Topic: Verifying a Signature in a Non-Standard Environment

Forgive me if I sound like an idiot.  All of this cryptography stuff is very new to me and I am trying to struggle my way to understanding it all and getting this to work.

To give a brief background of my project, I am implementing the DNP3.0 protocol which contains Secure Authentication (SA).  I am using a 3rd party software that handles the bulk of the protocol, but I am using wolfSSL embedded SSL to implement the cryptography part.  So basically I am bridging the calls from the other software to wolfSSL.

The first place I seem to have gotten stuck is verifying a signature.  The section of the wolfSSL Manual that deals with this is, I think, 10.5.4.

To make it simple, let's just assume that they are only using the SHA256 hashing algorithm to verify the signature.  I'm not even sure I will implement the SHA1 part because it appears to not be recommended any more.

So I am being passed a pointer to an array of bytes that contains the key (*pKey) and its length (pKeyLength).  Also I am being passed a pointer to an array of bytes that contains "data to use for verifying signature" (*pData) and its length (pDataLength).  The last thing I am being passed is "signature data (certification) to be verified" (*pSig) and its length (pSigLength).

I am having a hard time understanding how I fit this into your functions.  I have dug down into some of the structures and functions, but it wasn't clear to me exactly how I should tie this data in.  I don't think I need to call "InitSha256()" or do any of the updating or Final. . . but I'm really not quite sure.  I assume I only need to figure out how to get their data/key into your  data/key and then call DsaVerify, but I can't find the information I need to make this happen.

Thanks for any help.

Re: Verifying a Signature in a Non-Standard Environment

It sounds like you want to only use our cryptography library, wolfCrypt (formerly CTaoCrypt). The wolfSSL library is an application of wolfCrypt. It doesn't sound like you are using SSL/TLS at all.

Signatures for data are usually a hash of the data, and then that data is encrypted with a private key. The other end takes the same data, hashes it and decrypts the signature with the public key, then compares the two hashes. The DsaVerify() function assumes you have your copy of the hash, and the signed hash (the encrypted hash from the peer), and the key.

You'll need to make a SHA-256 hash of the data first. Then you use DsaVerify().

We have two sections in our manual describing data signing. Chapter 12 gives an overview of how signing works. Chapter 10 covers the wolfCrypt cryptography suite with examples.
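
The hash-then-verify flow described in the reply above, as an added example that is not part of the thread and is not wolfCrypt code: a pure-Python DSA verifier taking a key, the data and the signature. The domain parameters `P`, `Q`, `G`, the key pair, the sample message and the `r || s` signature layout are assumptions constructed for illustration and are far too small for real use; the example also goes slightly beyond the post by showing the range checks on `r` and `s` and the truncation of the SHA-256 digest to the bit length of `Q`.

```python
import hashlib

# Constructed toy DSA domain parameters (assumption): far too small for real use.
P = 1_000_000_007               # prime modulus
Q = 500_000_003                 # prime subgroup order, Q divides P - 1
G = 4                           # 2^((P-1)/Q) mod P, generates the order-Q subgroup
N = (Q.bit_length() + 7) // 8   # bytes per signature component (r or s)


def digest_to_int(data: bytes) -> int:
    """SHA-256 the data and keep the leftmost bits, as many as Q has."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return h >> (256 - Q.bit_length())


def verify_signature(y: int, data: bytes, sig: bytes) -> bool:
    """Return True only if sig (r || s, N bytes each) is valid for data under y."""
    if len(sig) != 2 * N:
        return False
    r = int.from_bytes(sig[:N], "big")
    s = int.from_bytes(sig[N:], "big")
    if not (0 < r < Q and 0 < s < Q):   # reject out-of-range components
        return False
    z = digest_to_int(data)             # step 1: hash the received data
    w = pow(s, -1, Q)                   # step 2: DSA verification equation
    u1, u2 = z * w % Q, r * w % Q
    v = pow(G, u1, P) * pow(y, u2, P) % P % Q
    return v == r


def sign_sample(x: int, data: bytes) -> bytes:
    """Sample signer, present only to produce input for the verifier."""
    z = digest_to_int(data)
    seed = hashlib.sha256(x.to_bytes(N, "big") + data).digest()
    k = int.from_bytes(seed, "big") % (Q - 1) + 1   # per-message nonce
    while True:
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (z + x * r) % Q
        if r and s:
            return r.to_bytes(N, "big") + s.to_bytes(N, "big")
        k = k % (Q - 1) + 1


X = 123_456_789                 # constructed private key
Y = pow(G, X, P)                # matching public key
DATA = b"constructed sample message"
SIG = sign_sample(X, DATA)
```

The verifier never sees the private key: it recomputes the digest from the received data and checks it against `r` and `s` using only the public value `Y`.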

Re: Verifying a Signature in a Non-Standard Environment

I would suspect that I have to only use the cryptography library.

However, I suspect it is just a subset of the larger wolfSSL library.  The IDE I am using does a lot of dead stripping, so is it okay for me to continue using the wolfSSL library, or do you still recommend that I use wolfCrypt?  When we were discussing licensing, we were referencing wolfCrypt, and when I got the code, I thought maybe it was just a subset of what I have.  If you think I should switch, now would be a good time as I have not done too much, but I would need to source.

I am reading the other sections now, thank you.

Charlie

Re: Verifying a Signature in a Non-Standard Environment

wolfSSL is built on wolfCrypt. If you use dead code stripping and don't call any of the wolfSSL code, you're set.

Re: Verifying a Signature in a Non-Standard Environment

First, thanks for the help so far.  To follow up on this, I think there is some kind of error in the documentation.  I just want to clarify that I am doing this right.

I am using:

wolfSSL User Manual
March 11, 2013
Version 2.5.1

On page 79/80 under the section: 10.5.4 DSA (Digital Signature Algorithm)

In the example, there is no "tmp" variable defined.  However, it is used.

Looking at the function call:

ShaUpdate(&sha, tmp, message);

I'm pretty sure is wrong, as you are passing message, which is byte *, to the word32 length part of the function.

I assume that the tmp variable should be gotten rid of, and replaced with message.  And the function call should look like

ShaUpdate(&sha, message, sizeof(message));

And then this would propagate down to:

DsaPrivateKeyDecode(message, &idx, &key, dsaKeyBuffer);

Am I correct?

Re: Verifying a Signature in a Non-Standard Environment

Hi ctb,

It looks like this has been fixed post-5.2.1.  You can view our most current version of the CTaoCrypt usage reference online, here:  http://yassl.com/yaSSL/Docs-cyassl-manu … rence.html.

A new version of the PDF Manual will be released with our upcoming 2.8.0 release.

Thanks,
Chris

Re: Verifying a Signature in a Non-Standard Environment

Looks like the problem still exists in this version of the usage reference.

Re: Verifying a Signature in a Non-Standard Environment

Spoke too soon... should be updated now.

Thanks,
Chris