openssl - 'dgst verify and sign' equivalent with 'RSA_verify()'


I am using the RSA_verify() function to validate a SHA that was signed using the openssl program (via the console). RSA_verify() is returning a non-successful validation, and I think I am sending incorrect parameters to it.

The following console commands were run in Linux Ubuntu with OpenSSL 0.9.8k.

The C functions are compiled for Android, using OpenSSL 1.0.1...c as far as I remember. It's 1.0.1 (we updated it to avoid the Heartbleed issue).

This is what I do... please forgive any mistake, I am learning this myself.

  1. Generate the private key

    openssl genrsa -out private.key 2048 
  2. Extract the public key from the private key

    openssl rsa -in private.key -out public.key -outform pem -pubout 
  3. Calculate the SHA of a file called permissions, sign it with private.key, and output the SHA with RSA encryption (permissions.sign)

    openssl dgst -sha256 -sign private.key -out permissions.sign permissions 
  4. Validate the received SHA signature against the permissions file (it's successful in the Ubuntu console)

    openssl dgst -sha256 -verify public.key -signature permissions.sign permissions 
  5. I copy the permissions file, the permissions.sign file and the public.key file to the file system in Android.

  6. I verify that permissions.sign was created from permissions and a matching private.key... by means of public.key (I don't have the private key in Android).

This is the C function.

    #include <openssl/pem.h>
    #include <openssl/rsa.h>
    #include <openssl/sha.h>

    ...

    /* Initialize the public key */
    RSA *pub_key = RSA_new();

    if(NULL == pub_key)
    {
       ANDROID_LOGE("RSA_new failed");
       result = 0;
    }
    else
    {
       FILE* fp = fopen(public_key, "r");

       if(NULL == fp)
       {
          ANDROID_LOGE_P("fopen [%s] failed", public_key);
          result = 0;
       }
       else
       {
          /* Read the key from the passed path */
          if(PEM_read_RSA_PUBKEY(fp, &pub_key, NULL, NULL) == NULL)
          {
             ANDROID_LOGE_P("[%s] can't be read", public_key);
             result = 0;
             fclose(fp);
          }
          else
          {
             /* Verify the file and its SHA with the public key */
             int verified = RSA_verify(
                 NID_sha256,
                 file,      /* message digest (the message to validate) */
                 file_size, /* message size */
                 sign,      /* signature (the signed SHA) */
                 sign_size, /* signature size */
                 pub_key);

             ANDROID_LOGD("NID_sha256");

             if(verified)
             {
                result = 1;
                ANDROID_LOGD_P("[%s] is valid", file_to_verify);
             }
             else
             {
                ANDROID_LOGE_P("[%s] is not valid", file_to_verify);
             }

             fclose(fp);
          }
       }

       /* Free the key on every path, including when fopen failed */
       RSA_free(pub_key);
    }

  • public_key is the path to public.key
  • PEM_read_RSA_PUBKEY succeeds
  • NID_sha256 is what I think should be used for the verification
  • file is a byte array with the contents of permissions
  • file_size is the array size of file
  • sign is a byte array with the contents of permissions.sign
  • sign_size is the array size of sign
  • RSA_verify() fails, it returns 0

So the question is, is it correct to:

  • generate the keys with the commands I used,

  • sign the permissions file (which generates permissions.sign),

  • and try to verify the files with PEM_read_RSA_PUBKEY() and RSA_verify()?

Are the commands I used for the signing process equivalent to the C functions I used for the verification process?

Please let me know if more info is required or if I should study more on this.

Thanks!

Edit: I added error printing after calling RSA_verify():

    ANDROID_LOGE_P("openssl: %s", ERR_reason_error_string(ERR_get_error()));

It prints:

    openssl: bad signature

Still investigating.

There are several missing steps in the process of reading the public key.

The correct commands to generate the private and public keys are as follows:

Generate the private key: "openssl genrsa -out private.key 2048"

Extract the public key (in DER certificate form) from the private key (needed by rsa_sha_verify()): "openssl req -outform der -new -x509 -key private.key -out public.key -days 30000"

Generate the public key with no certificate info (only needed by "openssl dgst -sha1 -verify ..."): "openssl x509 -inform der -in public.key -pubkey -noout > public_no_cert.key"

Sign the file with the private key: "openssl dgst -sha1 -sign private.key -out permissions.sign permissions"

Verify the file with the public key (no certificate info): "openssl dgst -sha1 -verify public_no_cert.key -signature permissions.sign permissions"

Please refer to the documentation on openssl.org for details. An X509 DER certificate holding the public key is required to verify the signed SHA with RSA_verify().

An equivalent in command mode to RSA_verify() is:

    openssl dgst -sha1 -verify public.key -signature permissions.sign permissions

For source code, please refer to this link: http://www.bmt-online.org/geekisms/rsa_verify

It will not compile at first sight, you will have to tweak it. The calls to the functions in there are as follows:

    result = sign_data(
          input_file_buffer,
          input_file_size,
          private_key_buffer,
          private_key_size,
          (void**)&signature,
          &signature_size);

    result = verify_data(
          input_file_buffer,
          input_file_size,
          signature_buffer,
          signature_size,
          public_key_buffer,
          public_key_size);

Everything has to be in RAM, and you pass them as pointers.

The signing function expects a pointer to a pointer (**) to save the signed SHA into. You can later save it to a file.

Tested under Ubuntu with OpenSSL 0.9.8k.

If you see anything missing, please let me know. Thanks for reading!

Edit: here's a link to the source code... http://migsantiago.com/index.php/tutoriales/32-firma-y-valida-archivos-con-openssl
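For readers comparing the question and the answer above, here is an added example (not code from either post, and not from the linked sources) in Go, whose standard-library crypto/rsa implements the same PKCS#1 v1.5 signature scheme that `openssl dgst -sha256 -sign`, `openssl dgst -sha256 -verify` and RSA_verify() use. It shows that the console sign/verify pair corresponds to hashing the file and then signing or verifying the 32-byte digest, that passing the raw file contents where the digest belongs cannot verify, what the padded block looks like after sig^e mod n, and that the "BEGIN PUBLIC KEY" file written by `openssl rsa -pubout` (the format PEM_read_RSA_PUBKEY reads) is sufficient on its own. The key and the permissions file contents are constructed inline, and all function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
)

// sha256DigestInfo is the DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-256
// (RFC 8017, section 9.2). A verifier prepends it to the 32-byte digest before
// comparing against the block recovered from the signature.
var sha256DigestInfo = []byte{0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
	0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}

// SignFile mirrors `openssl dgst -sha256 -sign private.key`: hash the whole
// file, then sign only the 32-byte digest with PKCS#1 v1.5 padding.
func SignFile(priv *rsa.PrivateKey, fileContents []byte) ([]byte, error) {
	digest := sha256.Sum256(fileContents)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyFile mirrors `openssl dgst -sha256 -verify public.key` and the digest
// form of RSA_verify(NID_sha256, digest, 32, sig, siglen, rsa): the data
// argument is the digest of the file, not the file itself.
func VerifyFile(pub *rsa.PublicKey, fileContents, sig []byte) error {
	digest := sha256.Sum256(fileContents)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// VerifyRawContents passes the unhashed file where the digest belongs. The
// library rejects it, because the recovered block never matches.
func VerifyRawContents(pub *rsa.PublicKey, fileContents, sig []byte) error {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, fileContents, sig)
}

// EncodePEMPublicKey writes the SubjectPublicKeyInfo "PUBLIC KEY" PEM that
// `openssl rsa -in private.key -pubout` produces.
func EncodePEMPublicKey(pub *rsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// ParsePEMPublicKey reads that same file, the input PEM_read_RSA_PUBKEY expects.
func ParsePEMPublicKey(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("expected a PEM \"PUBLIC KEY\" block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("not an RSA public key")
	}
	return rsaPub, nil
}

// DigestInfoMatches does by hand what the library check does: compute
// sig^e mod n and confirm the block is 00 01 FF..FF 00 DigestInfo || SHA-256(file).
func DigestInfoMatches(pub *rsa.PublicKey, fileContents, sig []byte) bool {
	em := make([]byte, (pub.N.BitLen()+7)/8)
	new(big.Int).Exp(new(big.Int).SetBytes(sig), big.NewInt(int64(pub.E)), pub.N).FillBytes(em)
	digest := sha256.Sum256(fileContents)
	expected := append(append([]byte{}, sha256DigestInfo...), digest[:]...)
	if len(em) < len(expected)+11 || em[0] != 0x00 || em[1] != 0x01 {
		return false
	}
	sep := len(em) - len(expected) - 1
	for _, b := range em[2:sep] {
		if b != 0xff {
			return false
		}
	}
	return em[sep] == 0x00 && bytes.Equal(em[sep+1:], expected)
}

func main() {
	// Constructed sample: a throwaway key and a small "permissions" file.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	permissions := []byte("user=alice\nrole=reader\n")
	sig, err := SignFile(priv, permissions)
	if err != nil {
		panic(err)
	}
	fmt.Println("digest verify:", VerifyFile(&priv.PublicKey, permissions, sig))
	fmt.Println("raw contents verify:", VerifyRawContents(&priv.PublicKey, permissions, sig))
	fmt.Println("padded block layout ok:", DigestInfoMatches(&priv.PublicKey, permissions, sig))
}
```

Running it prints a nil error for the digest form, an error for the raw-contents form, and true for the manual layout check. The same key pair, encoded with EncodePEMPublicKey, parses back with ParsePEMPublicKey and verifies the signature, which is the round trip the question's steps 2 and 6 rely on.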

