlen(signature) because signature is not a NUL terminated C-string is not clear? Which part of 'you are throwing away "slen"' is not clear? > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni > Sent: Saturday, November 22, 2008 1:25 PM > To: openssl-users@openssl.org > Subject: Re: sign/verify kicking my ass > > On Sat, Nov 22, 2008 at 10:38:18AM -0800, Shaun R. wrote: > > > Can anybody help me out, not sure whats going wrong. My test case right > > now is the following > > > >signature = (unsigned char*) malloc(RSA_size(private_key)); > >if(RSA_sign(NID_sha1, (unsigned char*) message, strlen(message), > > signature, &slen, private_key) != 1) { > >ERR_print_errors_fp(stdout); > >} > > > >printf("%s", signature); > > The signature is not a NUL terminated C-string, so using "printf" is > not the right way to save it to a file. You are throwing away "slen", > don't. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: sign/verify kicking my ass
Well in this case I'm signing blah but I'm really trying to sign a base64 string. I'm just trying to use sign/verify to ensure that what was sent (a base64 encoded message that's maybe 1024 chars long max) is real -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson Sent: Saturday, November 22, 2008 1:45 PM To: openssl-users@openssl.org Subject: Re: sign/verify kicking my ass On Sat, Nov 22, 2008, Shaun R. wrote: > Can anybody help me out, not sure whats going wrong. My test case right > now is the following > > gcc sign.c -o sign -lcrypto > gcc verify.c -o verify -lcrypto > ./sign > blah.sig > ./verify > > RSA_sign() and RSA_verify() don't sign arbitrary data they expect the digest of the data being signed/verified. If you want an API that does sign arbitrary data use EVP_Sign*() and EVP_Verify*() instead. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: sign/verify kicking my ass
I used fwrite(signature,1,strlen(signature),fp) and got the same results. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni Sent: Saturday, November 22, 2008 1:25 PM To: openssl-users@openssl.org Subject: Re: sign/verify kicking my ass On Sat, Nov 22, 2008 at 10:38:18AM -0800, Shaun R. wrote: > Can anybody help me out, not sure whats going wrong. My test case right > now is the following > >signature = (unsigned char*) malloc(RSA_size(private_key)); >if(RSA_sign(NID_sha1, (unsigned char*) message, strlen(message), > signature, &slen, private_key) != 1) { >ERR_print_errors_fp(stdout); >} > >printf("%s", signature); The signature is not a NUL terminated C-string, so using "printf" is not the right way to save it to a file. You are throwing away "slen", don't. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: sign/verify kicking my ass
