Sign, verify and recover message directly, without using a hash


Phil Atkin

Jun 30, 2020, 1:28:41 PM
to Crypto++ Users
I currently use the following command to sign a short message:

      openssl pkeyutl -sign -in message -inkey privateKey.pem -out signedMessage

I am trying to use CryptoPP to verify and recover this message (using the public key).  Note that this openssl command does not generate or use a digest; it signs the original message.  This may be undesirable but I need my implementation to work with messages that have already been signed in this way.

If I use

      RSA::PrivateKey privateKey;
      privateKey.Load(FileSource("privateKey", true, NULL, true /*binary*/).Ref());
      RSASS<PSSR, SHA1>::Signer signer(privateKey);

... then I can sign a message but the output is different for every run.  The openssl command above always gives the same output, and I need CryptoPP to reproduce this.  I think this is to do with the hash function (digest) that CryptoPP is including (as per convention) and that I can't work out how to exclude.

Similarly, if I try to use a RSASS<PSSR, SHA1>::Verifier to do a RecoverMessage on the output of openssl (which is my ultimate goal), the verification fails.

Is there a way to define a Verifier that does not expect to find a hash value?

P.S. Please be gentle; cryptography is definitely not my thing...

Jeffrey Walton

Jul 2, 2020, 8:29:02 PM
to Crypto++ Users

OpenSSL is using PKCS#1, which is deterministic. PKCS#1 is the old way of doing things. Also see https://blog.cryptographyengineering.com/2012/06/21/bad-couple-of-years-for-cryptographic/ and https://www.openssl.org/docs/man1.0.2/man1/pkeyutl.html.

In Crypto++ you are using a randomized signature scheme via PSS in PSSR. PSS is "probabilistic signature scheme" and the "R" indicates recovery. PSSR is the new way of doing things.

Randomized signature schemes always produce a different signature on the same message because the padding is randomized. Or if it does not, then there's something wrong with the implementation.


Jeff

Jeffrey Walton

Jul 2, 2020, 8:38:50 PM
to Crypto++ Users


On Tuesday, June 30, 2020 at 1:28:41 PM UTC-4, Phil Atkin wrote:
I currently use the following command to sign a short message:

      openssl pkeyutl -sign -in message -inkey privateKey.pem -out signedMessage

I am trying to use CryptoPP to verify and recover this message (using the public key).  Note that this openssl command does not generate or use a digest; it signs the original message.  This may be undesirable but I need my implementation to work with messages that have already been signed in this way.

...

Regarding the titular question about signing a message without hashing, see https://www.cryptopp.com/wiki/Raw_rsa.

Jeff
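
Added example, not part of the thread and not Crypto++ or OpenSSL code: assuming the signature was made with PKCS#1 v1.5 padding and no digest, the raw RSA public-key operation (see the Raw RSA wiki page linked above) yields a block `00 01 FF..FF 00 M` once encoded big-endian to the modulus length, and the message is accepted only if that structure checks out. The function names and the 128-byte sample block are constructed for illustration; only the C++ standard library is used.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// Signer side: EM = 00 || 01 || FF..FF || 00 || M for a k-byte modulus.
// Returns an empty vector if M does not leave room for 8 padding bytes.
Bytes encode_type1(const Bytes& msg, std::size_t k) {
    if (k < 11 || msg.size() > k - 11) return Bytes();
    Bytes em(k, 0xFF);
    em[0] = 0x00;
    em[1] = 0x01;
    em[k - msg.size() - 1] = 0x00;                       // separator
    std::copy(msg.begin(), msg.end(), em.end() - msg.size());
    return em;
}

// Verifier side: em is the output of the raw public-key operation, left-padded
// with zeros to exactly k bytes. On success msg holds the recovered message.
bool recover_type1(const Bytes& em, std::size_t k, Bytes& msg) {
    if (k < 11 || em.size() != k) return false;          // must be full length
    if (em[0] != 0x00 || em[1] != 0x01) return false;    // block type 1 only
    std::size_t i = 2;
    while (i < k && em[i] == 0xFF) ++i;                  // skip padding string
    if (i < 10) return false;                            // fewer than 8 FF bytes
    if (i == k || em[i] != 0x00) return false;           // missing separator
    msg.assign(em.begin() + i + 1, em.end());
    return true;
}

int main() {
    const Bytes m = {'h', 'e', 'l', 'l', 'o'};           // constructed sample
    Bytes em = encode_type1(m, 128);                     // k = 128: 1024-bit modulus
    Bytes out;
    std::printf("valid block:    %d\n", recover_type1(em, 128, out) && out == m);
    em[1] = 0x02;                                        // type 2 is encryption padding
    std::printf("tampered block: %d\n", recover_type1(em, 128, out));
    return 0;
}
```

Because the padding is fixed, the same message and key always give the same block, which is why the OpenSSL output never changes between runs.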

Phil Atkin

Jul 3, 2020, 6:07:47 AM
to Crypto++ Users
 

Thanks for both your replies, Jeff.  

It's clear (now!) that my initial naive steps were in a bad direction, but I was coming to the topic 'cold' and there was a great deal to learn and understand.  Once I got something to work, I stuck with it.  It does work, and it provides the level of security I need - I was just hoping to avoid the need to use openssl.

The references you kindly provided (particularly the last) seem like they will provide a solution, albeit requiring a level of detailed understanding that I was hoping to avoid...

Cheers,

Phil