Re: Question about verifying signatures

David Shaw <dshaw@jabberwocky.com> Wed, 31 March 2010 01:53 UTC

Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id o2V1rmAo043236 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 30 Mar 2010 18:53:48 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id o2V1rm0J043234; Tue, 30 Mar 2010 18:53:48 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from walrus.jabberwocky.com (walrus.jabberwocky.com [173.9.29.57]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id o2V1rk10043226 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-openpgp@imc.org>; Tue, 30 Mar 2010 18:53:47 -0700 (MST) (envelope-from dshaw@jabberwocky.com)
Received: from grover.home.jabberwocky.com (grover.home.jabberwocky.com [172.24.84.28]) by walrus.jabberwocky.com (8.14.3/8.14.3) with ESMTP id o2V1rjNA022208; Tue, 30 Mar 2010 21:53:45 -0400
Subject: Re: Question about verifying signatures
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: David Shaw <dshaw@jabberwocky.com>
In-Reply-To: <20100330202049.GA21672@mediacentre>
Date: Tue, 30 Mar 2010 21:53:45 -0400
Cc: ietf-openpgp@imc.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <5FEFDF51-313E-4247-A813-CA8B0195F071@jabberwocky.com>
References: <20100330202049.GA21672@mediacentre>
To: Stephen Paul Weber <singpolyma@singpolyma.net>
X-Mailer: Apple Mail (2.1078)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Mar 30, 2010, at 4:20 PM, Stephen Paul Weber wrote:

> I'm reading RFC4880 in an attempt to produce an implementation of a subset
> of OpenPGP (RSA signatures) using <http://phpseclib.sourceforge.net/>.  I
> have the public-key and compression-literal-signature packets parsed out.  I
> can extract n and e and feed them to Crypt_RSA to construct a verifier.  I
> tell it I'm using sha256.  It then needs a "message" and a "signature"
> parameter.  I get the signature data out of the signature packet no problem.
> The question I have is: what is "message"?  According to section 5.2.4 it's
> some combination of the literal data packet(s?) (their bodies or the whole
> packet?) and the "hashed" subpackets.  Do I just concat all the data packets
> and the hashed packets together in the order they appear?

Basically, yes.

To paraphrase 5.2.4, and assuming we're talking about V4 signatures, you take all the data (just the uncompressed literal packet body - not including the literal packet header), and follow that with the signature version (1 byte), the signature type (1 byte), the public-key algorithm (1 byte), the hash algorithm (1 byte), the hashed subpacket length (2 bytes, big-endian), and the hashed subpacket body (however many bytes).  Note that these are the first n bytes of your signature packet.  Then you hash the trailer: 0x04, 0xFF, and a four-byte big-endian number which is the number of bytes you hashed from the signature (i.e. 6 bytes, plus the number of subpacket bytes).

Note that the data (literal packet contents) might be tagged as binary (0x00) or text (0x01) (the tag is in the literal packet header).  They are the same, except that text has its line endings canonicalized to CRLF.

David
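The hashing procedure David walks through above, as an added worked example in Python. This is not code from the thread, from RFC 4880, or from phpseclib; it is an illustration written for this archive page. It assumes a V4 signature packet body already split out of its packet header, a literal packet body likewise already extracted (and decompressed), and it decides whether to canonicalize line endings to CRLF from the signature type byte (0x01, canonical text document, per RFC 4880 section 5.2.1). The sample signature packet body is constructed for the example, with a placeholder MPI rather than a real RSA signature value, and `make_sample_sig_body`, `sample_pair` and the other function names are this example's own. As a practitioner's sanity check it also compares the first two bytes of the computed digest against the "left 16 bits of hash" field that follows the unhashed subpackets in the packet, which is a cheap way to catch a wrong hash input before doing any RSA.

```python
import hashlib

# Hash algorithm ids from RFC 4880 section 9.4 (subset used here)
HASH_ALGOS = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}

SIG_CANONICAL_TEXT = 0x01  # signature type: canonical text document (RFC 4880 5.2.1)


def canonicalize_text(data: bytes) -> bytes:
    """Convert every line ending to CRLF, as required for type 0x01 signatures."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").replace(b"\n", b"\r\n")


def parse_v4_signature(body: bytes) -> dict:
    """Split a V4 signature packet body into the pieces needed for hashing.

    Layout: version(1) type(1) pk_algo(1) hash_algo(1) hashed_len(2) hashed subpackets
            unhashed_len(2) unhashed subpackets left16(2) MPI(s)
    """
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a V4 signature packet body")
    hashed_len = int.from_bytes(body[4:6], "big")
    pos = 6 + hashed_len
    if len(body) < pos + 2:
        raise ValueError("truncated hashed subpacket area")
    unhashed_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2 + unhashed_len
    if len(body) < pos + 2:
        raise ValueError("truncated unhashed subpacket area")
    return {
        "sig_type": body[1],
        "pk_algo": body[2],
        "hash_algo": body[3],
        "hashed_prefix": body[:6 + hashed_len],  # version .. end of hashed subpackets
        "left16": body[pos:pos + 2],
        "mpis": body[pos + 2:],
    }


def v4_hash_input(literal_body: bytes, sig_body: bytes) -> bytes:
    """Return the exact byte string that is hashed for a V4 signature over a literal body."""
    sig = parse_v4_signature(sig_body)
    data = canonicalize_text(literal_body) if sig["sig_type"] == SIG_CANONICAL_TEXT else literal_body
    prefix = sig["hashed_prefix"]
    # Trailer: 0x04, 0xFF, then the number of signature-packet bytes hashed (4 bytes, big-endian)
    trailer = b"\x04\xff" + len(prefix).to_bytes(4, "big")
    return data + prefix + trailer


def v4_signature_digest(literal_body: bytes, sig_body: bytes) -> bytes:
    """Digest over the hash input, using the hash algorithm named in the signature packet."""
    sig = parse_v4_signature(sig_body)
    try:
        name = HASH_ALGOS[sig["hash_algo"]]
    except KeyError:
        raise ValueError(f"unsupported hash algorithm id {sig['hash_algo']}")
    return hashlib.new(name, v4_hash_input(literal_body, sig_body)).digest()


def left16_matches(literal_body: bytes, sig_body: bytes) -> bool:
    """Sanity check: the packet's 'left 16 bits of hash' must equal the digest's first two bytes."""
    digest = v4_signature_digest(literal_body, sig_body)
    return digest[:2] == parse_v4_signature(sig_body)["left16"]


def make_sample_sig_body(sig_type: int, left16: bytes) -> bytes:
    """Constructed sample V4 signature body: RSA (1), SHA-256 (8), one creation-time subpacket.

    The MPI at the end is a placeholder, not a real RSA signature value.
    """
    creation_time = b"\x05\x02" + (0x4BB28E00).to_bytes(4, "big")  # subpacket len 5, type 2
    hashed = creation_time
    return (bytes([4, sig_type, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + b"\x00\x00"        # no unhashed subpackets
            + left16
            + b"\x00\x08\xab")   # placeholder MPI: 8 bits, value 0xAB


def sample_pair(sig_type: int = 0x00):
    """Constructed (literal body, signature body) pair whose left16 field is consistent."""
    literal = b"hello world\n"
    draft = make_sample_sig_body(sig_type, b"\x00\x00")
    digest = v4_signature_digest(literal, draft)  # left16 is outside the hashed area
    return literal, make_sample_sig_body(sig_type, digest[:2])


if __name__ == "__main__":
    lit, sig = sample_pair()
    print("hash input:", v4_hash_input(lit, sig).hex())
    print("digest    :", v4_signature_digest(lit, sig).hex())
    print("left16 ok :", left16_matches(lit, sig))
```

Which of the two functions to hand to the RSA verifier depends on how it is built: a verifier that hashes internally gets the output of `v4_hash_input` as its "message", while one that expects a precomputed digest gets `v4_signature_digest`. Feeding it the raw literal body alone, or the whole literal packet including its header, produces a digest that no valid signature will match, and the `left16_matches` check will show that immediately.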