Topic: DsaPublicKeyDecode fails with test public key

I try to use DsaPublicKeyDecode to convert a (dsa) DER public key to a DSA key, which I later want to use to verify a signature created with the private key. Creating the DSA key seems to be problematic though, as I always get -158 as return code:

ASN_DH_KEY_E     -158     ASN key init error, invalid input

As a test case, I extended the ctaocrypt/test/test.c source to also verify the generated signature with the public key (after verifying with the private key).

I applied to following patch (3.2.0 sources):

--- cyassl-3.2.0-build/ctaocrypt/test/test.c.orig       2014-09-11 00:17:13.000000000 +0200
+++ cyassl-3.2.0-build/ctaocrypt/test/test.c    2014-10-01 15:49:52.000000000 +0200
@@ -3983,6 +3983,31 @@
 
     FreeDsaKey(&key);
 
+    byte   tmp2[1024];
+    word32 bytes2;
+
+    file = fopen("./certs/dsa2048-pub.der", "rb");
+
+    if (!file)
+           return -66;
+
+    bytes2 = (word32) fread(tmp2, 1, sizeof(tmp2), file);
+    fclose(file);
+
+    DsaKey key2;
+    word32 idx2;
+
+    InitDsaKey(&key2);
+    ret = DsaPublicKeyDecode(tmp2, &idx2, &key2, bytes2);
+    printf("Ret failed with %d\n", ret);
+    if (ret != 0) return -67;
+
+    ret = DsaVerify(hash, signature, &key2, &answer);
+    if (ret != 0) return -68;
+    if (answer != 1) return -69;
+
+    FreeDsaKey(&key2);
+
     return 0;
 }
 

The extension reads './certs/dsa2048-pub.der' (the dsa public key) and creates a DsaKey object, which is then used to verify the constructed signature again, using the original sha digest hash. Unfortunately the process already ends at constructing the DsaKey object from the DSA public key in DER format.

cyassl-3.2.0-build$ ctaocrypt/test/testctaocrypt 
MD5      test passed!
SHA      test passed!
SHA-256  test passed!
HMAC-MD5 test passed!
HMAC-SHA test passed!
HMAC-SHA256 test passed!
ARC4     test passed!
DES      test passed!
DES3     test passed!
AES      test passed!
RANDOM   test passed!
RSA      test passed!
Ret failed with -158
DSA      test failed!
 error = -67

I created file ./certs/dsa2048-pub.der' using openssl:

openssl dsa -inform DER -in certs/dsa2048.der -pubout -outform DER -out certs/dsa2048-pub.der

Text info of openssl on dsa2048-pub.der :