On Sat, Nov 22, 2008, Shaun R. wrote: > Can anybody help me out, not sure whats going wrong. My test case right > now is the following > > gcc sign.c -o sign -lcrypto > gcc verify.c -o verify -lcrypto > ./sign > blah.sig > ./verify > > RSA_sign() and RSA_verify() don't sign arbitrary data they expect the digest of the data being signed/verified. If you want an API that does sign arbitrary data use EVP_Sign*() and EVP_Verify*() instead. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: sign/verify kicking my ass
On Sat, Nov 22, 2008 at 10:38:18AM -0800, Shaun R. wrote: > Can anybody help me out, not sure whats going wrong. My test case right > now is the following > >signature = (unsigned char*) malloc(RSA_size(private_key)); >if(RSA_sign(NID_sha1, (unsigned char*) message, strlen(message), > signature, &slen, private_key) != 1) { >ERR_print_errors_fp(stdout); >} > >printf("%s", signature); The signature is not a NUL terminated C-string, so using "printf" is not the right way to save it to a file. You are throwing away "slen", don't. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
sign/verify kicking my ass
Can anybody help me out, not sure whats going wrong. My test case right now is the following gcc sign.c -o sign -lcrypto gcc verify.c -o verify -lcrypto ./sign > blah.sig ./verify [EMAIL PROTECTED] openssl]# cat sign.c #include #include #include #include #include #include #include #include int main(void) { char* message = "blah"; unsigned char* signature; unsigned int slen; unsigned int verified; static char *privkey = "-BEGIN RSA PRIVATE KEY-\nMIIJKAIBAAKCAgEAwm3C2PotN3uzg6pUqpLMkxa9xsgA/V3TrfG9RbrriIVr5xF7\n8rqtPTgzXUhcYAkEd2ROjtrI4WfZ91G3e9d5sR/1275UD0KAxkzxwOcWWMfZ0Yul\nlcwYQayd4Ke2msLaXbm65Gd0BfmGSCMX7fWHEWUCwSklXEFI0I2Zz7fZsCdeynaL\nGnZupsmKGa+t7XsgiVWfDGsQPcFee7285tnWxEgNUlaahySbLsNh11UAyqdKtDif\nSDUSuuPxnE+tvi3r2O17Yj77m9fnDAbRYHta+wTtKlPoD9iuV5bCoOpMejxBVNNK\nG6ganp117ivMC6OPYs+QxSM5FNOikIETZoLBBZV2M1T84i0pTat901OQZkhwTAPu\niwxSdWPFqHUBwp30g8i/NvhCelWh+pVPhbodn14r8DXMU/arw5EpEqmcj3IPFapr\ncrRRrpsPSiMqo5rdC5CH6Y1+Cel1W4IJp7lo6cgpSjAuNTvLIcJDpAFnImWy/Zr9\nUbGOh5mkF5PsVN9chc1gLjTPbgSQUcN0oX+rQjx0bqT7Tt6Y66W5wCrKLrL5blHq\nm08pAzEiFKb5srEK6ouvoGUv9DnoC9GwbXJq9RJDIwi4SW3LduQ2/vmFyj00LyaL\nOKL6mI3sAS9p8Vkl6KabjY8BdnKp7dnuEmJtQicZVAJkvHy8aThkF/NtfOMCAwEA\nAQKCAgAP4Xk90clps7/o7Du4Jv9wsDXWC7YQ+93zYkBsdqUQZJ14pTPzko3d5z5C\ny0tISNRFkDrebj5kMuBZ1CHhiqsU7aBeT4B8MplkGRrR/84SeFhxRi/DOYVtr9TB\nadF/eJTvfOEoEM8oQcZXFA67UAe1QwPjlSHJFEgHSNmcXs74FW8nqGEaSzwkgWe3\nS2Mwd5MjxIuWLxSHhsjZ4JiSXo6tP5le9VXv3eyS+ECAnx/ObbWrXMid 