On 12/08/2010 11:40 PM, Murray S. Kucherawy wrote:
>> -----Original Message-----
>> From: Nikos Mavrogiannopoulos [mailto:[email protected]] On Behalf Of Nikos Mavrogiannopoulos
>> Sent: Wednesday, December 08, 2010 2:28 PM
>> To: Murray S. Kucherawy
>> Cc: [email protected]
>> Subject: Re: RSA sign/verify and hash generation functions
>>
>> On 12/08/2010 12:30 AM, Murray S. Kucherawy wrote:
>>
>>> assert(gnutls_privkey_sign_hash(rsa_key, &dd, &rsa_out == GNUTLS_E_SUCCESS);
>>
>> Also check the documentation of the functions you are using :)
>
> I did. By the looks of things, the *_sign_hash() functions look like
> they sign a hash that's already been computed, which is the case for
> me, so that's what I used.

The current sign_hash functions are not what you want. They are tricky to use to generate correct signatures (for DSA they work ok, but for RSA they require one more step to generate a PKCS #1 compliant signature, i.e. BER encode the hash as DigestInfo). I'll add a safer-to-use API for 2.12.x and deprecate those functions. The _sign_data() functions work as expected.

regards,
Nikos

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
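
The extra RSA step mentioned in the reply above, wrapping a precomputed hash as a DigestInfo, shown as an added example that is not code from the thread or from GnuTLS. The names `di_wrap`, `di_unwrap` and `enum di_alg` are hypothetical, only SHA-1 and SHA-256 are covered, and the prefix bytes are the DER DigestInfo prefixes listed in RFC 8017, section 9.2.

```c
#include <stddef.h>
#include <string.h>

/* DER prefix of DigestInfo: SEQUENCE { AlgorithmIdentifier, OCTET STRING hdr }.
 * Values from RFC 8017, section 9.2, note 1. */
static const unsigned char SHA1_PREFIX[] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
static const unsigned char SHA256_PREFIX[] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };

enum di_alg { DI_SHA1, DI_SHA256 };   /* hypothetical names, not GnuTLS enums */

/* Map an algorithm to its prefix and digest length; -1 if unsupported. */
static int di_lookup(enum di_alg alg, const unsigned char **pfx,
                     size_t *pfx_len, size_t *hash_len)
{
    switch (alg) {
    case DI_SHA1:
        *pfx = SHA1_PREFIX; *pfx_len = sizeof SHA1_PREFIX; *hash_len = 20;
        return 0;
    case DI_SHA256:
        *pfx = SHA256_PREFIX; *pfx_len = sizeof SHA256_PREFIX; *hash_len = 32;
        return 0;
    }
    return -1;
}

/* Signer side: write prefix || hash into out. Returns the DigestInfo length,
 * or -1 on unknown algorithm, wrong hash length or too-small buffer. */
long di_wrap(enum di_alg alg, const unsigned char *hash, size_t hash_len,
             unsigned char *out, size_t out_cap)
{
    const unsigned char *pfx; size_t pfx_len, want;
    if (di_lookup(alg, &pfx, &pfx_len, &want) != 0 ||
        hash_len != want || out_cap < pfx_len + want)
        return -1;
    memcpy(out, pfx, pfx_len);
    memcpy(out + pfx_len, hash, want);
    return (long)(pfx_len + want);
}

/* Verifier side: accept only the exact expected encoding (no lenient parsing).
 * Returns a pointer to the embedded hash, or NULL if the structure differs. */
const unsigned char *di_unwrap(enum di_alg alg, const unsigned char *di, size_t di_len)
{
    const unsigned char *pfx; size_t pfx_len, want;
    if (di_lookup(alg, &pfx, &pfx_len, &want) != 0 ||
        di_len != pfx_len + want || memcmp(di, pfx, pfx_len) != 0)
        return NULL;
    return di + pfx_len;
}
```

The output of `di_wrap` is the value that the PKCS #1 v1.5 padding and RSA private-key operation are applied to; a raw hash signed without it will not verify against a compliant implementation.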