cyassl-3.2.0-build$ openssl dsa -inform DER -in certs/dsa2048-pub.der -pubin -text
read DSA key
pub: 
    66:4b:bb:b7:c9:48:95:0d:5a:a6:2d:a1:7f:df:1f:
    67:6d:ed:52:4b:16:6c:17:c6:ae:f8:6a:c4:57:ed:
    2f:b3:f0:2a:55:ab:ba:ca:ea:17:e8:35:7c:e5:31:
    0d:4a:95:fc:43:6f:97:3c:5c:67:ac:be:67:7f:e9:
    4e:aa:48:b3:92:a1:76:75:ea:04:34:7f:87:33:2d:
    24:b6:29:97:e3:04:77:93:89:13:db:1b:93:b8:2c:
    90:1a:09:3b:26:d9:59:f3:2a:09:58:dc:ac:25:b4:
    a9:45:3b:a2:3a:6c:61:84:bf:68:d4:ea:9b:c5:29:
    48:60:15:10:35:2c:44:1d:b5:9a:ee:ac:c1:68:e8:
    47:b7:41:34:39:9a:f8:a5:20:e9:24:c4:2c:58:3f:
    4c:41:30:3a:14:6e:8d:ea:ad:ba:9b:43:d3:98:2f:
    83:d8:14:67:e8:f8:d5:4f:ac:e0:3b:bf:a7:54:16:
    5e:49:64:26:54:a4:6b:69:7c:ba:8a:83:d9:2e:65:
    0a:a2:27:ef:99:99:08:d7:b5:9f:a0:01:ef:7e:17:
    bf:83:6b:2e:dd:c0:39:38:23:68:b4:76:6b:e5:ca:
    f7:7c:ee:c0:52:e2:dd:ad:59:3a:42:06:45:b0:c7:
    c1:77:05:b2:0c:32:40:46:aa:da:79:77:04:71:df:
    7a
P:   
    00:cc:8e:c9:a0:d5:9a:27:1c:da:52:df:c7:c0:e6:
    06:a4:3e:8a:66:49:d0:59:33:51:69:c4:9c:5e:64:
    85:c7:f1:ab:d5:d9:62:ac:fd:a1:e0:1b:57:ff:96:
    ef:0c:9f:c8:44:87:eb:5c:91:d0:46:42:09:50:6a:
    23:cb:89:6f:55:e9:6a:11:a9:a8:32:ab:33:0d:51:
    b5:79:51:b4:ab:a2:25:11:8d:e5:24:be:d8:f1:9d:
    4e:12:6f:ac:44:54:80:a9:b4:81:68:4e:44:0e:b8:
    39:f3:be:83:08:74:a2:c6:7a:d7:6a:7d:0a:88:57:
    83:48:dc:cf:5e:6f:ee:68:0c:f7:ff:03:04:90:aa:
    f7:07:98:f8:67:5a:83:23:66:47:60:c3:43:6e:03:
    91:ac:28:66:cb:f0:d3:05:c8:09:97:b5:ae:01:5e:
    80:3b:9d:4f:de:3e:94:fe:cb:82:b0:b1:fc:91:8b:
    1d:8a:ee:c6:06:1f:37:91:48:d2:f8:6c:5d:60:13:
    83:a7:81:ac:ca:8d:d0:6a:04:0a:ea:3e:22:4e:13:
    f1:0d:bb:60:6b:cd:bc:5c:87:a3:67:2b:42:a1:9f:
    cd:39:58:be:55:b1:93:84:ce:b2:10:4e:e4:c3:9f:
    b2:53:61:01:29:aa:96:cb:20:60:42:1d:ba:75:4b:
    63:c1
Q:   
    00:e7:a5:39:d4:6a:37:5e:95:06:39:07:77:0a:eb:
    a0:03:eb:78:82:9b
G:   
    00:9a:d4:4c:71:2f:ec:fa:32:b2:80:7e:61:4a:6b:
    5f:18:76:43:c3:69:ba:41:c7:a7:1d:79:01:ec:af:
    34:87:67:4f:29:80:a8:3b:87:f6:e8:a1:e8:cd:1b:
    1c:86:38:f6:d1:0c:46:2e:c8:e0:c9:30:26:d5:2c:
    7f:c1:08:bf:cc:5a:82:8e:d4:d4:49:aa:a2:fa:e6:
    c1:9d:f0:d9:96:b0:ff:0c:5b:33:8e:06:dd:9d:28:
    a9:e9:80:41:3b:d8:7a:94:21:8f:56:f1:a2:b4:2b:
    89:1c:74:ff:7e:91:dc:1f:91:13:98:af:c7:06:d2:
    4c:90:a2:bd:da:16:ba:65:b0:2d:68:87:3c:6e:25:
    8d:90:c7:bc:0d:a9:43:03:c9:be:cf:85:6f:db:07:
    7b:8c:f8:b1:c2:49:10:69:63:56:37:c5:30:d2:fb:
