RSA PKCS#1 signing: differs from OpenSSL's?

Werner Koch wk at
Wed Dec 5 16:21:09 CET 2007

On Wed,  5 Dec 2007 09:07, dos at said:

> <>, which runs without
> aborting and demonstrates that the signatures produced are different.
> Is this correct libgcrypt behaviour?  I'd have filed a bug but I'm
> unsure if I've just misinterpreted the API.

Yes, this is correct.  Libgcrypt expects that P < Q; whereas OpenSSL
expect Q < P.  Here is code to convert this.

  /* check that p is less than q */
  if (gcry_mpi_cmp (skey->p, skey->q) > 0)
      gcry_mpi_t tmp;

      log_info ("swapping secret primes\n");
      tmp = gcry_mpi_copy (skey->p);
      gcry_mpi_set (skey->p, skey->q);
      gcry_mpi_set (skey->q, tmp);
      gcry_mpi_release (tmp);
      /* and must recompute u of course */
      gcry_mpi_invm (skey->u, skey->p, skey->q);

The important thing here is to recompute U because  u = p^{-1} mod q.

I have a item on my todo list to allow for native OpenSSL parameters in
Libgrypt but this has not yet been done.



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

More information about the Gcrypt-devel mailing list