Hi All, Thank you all for your detailed update. Now I understood my mistake. I haven't copied the original message in dBuffer while calling EVP_VerifyUpdate(). Actually my aim is to make my system FIPs complaint. RSA_public_decrypt() is not FIPS complaint. hence I tried to replace this with EVP_Verify*(). Please let me know EVP_PKEY_public_decrypt() to make my system FIPs complaint.
Thanks, Gayathri On Tue, Oct 28, 2014 at 12:54 AM, Tom Francis <thomas.francis...@pobox.com> wrote: > > > On Oct 27, 2014, at 4:33 AM, Gayathri Manoj <gayathri.an...@gmail.com> > wrote: > > > > Hi All, > > > > How can I replace RSA_public_decrypt() with EVP_Verify*(). > > > > I wanted to replace the below api with EVP_verify*() > > > > RSA_public_decrypt(Len, SgnData, dBuffer, rsa_pub_key, > RSA_PKCS1_PADDING); > > > > You’d need to share more of the code around the call to > RSA_public_decrypt(). RSA_public_decrypt() only does some of the work done > by EVP_Verify*. EVP_Verify* are intended to: > > 1) Hash user data using the hash type passed to EVP_VerifyInit(), SHA1 in > your example below, using EVP_VerifyUpdate(); > 2) Decrypt the encrypted data (SgnData in your example below) in > EVP_VerifyFinal(); and > 3) Verify the hash type specified in EVP_VerifyInit() matches the one in > the decrypted data from step 2, and verify the hash value from step 1 > matches the hash value in the decrypted data from step 2. > > Your code below probably fails because you didn’t pass the correct data to > EVP_Update(), SgnData isn’t in a valid signature format, OR you use the > wrong keys somewhere. :) > > Oh, and the signature algorithm for the certificate is meaningless unless > you’re trying to verify the certificate’s signature —- and if you want to > do that, I strongly recommend using X509_verify_cert() for verifying the > certificate’s signature, if at all possible, and X509_check_issued() if you > can't. > > TOM > > > I have tried with > > > > EVP_MD_CTX md_ctx; > > unsigned char *decryptBuffer = NULL; > > EVP_PKEY *pubKey = NULL; > > PubKey = X509_get_pubkey(X509cert); > > decryptBuf = (uchar *) malloc(EVP_MD_size(EVP_sha1())); > > > > EVP_VerifyInit(&md_ctx, EVP_sha1()); > > EVP_VerifyUpdate (&md_ctx, dBuffer, strlen(dBuffer)-1); > > errorCode = EVP_VerifyFinal(&md_ctx, SgnData, Len, PubKey); > > > > Getting errorCode as 0. ERR[bad signature] > > > > certificate's Signature Algorithm is SHA256withRSA > > > > Please let me know how can I solve this issue. > > > > Thanks, > > Gayathri > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