    71:9a:e8:82:07:2e:3e:95:50:f3:73:cf:34:5b:d5:
    ab:02:15:f2:cc:d7:52:c5:28:d8:41:19:55:6f:b8:
    5f:f1:99:b3:c7:d9:b3:71:f4:2d:df:22:59:35:86:
    db:39:ca:1b:4d:35:90:19:6b:31:e3:c8:c6:09:bf:
    7c:ed:01:b4:b2:f5:6e:da:63:41:3c:e6:3a:72:2d:
    65:48:f6:07:cd:92:84:8b:1d:a7:31:6b:d6:f0:fb:
    d9:f4
writing DSA key
-----BEGIN PUBLIC KEY-----
MIIDOzCCAi4GByqGSM44BAEwggIhAoIBAQDMjsmg1ZonHNpS38fA5gakPopmSdBZ
M1FpxJxeZIXH8avV2WKs/aHgG1f/lu8Mn8hEh+tckdBGQglQaiPLiW9V6WoRqagy
qzMNUbV5UbSroiURjeUkvtjxnU4Sb6xEVICptIFoTkQOuDnzvoMIdKLGetdqfQqI
V4NI3M9eb+5oDPf/AwSQqvcHmPhnWoMjZkdgw0NuA5GsKGbL8NMFyAmXta4BXoA7
nU/ePpT+y4KwsfyRix2K7sYGHzeRSNL4bF1gE4OngazKjdBqBArqPiJOE/ENu2Br
zbxch6NnK0Khn805WL5VsZOEzrIQTuTDn7JTYQEpqpbLIGBCHbp1S2PBAhUA56U5
1Go3XpUGOQd3CuugA+t4gpsCggEBAJrUTHEv7PoysoB+YUprXxh2Q8NpukHHpx15
AeyvNIdnTymAqDuH9uih6M0bHIY49tEMRi7I4MkwJtUsf8EIv8xago7U1Emqovrm
wZ3w2Zaw/wxbM44G3Z0oqemAQTvYepQhj1bxorQriRx0/36R3B+RE5ivxwbSTJCi
vdoWumWwLWiHPG4ljZDHvA2pQwPJvs+Fb9sHe4z4scJJEGljVjfFMNL7cZroggcu
PpVQ83PPNFvVqwIV8szXUsUo2EEZVW+4X/GZs8fZs3H0Ld8iWTWG2znKG001kBlr
MePIxgm/fO0BtLL1btpjQTzmOnItZUj2B82ShIsdpzFr1vD72fQDggEFAAKCAQBm
S7u3yUiVDVqmLaF/3x9nbe1SSxZsF8au+GrEV+0vs/AqVau6yuoX6DV85TENSpX8
Q2+XPFxnrL5nf+lOqkizkqF2deoENH+HMy0ktimX4wR3k4kT2xuTuCyQGgk7JtlZ
8yoJWNysJbSpRTuiOmxhhL9o1OqbxSlIYBUQNSxEHbWa7qzBaOhHt0E0OZr4pSDp
JMQsWD9MQTA6FG6N6q26m0PTmC+D2BRn6PjVT6zgO7+nVBZeSWQmVKRraXy6ioPZ
LmUKoifvmZkI17WfoAHvfhe/g2su3cA5OCNotHZr5cr3fO7AUuLdrVk6QgZFsMfB
dwWyDDJARqraeXcEcd96
-----END PUBLIC KEY-----

Am I missing something or is this supposed to work ?

Share

Re: DsaPublicKeyDecode fails with test public key

Hi tisj,

Thanks for brining this up.  We'll look into it.

On a side note, is there a reason why you are using DSA instead of RSA or ECC?  Although wolfCrypt supports DSA, CyaSSL doesn't use it in SSL/TLS so it doesn't get tested as frequently.

Thanks,
Chris

Re: DsaPublicKeyDecode fails with test public key

Hi Chris,

Thanks for your reply. I'm trying to port a company application to sign/verify license files from OpenSSL to an alternate embedded SSL implementation (mostly size related). For some reason a DSA public/private key was chosen over an RSA pair. I'll not be needing/using DSA for TLS purposes.

Nice to see the many examples in these test applications. Since I'm a very novice user of cyassl I just wanted to verify whether I wasn't forgetting the obvious.

Cheers,
tisj

Share