Migrating from EVP_Verify*/EVP_Sign* to EVP_Digest*

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Migrating from EVP_Verify*/EVP_Sign* to EVP_Digest*

Tobias Nießen
Hello,

we are currently discussing support for RSASSA-PSS padding in the
node.js built-in crypto module:
https://github.com/nodejs/node/issues/1127

So far, the crypto module uses the older EVP_Sign/EVP_Verify APIs, which
do not support specifying
the padding (and salt length). We considered switching to the newer
EVP_Digest* functions, but we
cannot provide the public key during initialization of the signature /
verification process as this would
require unacceptable changes to the public API of the crypto module. Is
there any way to use the
new API without specifying the key during initialization? Considering
that the old API just computes
a message digest until EVP_SignFinal/EVP_VerifyFinal is called,
shouldn't it be possible to do merely
the same thing using the new API?

If it is impossible, is there any workaround?

Thank you in advance,
Tobias
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Migrating from EVP_Verify*/EVP_Sign* to EVP_Digest*

Dr. Stephen Henson
On Tue, Feb 28, 2017, Tobias Nie?en wrote:

> Hello,
>
> we are currently discussing support for RSASSA-PSS padding in the
> node.js built-in crypto module:
> https://github.com/nodejs/node/issues/1127
>
> So far, the crypto module uses the older EVP_Sign/EVP_Verify APIs,
> which do not support specifying
> the padding (and salt length). We considered switching to the newer
> EVP_Digest* functions, but we
> cannot provide the public key during initialization of the signature
> / verification process as this would
> require unacceptable changes to the public API of the crypto module.
> Is there any way to use the
> new API without specifying the key during initialization?
> Considering that the old API just computes
> a message digest until EVP_SignFinal/EVP_VerifyFinal is called,
> shouldn't it be possible to do merely
> the same thing using the new API?
>

No there isn't with the new API. The reason for that is that some operations
performed (for example which digests can be used, or which salt lengths are
permissible for PSS) depend on the public key. For example in the master
branch RSA-PSS keys can restrict the digest which can be use with the key. The
way the new API is structured you get the error as soon as you attempt the
operation.

> If it is impossible, is there any workaround?
>

There is an alternative which may help. Instead of using EVP_Sign* which
computes the digest and signs with it you can instead call EVP_DigestInit_ex,
EVP_DigestUpdate and EVP_DigestFinal_ex() to compute the raw digest.

Then you can use the EVP_PKEY APIs to sign the raw digest with EVP_PKEY_sign()
using RSA-PSS or verify it with EVP_PKEY_verify().

If that isn't clear let me know and I'll explain further.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Loading...