> > I used fwrite(signature,1,strlen(signature),fp) and got the
> > same results.

        You seem to have a fundamental misunderstanding about how strings work in
C. That's not good for someone writing security software. The 'strlen'
function computes the length of a C-style string. The signature *IS* *NOT* a
C-style string. It *MUST* *NOT* be passed to 'strlen'.

        Also, this code has a problem:

        if(RSA_sign(NID_sha1, (unsigned char*) message, strlen(message),
signature, &slen, private_key) != 1) {

        You are telling RSA_sign that you are using it to sign a SHA1 hash, but the
message is not a SHA1 hash. I believe this will currently sort of work, but
it's very bad practice.

        You should not be using low-level RSA functions unless you really
understand RSA. You have already gotten, in the previous round, perfectly
clear explanations of this:

"RSA_sign() and RSA_verify() don't sign arbitrary data they expect the
digest of the data being signed/verified.
If you want an API that does sign arbitrary data use EVP_Sign*() and
EVP_Verify*() instead."

        You are still neither calling the EVP_* functions nor generating a hash.

        and

"The signature is not a NUL terminated C-string, so using "printf" is
not the right way to save it to a file. You are throwing away "slen",
don't."

        You are still treating the signature as if it was a C-style string and
throwing away slen.

        What's the point of asking questions if you ignore the answers?

        DS



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
