RSA sign/verify and hash generation functions

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Dec 13 22:44:41 CET 2010


On 12/09/2010 07:13 PM, Murray S. Kucherawy wrote:
>> -----Original Message-----
>> From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos
>> Sent: Thursday, December 09, 2010 12:23 AM
>> To: Murray S. Kucherawy
>> Cc: help-gnutls at gnu.org
>> Subject: Re: RSA sign/verify and hash generation functions
>>
>>> I did.  By the looks of things, the *_sign_hash() functions look like
>>> they sign a hash that's already been computed, which is the case for
>>> me, so that's what I used.
>>
>> The current sign_hash function is not what you want. They are tricky to
>> use to generate correct signatures (for DSA they work ok, but for RSA
>> require one more step to generate a PKCS #1 compliant signature - i.e.
>> BER encode the hash as DigestInfo). I'll add a safer to use API for
>> 2.12.x and deprecate those functions.
> 
> OK.  If you would like me to try those out once they're available, just point me at the tarball.

Could you check:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=tree;h=refs/heads/master;hb=master

You can get a tarball by clicking on snapshot. I've added sign_hash2()
family of functions that should work as expected. For usage you can
also check the test program x509sign-verify.c.

regards,
Nikos





More information about the Gnutls-help mailing list