1D/wZffx\nJYzycLvH3zXpw203wH3NvKzTbZ/zyuY4Q9w7lx4+Z0EEdb7DaTKI5C00bxmlhQUB\n7C/hb32hu4R+pa7e5Z5soS5dfCaZ0qFJRDAgM2h19zSkbXV/XtMOdbk6sZdAhYOD\nqlpRfdKXuFeeBrffY/zxmjetgv1bJnvIsCG9x92p6ocfd3k7GE5GMnRkCuh3uVQT\nE6rjQty4pwOt+dHg0AV8SLFDZ6T8Vm4rw6BhZDiZO12DKhrAjCTeeLHewsy5owcW\nt/EMpqv5m9eSk81+PmFhuXlUB4NXBVXeRXW5hEyAf99wZ+7ErxaaN2kDNxiJ56PU\nbhm3Bu6tb0atrPYBPWKxToWARJ9VS/GIrXE5l1X9QbJDn9RrMW7ypKYOYZEBxpNX\nUz/t+hENVqrC0h/7qE3VtypQQ6H1t6RM+vK6DFMKx254h4m+sQKCAQEA7peT+fuv\ni/965IwRn4CAs1J6u8ow4+eknivWoiolOvaoEBTyCdTm3GUtB3db2wDNkQDvd/Pr\n9ZnjxwWfMDRz2h6jPRf2+maFmcw9cxEgd5NZcWX9Uir6UB5eue/WHLejWjmOK4nn\nUh+g2zjU14rnCR4wCoapRHi+6YvkKvUE3AQa17UfzkH1k/jeHsmFPBcvTfPsWWVw\nOarVBAb23TU5YMRzQPhEyM2/qZyl/0LDcGsrMFit4TcH640V8rRviJvF/JA+DO7v\nu44jz8463l2TkeEKbo0VV3eocMyGflk3qRbo4dETURVop4b3Qw3kucsdGQnvBJj2\nvcZhxNU7n6I9OwKCAQEA0J1M4oSlefbTUbMTz82rUWC1jfq5xBX4koYDFpvwNePQ\n9tHZgN5vRxoyvcASyeKciJeN68iIcoi587IDfZTwblCk5NtsEtifSFZmFScY+zZl\n84Bf/SkjHadRCdULMjfmSLSROcRYZ7vKK4m1Nq5We40S7fFBhoEIEOc ZGwZNA3V7\nLjwiFgOj9yMv+svYdSdkoUWoJ+i/zABFYp82j/PoFLEqB0Z6Sq8xuv3+CKVszm9t\nlKCAneh2TnRGG99/v6XeP+MqqerHCsf8GoF5vF5ZTPZEKH0DOS0sfLeD8PIPPpJZ\n7gKZYWqnSy9NAbZcJVjEOygvasCU9p+bWOiIKELkeQKCAQB1hmCzsJBGK7BDR+Oe\nZ9P9gNFIE06F1KK37uwosQ3pv3oFgeu/gAm/4m6N0POEKx8XIBjVQ2elcQpMDK7f\nNdcjSBgsjdNwgHOq0HosZfFSNVjHjO99PAJU2MDcYhFbz/E9DkDDnYg+YaoAkjv1\neExZp28OoEpcmgWgUPIxXsPoBHWcb3GdTcxD+UCgda+Va+43PcHcPyVKoqWO+Ec9\nq2v6CIqlJCXtq7uPNsRlumM+yutZQzVTTKIwGy0Ggm62IdUilYKbKE8aWee2AuXo\nhrucDffvgLtUfHKSLYzKS/Qo7EoGgdA8Domgi9DcTMmv4ycQIF6GKzrPPBsIs+hM\nt8PlAoIBAFneugWHkWYGcCjtFaba+mfXWr9seOTBdlFhDCmMSiJdH2OFKcc7jAK8\nhYl7Gl0Ak+DAMXKW9DkrL7iNQrWyGRXdBfxVjqxbx9q45cdNDZUDbU5GSpPcSfV3\nZBDxR559uGYv67RQIqmlm8W/0GJbHoShVLtOyKSyJ5Bojkc3IqxPyx4y55hGPzez\nX/MSKBDoRJC5WmS+/wlaQIno/u9q6tsnK2zw7rQH30uoKez9nu8bz8BMmLvuLjFE\nJAPT98vPH/yz12hV7SN23eNpTdFZb+0Y1mn+2QmjrVuZD20YSnrxP26qjfsKoEFi\ngjEvp2irYfX+LNc3WbUZMypNGoMFtjkCggEBAOqIVYAdeRnvlmvzHc9FX2sqyTMS\n8BpwqpNXDh0ThecSnJfxPZvv51gJjToW18i3yu2LrEmVbvzL5MNU27 Mp7aLxCKl1\nDw2ZDCSByRqTvisiLfPRjY+EQ5H8haiP3mnXldIEceH8/U5B2tFWi0K9W1CT7IDw\nlyfBthZEzTSbbwD5we9OPreM5YYbOketa+FVS7MjxHGYkHYdwZICka1H4OTnQlZn\nAA6O6inwpG5pvj/tE1CFGZFd27VWDyWGB6wqA3so9NzFiKe4EZIxh7qvIiERanZy\nSmdo5+hY6/He2ImkH0LzY/GPd8t8CJelvtmtiW6Su3Ko4bQWFWGkOxIaoNw=\n-END RSA PRIVATE KEY-"; RSA *private_key; BIO *private_bio; / private_bio = BIO_new_mem_buf(privkey, -1); if(private_bio == NULL) { ERR_print_errors_fp(stdout); return 1; } private_key = PEM_read_bio_RSAPrivateKey(private_bio, NULL, NULL, NULL); if(private_key == NULL) { ERR_print_errors_fp(stdout); } signature = (unsigned char*) malloc(RSA_size(private_key)); if(RSA_sign(NID_sha1, (unsigned char*) message, strlen(message), signature, &slen, private_key) != 1) { ERR_print_errors_fp(stdout); } printf("%s", signature); RSA_free(private_key); return 0; } [EMAIL PROTECTED] openssl]# cat verify.c #include #include #include #include #include #include #include #include int main(void) { unsigned char *message = "blah"; unsigned char signature[4096]; unsigned int slen; unsigned int verified; static char *pubkey = "-BEGIN PUBLIC KEY-\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwm3C2PotN3uzg6pUqpLM\nkxa9xsgA/V3TrfG9RbrriIVr5xF78rqtPTgzXUhcYAkEd2ROjtrI4WfZ91G3e9d5\nsR/1275UD0KAxkzxwOcWWMfZ0YullcwYQayd4Ke2msLaXbm65