Stephen Paul Weber | 30 Mar 2010 22:20

Question about verifying signatures


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I'm reading RFC4880 in an attempt to produce an implementation of a subset
of OpenPGP (RSA signatures) using <http://phpseclib.sourceforge.net/>.  I
have the publickey and compression-literal-signature packets parsed out.  I
can extract n and e and feed them to Crypt_RSA to construct a verifier.  I
tell it I'm using sha256.  It then needs a "message" and a "signature"
parametre.  I get the signature data out of the signature packet no problem.
The question I have is: what is "message"?  According to section 5.2.4 it's
some combination of the literal data packet(s?) (their bodies or the whole
packet?) and the "hashed" subpackets.  Do I just concat all the data packets
and the hashed packets together in the order they appear?

Thanks.

- -- 
Stephen Paul Weber,  <at> singpolyma
Please see <http://singpolyma.net> for how I prefer to be contacted.
edition right joseph
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)


Wim Lewis | 31 Mar 2010 00:18

Re: Question about verifying signatures


On Tue, 30 Mar 2010, Stephen Paul Weber wrote:
> The question I have is: what is "message"?  According to section 5.2.4 it's
> some combination of the literal data packet(s?) (their bodies or the whole
> packet?) and the "hashed" subpackets.  Do I just concat all the data packets
> and the hashed packets together in the order they appear?

Section [5.2.4] says:
> For binary document signatures (type 0x00), the document data is
> hashed directly.  For text document signatures (type 0x01), the
> document is canonicalized by converting line endings to <CR><LF>,
> and the resulting data is hashed.

I agree that paragraph isn't completely unambiguous. IIRC, the data passed 
to the SHA1/MD5/whatever algorithm is the bare document contents (possibly 
with EOL canonicalization as described above), concatenated with some 
"trailer" bytes which depend on the version number of the signature, but 
are a copy of part of the signature subpacket itself plus perhaps a length 
field and so on (see the last three paragraphs of [5.2.4]).

(The encrypted-data packet, by contrast, does contain a sequence of 
OpenPGP packets.)

Stephen Paul Weber | 31 Mar 2010 03:46

Re: Question about verifying signatures


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Somebody claiming to be Wim Lewis wrote:
> I agree that paragraph isn't completely unambiguous. IIRC, the data
> passed to the SHA1/MD5/whatever algorithm is the bare document
> contents (possibly with EOL canonicalization as described above),
> concatenated with some "trailer" bytes which depend on the version
> number of the signature, but are a copy of part of the signature
> subpacket itself plus perhaps a length field and so on (see the last
> three paragraphs of [5.2.4]).

So, I'm concatenating:

* The literal contents of any literal data packet(s).
* The literal bytes of the signature packet up to and including the "hashed"
  subpackets
* 0x04
* 0xFF
* The length of the second thing in this list

As the "message" to hash?  I'm going to try that.

- -- 
Stephen Paul Weber,  <at> singpolyma
Please see <http://singpolyma.net> for how I prefer to be contacted.
edition right joseph
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

David Shaw | 31 Mar 2010 03:53

Re: Question about verifying signatures


On Mar 30, 2010, at 4:20 PM, Stephen Paul Weber wrote:

> I'm reading RFC4880 in an attempt to produce an implementation of a subset
> of OpenPGP (RSA signatures) using <http://phpseclib.sourceforge.net/>.  I
> have the publickey and compression-literal-signature packets parsed out.  I
> can extract n and e and feed them to Crypt_RSA to construct a verifier.  I
> tell it I'm using sha256.  It then needs a "message" and a "signature"
> parametre.  I get the signature data out of the signature packet no problem.
> The question I have is: what is "message"?  According to section 5.2.4 it's
> some combination of the literal data packet(s?) (their bodies or the whole
> packet?) and the "hashed" subpackets.  Do I just concat all the data packets
> and the hashed packets together in the order they appear?

Basically, yes.

To paraphrase 5.2.4, and assuming we're talking about V4 signatures, you take all the data (just the
uncompressed literal packet body - not including the literal packet header), and follow that with the
signature version (1 byte), the signature type (1 byte), the public-key algorithm (1 byte), the hash
algorithm (1 byte), the hashed subpacket length (2 bytes, big endian), and the hashed subpacket body
(however many bytes).  Note that these are the first n bytes of your signature packet.  Then you hash the
trailer: 0x04, 0xFF, and a four byte big-endian number which is the number of bytes you hashed from the
signature (i.e. 6 bytes, plus the number of subpacket bytes).

Note that the data (literal packet contents) might be tagged as binary (0x00) or text (0x01) (the tag is in
the literal packet header).  They are the same, except that text has its line endings canonicalized to CRLF.

David
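
Added example (not part of the original thread and not any poster's code): a Python sketch of the V4 hash input described above, for document signatures of type 0x00 and 0x01 only. It also compares the digest against the "left 16 bits of the signed hash value" field that RFC 4880 section 5.2.3 places after the unhashed subpackets, which is a quick way to tell a wrong hash input from a wrong RSA step; the sample packet, its timestamp and the helper names are constructed for illustration, and the RSA verification itself is not shown.

```python
import hashlib
import struct

HASHES = {2: hashlib.sha1, 8: hashlib.sha256}  # hash algorithm IDs, RFC 4880 sec. 9.4


def canonicalize_text(data: bytes) -> bytes:
    """Convert every line ending (CRLF, bare CR, bare LF) to CRLF."""
    unified = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return b"\r\n".join(unified.split(b"\n"))


def v4_hash_input(document: bytes, sig_body: bytes) -> bytes:
    """Bytes fed to the hash: document, start of signature packet body, trailer."""
    if len(sig_body) < 6 or sig_body[0] != 4:
        raise ValueError("not a V4 signature packet body")
    if sig_body[1] not in (0x00, 0x01):
        raise ValueError("only binary/text document signatures handled here")
    (hashed_len,) = struct.unpack(">H", sig_body[4:6])
    hashed_part = sig_body[:6 + hashed_len]  # version .. end of hashed subpackets
    if len(hashed_part) != 6 + hashed_len:
        raise ValueError("truncated hashed subpacket area")
    if sig_body[1] == 0x01:  # text signature: hash the CRLF-canonical form
        document = canonicalize_text(document)
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed_part))
    return document + hashed_part + trailer


def digest_and_quick_check(document: bytes, sig_body: bytes):
    """Return (digest, ok); ok means digest[:2] equals the packet's 16-bit field."""
    digest = HASHES[sig_body[3]](v4_hash_input(document, sig_body)).digest()
    (hashed_len,) = struct.unpack(">H", sig_body[4:6])
    pos = 6 + hashed_len
    (unhashed_len,) = struct.unpack(">H", sig_body[pos:pos + 2])
    pos += 2 + unhashed_len  # skip the unhashed subpackets
    return digest, digest[:2] == sig_body[pos:pos + 2]


def make_sample(document: bytes, sig_type: int = 0x00) -> bytes:
    """Constructed packet body: RSA (1), SHA256 (8), one creation-time subpacket."""
    hashed = b"\x05\x02" + struct.pack(">I", 1269987600)  # constructed timestamp
    head = bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
    digest = hashlib.sha256(v4_hash_input(document, head)).digest()
    return head + b"\x00\x00" + digest[:2]  # empty unhashed area; MPI omitted
```
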


Stephen Paul Weber | 31 Mar 2010 16:57

Re: Question about verifying signatures


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Somebody claiming to be David Shaw wrote:
> To paraphrase 5.2.4, and assuming we're talking about V4 signatures, you take all the data (just the
> uncompressed literal packet body - not including the literal packet header), and follow that with the
> signature version (1 byte), the signature type (1 byte), the public-key algorithm (1 byte), the hash
> algorithm (1 byte), the hashed subpacket length (2 bytes, big endian), and the hashed subpacket body
> (however many bytes).  Note that these are the first n bytes of your signature packet.  Then you hash the
> trailer: 0x04, 0xFF, and a four byte big-endian number which is the number of bytes you hashed from the
> signature (i.e. 6 bytes, plus the number of subpacket bytes).

I've finally got one to work.  The "message" that the signature is over
seems to be the concatenation of the literal data in the literal packet (not
header or filename or timestamp) with the bits in your message, in that
order.

Thanks for all the help!

- -- 
Stephen Paul Weber,  <at> singpolyma
Please see <http://singpolyma.net> for how I prefer to be contacted.
edition right joseph
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)


