openssl Signature Verification Failure : “RSA_padding_check_PKCS1_type_1:block type is not 01”

2012-06-07 Thread Lunar Mushrooms
I am trying to verify the signature of a sample downloaded from NIST. But
I am getting the following output:

retval=0 err='error:0407006A:lib(4):func(112):reason(106)'

When I collected the detailed description I found:

openssl errstr 0407006A
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

The signature verification is expected to pass as per the data input I have
provided. Something might be wrong in my code. Any help is appreciated.

The data and the example code that I used are in
http://stackoverflow.com/q/10927586/986020

thanks for help


Re: openssl Signature Verification Failure : “RSA_padding_check_PKCS1_type_1:block type is not 01”

2012-06-07 Thread Lunar Mushrooms
Here is the vector and code that is provided in the link:

/*
VECTOR SOURCE: csrc.nist.gov/groups/STM/cavp/documents/dss/RSAVS.pdf
B.1.3 SigVerRSA.req., it's Result = P as per B.3.3 SigVerRSA.rsp

# CAVS 3.2
# SigVer RSA (X9.31) information for testshas
# Mod sizes selected: 1024 1536
# SHA Algorithm selected:SHA1 SHA256 SHA384 SHA512
# Generated on Wed Apr 28 08:35:11 2004
[mod = 1024]
n =
9ec4d483330916b69eee4e9b7614eafc4fbf60e74b5127a3ff5bd9d48c7ecf8418d94d1e60388bb68546f8bc92deb1974b9def6748fbb4ec93029ea8b7bea36f61c5c6aeedfd512a0f765846fad5edacb08c3d75cf1d43b48b394c94323c3f3e9ba6612f93fe2900134217433afb088b5ca33fc4e6b270194df077d2b6592743
SHAAlg = SHA1
e = 
0003
Msg =
b915e774b083e8cec80929cfbc89d87bd046f65cb43e5e78acba0380ee23794a4b17b78112bc1b9c3254ae0c9e12aabaf62c39b063328016c39edc6106ac6bc7d76ccff67f152e05079c7dab9d85ffaf3afa089f811a07c5e993c3571e73e5eea53bb739bf352bf391081f12818adf42e3d5ec91d59dfc6c67c141ca001feea7
S =
1c886e8041a0bfa57320c2033ac37eb2f8d8a96d42f3187b0f9164f37a0ce270ba35602a1e27c96fb6e2fdcfb25b00da1cceeb146f6a3320de97594d6de8664d3055142d408fc28c47dd380847d92450fad37535d366aabced070cc1fff6a6e023e2ce64e9e1914e82f384688c63beada87dd0ab7117b5d4c1129e39b40d2440
*/


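#include <stdio.h>
#include <string.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>

/* Written against the OpenSSL 1.0.x API, where the RSA, EVP_PKEY and
   EVP_MD_CTX structures are public and can be filled in directly. */
int verfiysignature (void)
{
    int retval;
    EVP_PKEY    pkey;
    EVP_MD_CTX  ctx;
    RSA *rsa;
    char        testbuffer[512];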

unsigned char testN[128] =
{0x9e,0xc4,0xd4,0x83,0x33,0x09,0x16,0xb6,0x9e,0xee,0x4e,0x9b,0x76,0x14,0xea,0xfc,0x4f,0xbf,0x60,0xe7,0x4b,0x51,0x27,0xa3,0xff,0x5b,0xd9,0xd4,0x8c,0x7e,0xcf,0x84,0x18,0xd9,0x4d,0x1e,0x60,0x38,0x8b,0xb6,0x85,0x46,0xf8,0xbc,0x92,0xde,0xb1,0x97,0x4b,0x9d,0xef,0x67,0x48,0xfb,0xb4,0xec,0x93,0x02,0x9e,0xa8,0xb7,0xbe,0xa3,0x6f,0x61,0xc5,0xc6,0xae,0xed,0xfd,0x51,0x2a,0x0f,0x76,0x58,0x46,0xfa,0xd5,0xed,0xac,0xb0,0x8c,0x3d,0x75,0xcf,0x1d,0x43,0xb4,0x8b,0x39,0x4c,0x94,0x32,0x3c,0x3f,0x3e,0x9b,0xa6,0x61,0x2f,0x93,0xfe,0x29,0x00,0x13,0x42,0x17,0x43,0x3a,0xfb,0x08,0x8b,0x5c,0xa3,0x3f,0xc4,0xe6,0xb2,0x70,0x19,0x4d,0xf0,0x77,0xd2,0xb6,0x59,0x27,0x43};

unsigned char testE[1] = {0x03};


unsigned char testMsg[128] =
{0xb9,0x15,0xe7,0x74,0xb0,0x83,0xe8,0xce,0xc8,0x09,0x29,0xcf,0xbc,0x89,0xd8,0x7b,0xd0,0x46,0xf6,0x5c,0xb4,0x3e,0x5e,0x78,0xac,0xba,0x03,0x80,0xee,0x23,0x79,0x4a,0x4b,0x17,0xb7,0x81,0x12,0xbc,0x1b,0x9c,0x32,0x54,0xae,0x0c,0x9e,0x12,0xaa,0xba,0xf6,0x2c,0x39,0xb0,0x63,0x32,0x80,0x16,0xc3,0x9e,0xdc,0x61,0x06,0xac,0x6b,0xc7,0xd7,0x6c,0xcf,0xf6,0x7f,0x15,0x2e,0x05,0x07,0x9c,0x7d,0xab,0x9d,0x85,0xff,0xaf,0x3a,0xfa,0x08,0x9f,0x81,0x1a,0x07,0xc5,0xe9,0x93,0xc3,0x57,0x1e,0x73,0xe5,0xee,0xa5,0x3b,0xb7,0x39,0xbf,0x35,0x2b,0xf3,0x91,0x08,0x1f,0x12,0x81,0x8a,0xdf,0x42,0xe3,0xd5,0xec,0x91,0xd5,0x9d,0xfc,0x6c,0x67,0xc1,0x41,0xca,0x00,0x1f,0xee,0xa7};

unsigned char testSig[128] =
{0x1c,0x88,0x6e,0x80,0x41,0xa0,0xbf,0xa5,0x73,0x20,0xc2,0x03,0x3a,0xc3,0x7e,0xb2,0xf8,0xd8,0xa9,0x6d,0x42,0xf3,0x18,0x7b,0x0f,0x91,0x64,0xf3,0x7a,0x0c,0xe2,0x70,0xba,0x35,0x60,0x2a,0x1e,0x27,0xc9,0x6f,0xb6,0xe2,0xfd,0xcf,0xb2,0x5b,0x00,0xda,0x1c,0xce,0xeb,0x14,0x6f,0x6a,0x33,0x20,0xde,0x97,0x59,0x4d,0x6d,0xe8,0x66,0x4d,0x30,0x55,0x14,0x2d,0x40,0x8f,0xc2,0x8c,0x47,0xdd,0x38,0x08,0x47,0xd9,0x24,0x50,0xfa,0xd3,0x75,0x35,0xd3,0x66,0xaa,0xbc,0xed,0x07,0x0c,0xc1,0xff,0xf6,0xa6,0xe0,0x23,0xe2,0xce,0x64,0xe9,0xe1,0x91,0x4e,0x82,0xf3,0x84,0x68,0x8c,0x63,0xbe,0xad,0xa8,0x7d,0xd0,0xab,0x71,0x17,0xb5,0xd4,0xc1,0x12,0x9e,0x39,0xb4,0x0d,0x24,0x40};

    /* Public key only: load n and e, leave the private components unset. */
    rsa = RSA_new();
    rsa->n  =   BN_bin2bn(testN, 128, rsa->n);
    rsa->e  =   BN_bin2bn(testE, 1, rsa->e);
    rsa->d  =   0;
    rsa->p  =   0;
    rsa->q  =   0;

    pkey.type = EVP_PKEY_RSA;
    pkey.pkey.rsa = rsa;
    EVP_MD_CTX_init (&ctx);
    /* Request X9.31 padding through the digest-context flag. */
    ctx.flags |= EVP_MD_CTX_FLAG_PAD_X931;


    if (EVP_VerifyInit_ex (&ctx, EVP_sha1(), NULL))
    {
        if (EVP_VerifyUpdate (&ctx, testMsg, 128))
        {
            retval = EVP_VerifyFinal (&ctx, testSig, 128, &pkey);
            /* Print the return value with the first entry of the error queue. */
            memset(testbuffer,0,sizeof(testbuffer));
            printf("retval=%d err='%s'", retval,
                   ERR_error_string(ERR_get_error(), testbuffer));
        }
        else
        {
            retval = -1;
        }
    }
    else
    {
        retval = -1;
    }

    EVP_MD_CTX_cleanup (&ctx);
    RSA_free (rsa);
    return retval;
}




Re: openssl Signature Verification Failure : “RSA_padding_check_PKCS1_type_1:block type is not 01”

2012-06-07 Thread Ken Goldman

I typically divide the problem in two.

Do a raw public key operation.  If you see something that looks random, 
then the public key doesn't match the private key used to generate the 
signature, or either the public key or signature has been altered.  If 
it looks like padding + OID + hash, then either the padding or digest 
you expect is wrong.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org
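
Added example (not part of the thread and not OpenSSL code): the two-step diagnosis Ken Goldman describes, as a Python sketch that performs the raw public-key operation and reports whether the recovered block is PKCS#1 v1.5, X9.31, or random-looking. The function names `classify`, `recover` and `diagnose` are this example's own, only SHA-1 is recognized, and the values under `__main__` are copied from the CAVS vector quoted in the thread.

```python
import hashlib

# SHA-1 DigestInfo prefix (PKCS#1 v1.5) and the X9.31 trailer for SHA-1.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")
X931_SHA1_TRAILER = b"\x33\xcc"

def classify(block):
    """Return (scheme, embedded 20-byte digest) for a recovered block."""
    if block[:2] == b"\x00\x01":              # PKCS#1 type 1: 00 01 FF.. 00 DigestInfo hash
        sep = block.find(b"\x00", 2)
        body = block[sep + 1:]
        if (sep >= 10 and set(block[2:sep]) == {0xFF}
                and body[:15] == SHA1_DIGESTINFO and len(body) == 35):
            return "pkcs1-v1.5", body[15:]
    if block[:1] == b"\x6b" and block.endswith(X931_SHA1_TRAILER):
        end = block.find(b"\xba", 1)          # X9.31: 6B BB.. BA hash 33 CC
        if end > 0 and set(block[1:end]) <= {0xBB} and len(block) - end - 3 == 20:
            return "x9.31", block[end + 1:-2]
    return "unrecognized", None

def recover(sig, e, n):
    """Raw public-key operation (no padding check), then classify the result."""
    k = (n.bit_length() + 7) // 8
    t = pow(sig, e, n)
    for cand in (t, n - t):                   # X9.31 signers may output n - s
        scheme, digest = classify(cand.to_bytes(k, "big"))
        if digest is not None:
            return scheme, digest
    return "unrecognized", None

def diagnose(sig, e, n, msg):
    """Step 1: is the block structured at all? Step 2: does the digest match?"""
    scheme, digest = recover(sig, e, n)
    if digest is None:
        return "looks random: key mismatch, or key/signature altered"
    same = digest == hashlib.sha1(msg).digest()
    return f"{scheme} padding, SHA-1 digest {'matches' if same else 'differs'}"

if __name__ == "__main__":
    # n, S and Msg copied from the CAVS vector quoted in the thread (e = 3).
    n = int("9ec4d483330916b69eee4e9b7614eafc4fbf60e74b5127a3ff5bd9d48c7ecf8418d94d1e60388bb68546f8bc92deb1974b9def6748fbb4ec93029ea8b7bea36f61c5c6aeedfd512a0f765846fad5edacb08c3d75cf1d43b48b394c94323c3f3e9ba6612f93fe2900134217433afb088b5ca33fc4e6b270194df077d2b6592743", 16)
    s = int("1c886e8041a0bfa57320c2033ac37eb2f8d8a96d42f3187b0f9164f37a0ce270ba35602a1e27c96fb6e2fdcfb25b00da1cceeb146f6a3320de97594d6de8664d3055142d408fc28c47dd380847d92450fad37535d366aabced070cc1fff6a6e023e2ce64e9e1914e82f384688c63beada87dd0ab7117b5d4c1129e39b40d2440", 16)
    msg = bytes.fromhex("b915e774b083e8cec80929cfbc89d87bd046f65cb43e5e78acba0380ee23794a4b17b78112bc1b9c3254ae0c9e12aabaf62c39b063328016c39edc6106ac6bc7d76ccff67f152e05079c7dab9d85ffaf3afa089f811a07c5e993c3571e73e5eea53bb739bf352bf391081f12818adf42e3d5ec91d59dfc6c67c141ca001feea7")
    print(diagnose(s, 3, n, msg))
```

A recognized scheme with a matching digest means the key and signature are consistent and any remaining failure is in the padding mode the verifier was told to expect.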


error in using EC/DSA cert as server cert

2012-06-07 Thread Bin Lu
Hi,

I am trying to use an ECDSA certificate as the server cert, basically I created 
an EC_KEY and loaded it into SSL_CTX using SSL_CTX_use_PrivateKey(), after the 
cert is loaded using SSL_CTX_use_certificate().

The problem I am facing is that during SSL handshaking, the correct cipher 
suite is not being chosen (in ssl3_choose_cipher) because the key exchange 
algorithm (algorithm_mkey) masks is being set based on the value of dh_tmp, 
ecdh_tmp and their callback functions in the CERT structure, which don't seem 
to be set anywhere during the SSL_CTX_use calls above.

Is some code missing in SSL_CTX_use_PrivateKey() or these dh_tmp, ecdh_tmp 
values should be set by the application, and how?

Any help is greatly appreciated.

Regards,
-binlu



RE: error in using EC/DSA cert as server cert

2012-06-07 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Bin Lu
> Sent: Thursday, 07 June, 2012 14:53

> I am trying to use an ECDSA certificate <snip>
> the correct cipher suite is not being chosen <snip>
> dh_tmp, ecdh_tmp and their callback functions <snip> not set
>
> Is some code missing in SSL_CTX_use_PrivateKey() or these
> dh_tmp, ecdh_tmp values should be set by the application, and how?
 
The latter. You can set them on SSL_CTX (and use for 
one or more connections) or on SSL for one connection 
(before handshaking, or possibly renegotiation).

SSL_[CTX_]set_tmp_dh or set_tmp_dh_callback for DH 
(but there are no suites that use DH with ECDSA)

SSL_[CTX_]set_tmp_ecdh or set_tmp_ecdh_callback for ECDH 

Also SSL_[CTX_]set_tmp_rsa or set_tmp_rsa_callback 
if you use the export suites (which you should avoid) 
and I think if you have a sign-only (i.e. not key-wrap) 
RSA cert (but I doubt anybody does that nowadays).



RE: error in using EC/DSA cert as server cert

2012-06-07 Thread Bin Lu
But for a DSA key, what DH am I supposed to use?

Thanks,
-binlu



RE: error in using EC/DSA cert as server cert

2012-06-07 Thread Bin Lu
For ecdh_tmp, should it be the same as what is set in the pkey in CTX->CERT?
What is the purpose of these _tmp keys?

Regards,
-binlu



RE: error in using EC/DSA cert as server cert

2012-06-07 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Bin Lu
> Sent: Thursday, 07 June, 2012 19:25

> For ecdh_tmp, should it be the same as what is set in the
> pkey in CTX->CERT? What is the purpose of these _tmp keys?

> Sent: Thursday, June 07, 2012 4:04 PM

> But for a DSA key, what DH am I supposed to use?

man [openssl-3] SSL_{,CTX_}set_tmp_dh{,_callback} or 
http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html#
and substitute ECDH for DH (and ECDSA for DSA) since those apparently 
don't have a man page written (but ignore small subgroup for EC).

For DH you can use OpenSSL's 'canned' params like dh_get1024() 
(but not dh_get512 except for 'export' suites, 512 is too small)
or you can get and use other known ones like IPSEC 'Oakley', 
or you can generate your own (but in my opinion the man page 
overstresses the desirability of generating your own).
You can convert your DSA privatekey to DH with DSA_dup_DH() and 
use the full key, or set SINGLE_DH_USE to use only the parameters.

For ECDH use one of the 'named' (standardized) curves from 
EC_KEY_new_by_curve_name(int nid), or similarly your privatekey 
if it's in a named curve which it most likely is; OpenSSL 
uses the same EC_KEY structure for both ECDSA and ECDH.
The protocol spec allows nonstandard (ad-hoc) ECDHE params, 
but OpenSSL doesn't implement this and other systems may not.

See apps/s_server.c for code that implements some of these options.

Note: on reviewing this man page which I hadn't for a while, 
I don't understand the warning about DSA. First, if you use 
DSA *parameters* (not a full key), SINGLE_DH_USE is irrelevant, 
the code will always need to generate a key per negotiation.
If you use a DSA *key* converted to DH, how is this weaker than 
any other static DH key? You've discarded the exact subgroup 
order, but you do know it's big enough to resist guessing, 
and you know the group is big enough to resist discrete-log.
There are drawbacks to static DH, but as far as I can see they 
apply equally whether generated as DH or converted from DSA.

