Sign/verify openssl RSA signatures

Daniel Roesler diafygi at gmail.com
Mon Oct 5 16:22:54 CEST 2015


Not exactly what you're asking, but I was able to verify signature packets
on an OpenPGP public key using openssl.

https://github.com/diafygi/openpgp-python/blob/master/README.md#openssl-signature-verification

In order to learn the format better, I've been hacking together a very
rough OpenPGP parser in Python without using gpg. To verify signatures with
only openssl, you need to extract and convert the raw public RSA key to
PEM format, then dump the raw signature and data payload concatenation.

My code is really terrible, but feel free to read through it to see how I
calculate the public key PEM (without an ASN.1 parser) and raw data
payload. Maybe that can give you some ideas on how to make gpg signatures
compatible with openssl.

Daniel

On Oct 4, 2015 4:44 PM, <the2nd at otpme.org> wrote:
>
> Hi,
>
> I've googled a lot and I guess it is just not possible, but I want to ask
> this list before giving up.
>
> Is it possible to create (and verify) PKCS1_PSS signatures with gpg that
> are compatible with openssl?
>
> The signatures are created with these commands:
> # Generate keys
> openssl genrsa -out priv.pem
> # Export public key
> openssl rsa -pubout -in priv.pem -out pub.pem
> # Create test file
> echo test123 > test.txt
> # Create signature
> openssl dgst -sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign priv.pem -out test.txt.sig test.txt
> # Verify signature
> openssl dgst -sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -verify pub.pem -signature test.txt.sig test.txt
>
> The reason for choosing openssl over gpg is the smooth support for RSA
> signatures in Python (pycrypto). Verifying an RSA (PKCS1 PSS) signature
> requires just the public key, which makes it easy to use, especially when
> verification of the signature must be done in a daemon.
>
> But there are also good reasons for using gpg on the client side because
> it's easy to use with smartcards (e.g. a YubiKey). So my perfect setup would
> be to be able to create signatures with gpg that can be verified with
> openssl/pycrypto in my daemon.
>
> regards
> the2nd
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
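
The key conversion Daniel describes above (pull n and e out of an OpenPGP v4 RSA public-key packet and wrap them in a PEM SubjectPublicKeyInfo without an ASN.1 library), as an added example written for this archive page; it is not code from openpgp-python or from either poster. The sample packet is constructed inside the block from a made-up modulus (not a real key) purely to give the parser input, and only old-format packet headers with an explicit 1-, 2- or 4-octet length are handled.

```python
"""Pull n and e out of an OpenPGP v4 RSA public-key packet (RFC 4880 5.5.2) and wrap
them in a PEM SubjectPublicKeyInfo that `openssl dgst -verify` accepts, hand-encoding
the DER. Added example for this thread; not openpgp-python or either poster's code."""
import base64
import hashlib
import struct

# OID 1.2.840.113549.1.1.1 (rsaEncryption), already DER-encoded
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def der_len(n: int) -> bytes:
    """DER length: one octet below 128, else 0x80|count followed by the length bytes."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a value with its high bit set positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def der_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body


def rsa_public_key_pem(n: int, e: int) -> str:
    """SEQ { SEQ { rsaEncryption OID, NULL }, BIT STRING { SEQ { INTEGER n, INTEGER e } } }"""
    rsa_pub = der_seq(der_int(n), der_int(e))
    bit_string = b"\x03" + der_len(len(rsa_pub) + 1) + b"\x00" + rsa_pub  # 0 unused bits
    spki = der_seq(der_seq(RSA_OID, b"\x05\x00"), bit_string)
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def read_mpi(buf: bytes, pos: int):
    """OpenPGP MPI: 2-octet bit count, then the big-endian magnitude (RFC 4880 3.2)."""
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    end = pos + 2 + (bits + 7) // 8
    return int.from_bytes(buf[pos + 2:end], "big"), end


def parse_public_key_packet(packet: bytes):
    """Old-format public-key packet (tag 6) holding a v4 RSA key -> (n, e, fingerprint)."""
    ctb = packet[0]
    if ctb & 0xC0 != 0x80 or (ctb >> 2) & 0x0F != 6 or ctb & 0x03 == 3:
        raise ValueError("expected an old-format tag-6 packet with an explicit length")
    hdr_len = {0: 2, 1: 3, 2: 5}[ctb & 0x03]          # 1-, 2- or 4-octet length field
    body_len = int.from_bytes(packet[1:hdr_len], "big")
    body = packet[hdr_len:hdr_len + body_len]
    if len(body) != body_len:
        raise ValueError("truncated packet")
    if body[0] != 4 or body[5] != 1:                 # version 4, algorithm 1 = RSA
        raise ValueError("only v4 RSA keys are handled here")
    n, pos = read_mpi(body, 6)                       # after version(1)+ctime(4)+algo(1)
    e, pos = read_mpi(body, pos)
    if pos != body_len:
        raise ValueError("trailing bytes after e")
    # v4 fingerprint: SHA-1 over 0x99, 2-octet body length, body (RFC 4880 12.2)
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", body_len) + body).hexdigest()
    return n, e, fpr


def build_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Constructed test input: a v4 RSA public-key packet with a 2-octet old-format header."""
    def mpi(v):
        return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


# Made-up 1024-bit modulus, NOT a real key: just something for the parser to chew on.
SAMPLE_N = int.from_bytes(hashlib.sha512(b"constructed, not a real key").digest() * 2, "big") | (1 << 1023) | 1
SAMPLE_E = 65537
SAMPLE_PACKET = build_public_key_packet(SAMPLE_N, SAMPLE_E, 1444050174)

if __name__ == "__main__":
    n, e, fpr = parse_public_key_packet(SAMPLE_PACKET)
    print("fingerprint:", fpr.upper())
    print(rsa_public_key_pem(n, e), end="")   # redirect to pub.pem for openssl dgst -verify
```

Redirect the printed PEM to pub.pem and `openssl dgst -<hash> -verify pub.pem -signature sig.bin data.bin` will load it (with the hash the signature packet names and no PSS options). The key is only half of the interop problem, though: the OpenPGP signature hash does not cover the file alone but the file followed by the signature packet's hashed subpackets and trailer (RFC 4880 5.2.4), so data.bin has to be rebuilt that way, which is the "raw data payload" step Daniel's README walks through.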
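
A pure-Python counterpart of the openssl commands quoted above, added for this archive page (it is not pycrypto, gpg or either poster's code): RSA-PSS with SHA-1, MGF1-SHA1 and a salt the length of the digest, which is what `rsa_pss_saltlen:-1` selects in `openssl dgst`. The key pair is generated inside the block with a small Miller-Rabin routine so nothing on disk is needed; that key generation is demo-grade and a real daemon should take keys from a vetted library, but the verify side shows the point the2nd makes, that (n, e) is all it needs.

```python
"""RSA-PSS (RFC 8017 9.1) with SHA-1, MGF1-SHA1 and a 20-byte salt, matching
`openssl dgst -sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1`.
Added example for this thread, standard library only; not pycrypto or gpg code."""
import hashlib
import hmac
import math
import os
import random

HASH = hashlib.sha1
H_LEN = HASH().digest_size          # 20 bytes
_rng = random.SystemRandom()        # OS entropy for prime candidates


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1: concatenate Hash(seed || counter) until mask_len bytes are available."""
    out, counter = b"", 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def emsa_pss_encode(m_hash: bytes, em_bits: int, salt: bytes) -> bytes:
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("modulus too small for this hash/salt")
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    top = 0xFF >> (8 * em_len - em_bits)            # keep EM below 2^em_bits
    return bytes([masked[0] & top]) + masked[1:] + h + b"\xbc"


def emsa_pss_verify(m_hash: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:                     # leftmost padding bits must be zero
        return False
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, em_len - H_LEN - 1)))
    db = bytes([db[0] & top]) + db[1:]
    ps_len = em_len - H_LEN - s_len - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False                                # wrong salt length lands here
    salt = db[ps_len + 1:]
    return hmac.compare_digest(h, HASH(b"\x00" * 8 + m_hash + salt).digest())


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top and low bits
        if _is_probable_prime(c):
            return c


def gen_keypair(bits: int = 1024, e: int = 65537):
    """Returns ((n, e), (n, d)). Demo-grade; use a vetted library for real keys."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and (p * q).bit_length() == bits and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def pss_sign(priv, msg: bytes, salt=None) -> bytes:
    n, d = priv
    salt = os.urandom(H_LEN) if salt is None else salt   # saltlen = digest length (-1)
    em = emsa_pss_encode(HASH(msg).digest(), n.bit_length() - 1, salt)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def pss_verify(pub, msg: bytes, sig: bytes, s_len: int = H_LEN) -> bool:
    """Needs only (n, e), exactly like `openssl dgst -verify pub.pem`."""
    n, e = pub
    s = int.from_bytes(sig, "big")
    if len(sig) != (n.bit_length() + 7) // 8 or s >= n:
        return False
    em_len = (n.bit_length() - 1 + 7) // 8
    try:
        em = pow(s, e, n).to_bytes(em_len, "big")
    except OverflowError:                           # m does not fit in em_len bytes
        return False
    return emsa_pss_verify(HASH(msg).digest(), em, n.bit_length() - 1, s_len)


if __name__ == "__main__":
    pub, priv = gen_keypair()
    sig = pss_sign(priv, b"test123\n")              # what `echo test123 > test.txt` holds
    print("verify:", pss_verify(pub, b"test123\n", sig))
    print("tampered:", pss_verify(pub, b"test124\n", sig))
```

Two things the block makes visible that the openssl one-liners hide: the verifier must be told the salt length (openssl's `-2`/`auto` recovers it from the padding, `-1` pins it to the digest length as above), and a signature carries a fresh salt every time, so two signatures over the same file never match byte for byte. It also shows why the smartcard side is the hard part of the2nd's setup: OpenPGP signatures are PKCS#1 v1.5 (EMSA-PKCS1-v1_5), not PSS, so gpg will not emit this padding; what can be shared between the two worlds is the RSA key, not the signature format.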