RSA PKCS#1 signing: differs from OpenSSL's?
Simon Josefsson
simon at josefsson.org
Wed Dec 5 21:50:07 CET 2007
Dean Scarff <dos at scarff.id.au> writes:
> On Wed, 05 Dec 2007 16:21:09 +0100, Werner Koch said:
>> Yes, this is correct. Libgcrypt expects that P < Q; whereas OpenSSL
>> expects Q < P. Here is code to convert this.
> [snip]
>> The important thing here is to recompute U because u = p^{-1} mod q.
>
> Aha. I saw that the primes had been reversed but I missed this.

I had the same experience when porting libssh2 from OpenSSL to
libgcrypt, and this caused quite some confusion and a long debugging
session.

Is there a normal standard for this in the literature? I'm too tired to
look it up...

PKCS#1 calls the first prime P and the second one Q, and uses
coeff=p^{-1} mod q, which would suggest that libgcrypt got this
backwards.

/Simon
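
Added example (not part of the original message, and not libgcrypt or OpenSSL code): a Python sketch of the conversion described in the quoted text, ordering the primes so that p < q and recomputing u = p^{-1} mod q. It then checks that a CRT signature built with the recomputed u verifies, while one built with a coefficient left over from the original order does not. The function names, the toy key built from two Mersenne primes, and the message value are constructed for illustration; only the raw RSA private operation is shown, without PKCS#1 padding.

```python
# Added illustration; requires Python 3.8+ for pow(x, -1, n).

def to_p_lt_q(p, q):
    """Order the primes so p < q and return (p, q, u) with u = p^-1 mod q."""
    if p > q:
        p, q = q, p
    # Always recompute u after ordering: it depends on which prime is "p".
    return p, q, pow(p, -1, q)

def crt_sign(m, d, p, q, u):
    """RSA private operation via CRT (Garner), using u = p^-1 mod q."""
    m1 = pow(m, d % (p - 1), p)      # result mod p
    m2 = pow(m, d % (q - 1), q)      # result mod q
    h = (u * (m2 - m1)) % q          # solves m1 + h*p == m2 (mod q)
    return m1 + h * p

def verify(sig, m, e, n):
    """Public-key check; run this before releasing any CRT result."""
    return pow(sig, e, n) == m

def demo():
    # Constructed toy key supplied in the q < p order (known Mersenne primes).
    p_in, q_in = 2**61 - 1, 2**31 - 1
    e = 65537
    n = p_in * q_in
    d = pow(e, -1, (p_in - 1) * (q_in - 1))
    m = 0x1234567890ABCDEF           # constructed message representative, m < n

    # Coefficient computed for the ORIGINAL order; stale once primes are swapped.
    u_stale = pow(p_in, -1, q_in)

    p, q, u = to_p_lt_q(p_in, q_in)
    good = crt_sign(m, d, p, q, u)
    bad = crt_sign(m, d, p, q, u_stale)   # primes swapped, u not recomputed
    return {
        "ordered": p < q,
        "good_matches_plain": good == pow(m, d, n),
        "good_verifies": verify(good, m, e, n),
        "bad_verifies": verify(bad, m, e, n),
    }

if __name__ == "__main__":
    print(demo())
```
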