[Botan-devel] Raw RSA

Rickard Bellgrim rickard.bellgrim at iis.se
Thu Apr 22 03:05:04 EDT 2010

On 21 apr 2010, at 16.46, Jack Lloyd wrote:

> On Wed, Apr 21, 2010 at 04:12:33PM +0200, Rickard Bellgrim wrote:
>> On 21 apr 2010, at 15.40, Jack Lloyd wrote:
>>> EMSA "Raw" (which maps to the EMSA_Raw) class should do it. Can you
>>> send your input file? I can't quite puzzle out what OpenSSL is doing
>>> differently here.
>>> -Jack
>> Yes, sure. Here you go. I think .sig was from Botan and .sig2 was from OpenSSL.
> Clearly something went quite badly here: file.txt.sig has a value
> which is actually larger than the RSA modulus in rsa.pem. I don't
> understand how this is possible... are you sure you used the same key
> to generate both of these signatures?

Hmm, now I cannot recreate this bad signature. Because now it works. And I can do this:

# Generate key pair (The key also could have been generated within SoftHSM)
openssl genrsa -out rsa2048.key 2048
openssl pkcs8 -topk8 -in rsa2048.key -out rsa2048.pem -nocrypt

# Import key pair
softhsm --import rsa2048.pem --slot 3 --label 14 --id 14 --pin 123456

# Sign data
pkcs11-tool --module=/usr/local/lib/libsofthsm.so --slot 3 -p 123456 --id 14 -s -i file.txt -o file.txt.sig -m RSA-X-509

# Verify signature
openssl rsautl -verify -in file.txt.sig -inkey rsa2048.pem -raw -out file.txt.org
diff file.txt file.txt.org

> file.txt.sig2 seems to have a valid signature, but in botan it doesn't
> verify anyway! That's because after the sig^e mod n RSA computation
> the initial leading 0x00 byte is removed, and then when we compare the
> two values in EMSA_Raw::verify they don't match. Definitely a bug
> there.

Sorry, I probably missed some flag or so when testing it the first time. But at least another bug was found :)

// Rickard

More information about the botan-devel mailing list