openssl-1.0.1e RSA signature verification fails
Hi OpenSSL developers,

In our product we are using the OpenSSL source for some of the security development. In our old product we were using openssl-0.9.8l, and that product is now on the market. In our new product we upgraded our source base to openssl-1.0.1e. We didn't change anything in our application, but the RSA signature verification is failing. When I comment out the following portion of code in the p_verify.c file, it starts working. May I have a clue what should be set in our application to solve the issue without modifying the OpenSSL code?

    if (ctx->digest->flags & EVP_MD_FLAG_PKEY_METHOD_SIGNATURE)
        {
        i = -1;
        pkctx = EVP_PKEY_CTX_new(pkey, NULL);
        if (!pkctx)
            goto err;
        if (EVP_PKEY_verify_init(pkctx) <= 0)
            goto err;
        if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
            goto err;
        i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
        err:
        EVP_PKEY_CTX_free(pkctx);
        return i;
        }

The above-mentioned code is commented out now; as a result, RSA signature verification is passing now. In this portion of code, EVP_PKEY_CTX_new -> int_ctx_new -> EVP_PKEY_meth_find -> OBJ_bsearch_pmeth is the failure path. OBJ_bsearch_pmeth returns zero (the OpenSSL error is unsupported algorithms), but OpenSSL_add_all_algorithms is already called in our application. To add to this, when I debugged, the type value received in EVP_PKEY_meth_find seems to be a high value, 1179403647 (in decimal); this is derived from pkey->ameth->pkey_id, whereas we don't set this value in our application. In our application, do we need to set something to avoid the failure?

Thanks in advance.

Thanks,
Lavanya

--
View this message in context: http://openssl.6102.n7.nabble.com/openssl-1-0-1e-RSA-signature-verification-fails-tp45250.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
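Added example, not part of the original post and not OpenSSL source: a simplified C model of the lookup step the post names (a key type searched for in a sorted table of built-in methods), plus a helper that shows a type value as the bytes it occupies in memory. The table layout and the names `model_meth_find` and `id_as_bytes` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model, not OpenSSL source: ids (NIDs) of the built-in pkey
 * methods in OpenSSL 1.0.1, sorted ascending so bsearch() works. */
struct pmeth { int pkey_id; const char *name; };
static const struct pmeth standard_methods[] = {
    {6, "RSA"}, {28, "DH"}, {116, "DSA"}, {408, "EC"}, {855, "HMAC"}, {894, "CMAC"},
};

static int pmeth_cmp(const void *key, const void *elem)
{
    int id = *(const int *)key;
    int other = ((const struct pmeth *)elem)->pkey_id;
    return (id > other) - (id < other);
}

/* Model of the lookup by key type: NULL means "unsupported algorithm". */
static const char *model_meth_find(int type)
{
    const struct pmeth *m = bsearch(&type, standard_methods,
        sizeof standard_methods / sizeof standard_methods[0],
        sizeof standard_methods[0], pmeth_cmp);
    return m ? m->name : NULL;
}

/* Show the id as its four little-endian bytes in memory: printable bytes as
 * characters, the rest as \xNN. out must hold 17 bytes (4 * 4 + NUL). */
static const char *id_as_bytes(int type, char out[17])
{
    uint32_t v = (uint32_t)type;
    size_t used = 0;
    for (int i = 0; i < 4; i++) {
        unsigned b = (v >> (8 * i)) & 0xffu;
        const char *fmt = (b >= 0x20 && b < 0x7f) ? "%c" : "\\x%02x";
        used += (size_t)snprintf(out + used, 17 - used, fmt, b);
    }
    return out;
}

int main(void)
{
    char buf[17];
    const char *name = model_meth_find(1179403647); /* value seen in the debugger */
    printf("1179403647 -> %s, bytes %s\n", name ? name : "not found",
           id_as_bytes(1179403647, buf));
    return 0;
}
```

The debugger value 1179403647 is 0x464C457F, whose little-endian bytes read `\x7fELF`, so it matches no key type in the table; OpenSSL_add_all_algorithms registers ciphers and digests, not this method table. What that says about the `EVP_PKEY` reaching the verify call is something to check, since the thread does not establish the cause.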
Re: Hi
Hi Jakob,

Thanks for your reply. Please find the details given below, and also please look at the topic which I have posted in the same forum today with the title "openssl-1.0.1e RSA signature verification fails", which will give some more details.

1. How many bits are your RSA public key (the modulus), this is also the number of bits in the signature.

It is 128 bits.

2. Which hash algorithm (such as MD5 or SHA-256) is used by the signature you are trying to verify?

It is SHA1, not sure whether it is SHA-256 (as such I am searching for the right algorithm string to pass to the EVP_PKEY_asn1_find_str(tmpeng, algname, -1) function).

3. Which RSA padding scheme is used when converting the raw hash value into RSA input? For example are you using PKCS#1 v. 1.x padding, PSS (PKCS#1 v. 2.1), or one of the ISO 9796 schemes.

Padding method is EVP_MD_CTX ctx EVP_MD_CTX_FLAG_PAD_PKCS1

Hope to get the answer for this.

Thanks,
Lavanya
Hi
Hi,

I am Lavanya, working for Mistral solution. I am using OpenSSL code in our project. The function OBJ_bsearch_pmeth in pmeth_lib.c returns 0; may I know the possible reasons for it? In FIPS mode our product fails on RSA signature verification, throwing out unsupported algorithm. While tracing the code I found that the above-mentioned function returns 0. Help me in fixing this issue. I am using the openssl-1.0.1e version.

Thanks,
Lavanya