RSA sign/verify and hash generation functions
Nikos Mavrogiannopoulos
nmav at gnutls.org
Thu Dec 9 09:22:33 CET 2010
On 12/08/2010 11:40 PM, Murray S. Kucherawy wrote:
>> -----Original Message----- From: Nikos Mavrogiannopoulos
>> [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos
>> Mavrogiannopoulos Sent: Wednesday, December 08, 2010 2:28 PM To:
>> Murray S. Kucherawy Cc: help-gnutls at gnu.org Subject: Re: RSA
>> sign/verify and hash generation functions
>>
>> On 12/08/2010 12:30 AM, Murray S. Kucherawy wrote:
>>
>>> assert(gnutls_privkey_sign_hash(rsa_key, &dd, &rsa_out ==
>> GNUTLS_E_SUCCESS);
>>
>> Also check the documentation of the functions you are using :)
>
> I did. By the looks of things, the *_sign_hash() functions look like
> they sign a hash that's already been computed, which is the case for
> me, so that's what I used.
The current sign_hash function is not what you want. They are tricky to
use to generate correct signatures (for DSA they work ok, but for RSA
require one more step to generate a PKCS #1 compliant signature - i.e.
BER encode the hash as DigestInfo). I'll add a safer to use API for
2.12.x and deprecate those functions.
The _sign_data() functions work as expected.
regards,
Nikos
More information about the Gnutls-help
mailing list