Openssl verification of signature


Nischal Bansal

Dec 9, 2016, 12:29:28 PM
to FIDO Dev (fido-dev)
Hi,

We are generating a public key and a signature and trying to verify it using OpenSSL.

Below is our code for Key pair generation:
KeyPairGenerator g = KeyPairGenerator.getInstance("RSA", "SC");
g.initialize(2048);
return g.generateKeyPair();

Below is our code for signature creation:

Option 1: 
Signature sig = Signature.getInstance("SHA256WithRSA");
sig.initSign(priv);
sig.update(input);
byte[] signature = sig.sign();
Verified OK with OpenSSL option 1
Signature Verification Failure with OpenSSL option 2

Option 2: 

Signature pss = Signature.getInstance("RSASSA-PSS");
pss.initSign(priv);
PSSParameterSpec pssParamSpec = 
new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);
pss.setParameter(pssParamSpec);
pss.update(input);
byte[] signature = pss.sign();

Signature Verification Failure with OpenSSL option 1

Signature Verification Failure with OpenSSL option 2


Q1: What is the correct option to generate Signature?

Q2: If there is any mistake in signature generation, please suggest?


OpenSSL commands to verify Signature
Option 1:
>openssl dgst -sha256 -verify pub -signature sig hashfile
Verified OK

Option 2:
>openssl pkeyutl -verify -pubin -inkey pub -sigfile sig -in hashfile -pkeyopt digest:sha256 -keyform PEM -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:32
Signature Verification Failure

Q3: What is the difference between these OpenSSL options?
Q4: Which OpenSSL option is correct to verify signature & Why?
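
As an added example (not part of the original post), this script recreates both signature schemes from the post with a throwaway key, using only OpenSSL, and runs the two verification commands against each. The file names and the message are constructed; it shows that `dgst` hashes the file itself, while `pkeyutl` treats whatever is passed to `-in` as the already-computed digest.

```shell
#!/bin/sh
# Added demo with a throwaway key and a constructed message; all file names are assumptions.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

setup() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/priv.pem" 2>/dev/null
    openssl pkey -in "$work/priv.pem" -pubout -out "$work/pub.pem"
    printf 'constructed sample message' > "$work/msg"
    # Same scheme as Java "SHA256WithRSA": SHA-256, then PKCS#1 v1.5 padding.
    openssl dgst -sha256 -sign "$work/priv.pem" -out "$work/sig.v15" "$work/msg"
    # Same scheme as "RSASSA-PSS" with SHA-256, MGF1/SHA-256 and a 32-byte salt.
    openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
        -sign "$work/priv.pem" -out "$work/sig.pss" "$work/msg"
    # pkeyutl does not hash its input, so keep the raw 32-byte digest for it.
    openssl dgst -sha256 -binary -out "$work/msg.sha256" "$work/msg"
}

# $1 = signature file. dgst hashes the message itself and expects PKCS#1 v1.5.
verify_dgst_v15() {
    openssl dgst -sha256 -verify "$work/pub.pem" -signature "$1" "$work/msg" 2>&1 |
        grep -q 'Verified OK'
}
# $1 = signature file. Same command with PSS selected through -sigopt.
verify_dgst_pss() {
    openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
        -verify "$work/pub.pem" -signature "$1" "$work/msg" 2>&1 | grep -q 'Verified OK'
}
# $1 = signature file, $2 = file passed to -in, which pkeyutl treats as the digest.
verify_pkeyutl_pss() {
    openssl pkeyutl -verify -pubin -inkey "$work/pub.pem" -sigfile "$1" -in "$2" \
        -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:32 2>&1 |
        grep -q 'Signature Verified Successfully'
}

report() { label=$1; shift; if "$@"; then echo "$label: verified"; else echo "$label: FAILED"; fi; }

setup
report "dgst v1.5 check, v1.5 signature" verify_dgst_v15 "$work/sig.v15"
report "dgst v1.5 check, PSS signature " verify_dgst_v15 "$work/sig.pss"
report "dgst PSS check,  PSS signature " verify_dgst_pss "$work/sig.pss"
report "pkeyutl PSS, -in raw message   " verify_pkeyutl_pss "$work/sig.pss" "$work/msg"
report "pkeyutl PSS, -in SHA-256 digest" verify_pkeyutl_pss "$work/sig.pss" "$work/msg.sha256"
```

The results are read from the text OpenSSL prints rather than from exit codes, so the functions behave the same across OpenSSL releases.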