On Mar 17, 2010, at 2:05 PM, Thomas Anderson wrote:

> According to <http://linuxmanpages.com/man1/rsautl.1.php>, you can
> sign data with OpenSSL. My question is how? I tried to sign my
> private key and got the following error:
>
> ubu...@ubuntu:~$ openssl rsautl -sign -in rsa.txt -inkey rsa.txt -out sig
> Enter pass phrase for rsa.txt:
> RSA operation error
> 1543:error:0406C06E:rsa routines:RSA_padding_add_PKCS1_type_1:data too
> large for key size:rsa_pk1.c:73:
Read a little further down that same man page, and you'll see:

    NOTES
    rsautl because it uses the RSA algorithm directly can only be used to sign or verify small pieces of data.

The amount of data that you can decrypt with an RSA private key is small, and depends on the size of the modulus of your key (1024, 2048, etc.). Your private key data, being an X bit exponent and a Y bit modulus, is likely too large to be signed with a Y bit key. Try taking a hash of your data, and feeding that to the utility.

> If I didn't know better, I'd guess that rsautl wasn't signing messages
> but rather was encrypting them, even though I had "out -sig" set. So
> how do I sign with rsautl? Is it even possible? And how do I sign
> with PSS as opposed to PKCS#1?

Looks like this utility is a little limited... you could either a) add PSS support to the utility and recompile your OpenSSL or b) hash and pad your data through other means and use -raw.

S.

-- 
san...@temme.net http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
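As an added example (not from this thread), the hash-then-sign workflow the reply recommends, done with the OpenSSL command line; it also reproduces the original poster's "data too large" failure by feeding rsautl a whole file. Key and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: hash first, then sign the digest with
# rsautl, as the reply advises. All file names are constructed for the demo.
set -eu

# Generate an unencrypted 2048-bit demo key pair into DIR (no passphrase,
# so rsautl does not prompt). A real key should of course be protected.
make_demo_key() {     # make_demo_key DIR
  openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
  openssl rsa -in "$1/key.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

# Sign a file's SHA-256 digest: 32 bytes fits easily under the 11-byte
# PKCS#1 type-1 padding overhead (256-byte block for a 2048-bit key).
sign_digest() {       # sign_digest KEY MESSAGE SIGOUT
  openssl dgst -sha256 -binary "$2" > "$2.sha256"
  openssl rsautl -sign -in "$2.sha256" -inkey "$1" -out "$3" 2>/dev/null
}

# Recover the digest from the signature with the public key and compare it
# to a fresh hash of the message; succeeds only if both match.
verify_digest() {     # verify_digest PUBKEY MESSAGE SIG
  openssl rsautl -verify -in "$3" -pubin -inkey "$1" -out "$3.recovered" 2>/dev/null
  openssl dgst -sha256 -binary "$2" | cmp -s - "$3.recovered"
}

# The poster's mistake: a whole file (here the ~1.7 KB key itself) is far
# larger than the modulus, so rsautl -sign refuses with "data too large".
sign_whole_file() {   # sign_whole_file KEY FILE SIGOUT
  openssl rsautl -sign -in "$2" -inkey "$1" -out "$3" 2>/dev/null
}

# Walk-through, printing one line per step.
D=$(mktemp -d)
make_demo_key "$D"
printf 'constructed sample message\n' > "$D/msg.txt"
sign_digest "$D/key.pem" "$D/msg.txt" "$D/msg.sig" && echo "signed digest"
verify_digest "$D/pub.pem" "$D/msg.txt" "$D/msg.sig" && echo "signature verifies"
if sign_whole_file "$D/key.pem" "$D/key.pem" "$D/bad.sig"; then
  echo "unexpected: whole key file signed"
else
  echo "expected: signing the whole key file fails (data too large for key size)"
fi
rm -rf "$D"
```

Note that rsautl -sign pads the bare hash with PKCS#1 type 1 only, without the DigestInfo wrapper, so the result is not interchangeable with a standard PKCS#1 v1.5 signature; openssl dgst -sign (and later pkeyutl) does the hashing and wrapping itself and accepts -sigopt rsa_padding_mode:pss for PSS.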