[cryptopp-users] Using Crypto++ to sign using private key; SHA1 vs Whirlpool

[Olli Savolainen]

Hi there, 

I'm using crypto++ according to the RSA-PSSR-Filter-Test.zip example from 
this link and it works:
http://marko-editor.com/articles/cryptopp_sign_string/

I'm trying to find something I can use reliably for signing a message with 
private key and verifying its origin with public key programmatically in a 
Qt app.

I am happy I can actually get the message extracted while verifying the 
signature:

        StringSource(signature, true,
        new SignatureVerificationFilter(
            verifier,
            new StringSink(recovered),
            SignatureVerificationFilter::THROW_EXCEPTION | 
SignatureVerificationFilter::PUT_MESSAGE) // SignatureVerificationFilter
    ); // StringSource

    assert(ui->plainTextEdit->toPlainText().toStdString() == recovered);

But SHA1 is unsafe.

Then I found this example with Whirlpool. However, it doesn't seem to 
extract the actual original message, just claims to verify it.Does this 
code actually verify the message though? The ArraySink usage seems a bit 
esoteric to me so I can't tell.
http://marko-editor.com/articles/cryptopp_sign_string/

  bool result = false;
  Verifier verifier(publicKey);
  CryptoPP::StringSource ss2(decodedSignature + aMessage, true,
                         new CryptoPP::SignatureVerificationFilter(verifier,
                           new CryptoPP::ArraySink((byte*)&result,
                                                   sizeof(result))));

  return result;

I tried to convert the code to be similar to the SHA1 example but this does 
not extract any message:

    CryptoPP::StringSource ss2(decodedSignature, true,
        new CryptoPP::SignatureVerificationFilter(verifier,
            new StringSink(recovered)));

Is it possible to convert this code with Whirlpool to actually extract the 
message from the signature, or is the actual message not contained in the 
signature although it appears to be PSSR?

I am also wondering about the usage of 'new' allocations here; does this 
code actually leak memory?

My apologies for any erroneous terminology; I am not in the security field.
I hope linking to the full examples instead of attaching to them to this 
message is enough, it seemed extraneous to attach files here that are 
already publicly available. I already asked this on stackoverflow before, 
feel free to respond there if you like. 
https://stackoverflow.com/questions/54033029/using-crypto-to-sign-using-private-key-sha1-vs-whirlpool

Kind regards,
Olli Savolainen


-- 
You received this message because you are subscribed to "Crypto++ Users". More 
information about Crypto++ and this group is available at 
http://www.cryptopp.com and 
http://groups.google.com/forum/#!forum/cryptopp-users.
--- 
You received this message because you are subscribed to the Google Groups 
"Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cryptopp-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.