[Help-gnutls] Re: verify signed data

[Simon Josefsson]

Volker Steiß <vsteiss at web.de> writes:

> Hello everybody,
>
> I am on a project using public-private-key methods and just tried using GnuTLS for this.
> I am stuck at this point and hope someone can help me out:
> First I created a public private key (it's long ago, so I cant tell you how I did it exactly).
> I have created a signature with gnutls_x509_privkey_sign_data(PRIV_KEY), converted it to readable text with gnutls_hex_encode() and stored the result (Data + Signature) into a file.
> Now I want to verify the created data: I read the data and the signature, decode the signature with gnutls_hex_decode() and try to verify it with gnutls_x509_privkey_verify_data(PUB_KEY). But here I get return code 0, which means no success.
>
> Verification overview:
>>>>> - somecode
> init_gnutls ()
> ...
> gnutls_hex_decode (&temp, signature.data, &signature.size)
> ...
> gnutls_x509_privkey_init (&key)
> gnutls_x509_privkey_import (key, &key_datum, GNUTLS_X509_FMT_PEM)
> result = gnutls_x509_privkey_verify_data (key, flags, &uid, &signature)
> //result = 0
> ...
> <<<< - end of somecode
>
>
> Btw: What I realize at "gnutls_hex_decode (&temp, signature.data, &signature.size)" is that temp.size is 512 bytes and signature.size also is 512. Am I wrong when I say: It should be smaller after decoding?

Did you check errors from all functions?  Hex decoding a 512 byte
string should not give another 512 byte string.  Did you allocate a
signature.data buffer before calling gnutls_hex_decode?

Btw, if you aren't sure that you must use these functions, you
probably want to use a higher-layer message signature format instead
of low-level sign/verify primitives.  Standard formats for this is
OpenPGP (try GnuPG) and CMS/SMIME (try gpgsm).

/Simon