Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: GnuPG: gcrypt

LibGcrypt verify Help required

 

 

GnuPG gcrypt RSS feed   Index | Next | Previous | View Threaded


presannar at ami

Feb 19, 2008, 6:50 PM

Post #1 of 7 (2466 views)
Permalink
LibGcrypt verify Help required

Hi,
I am developing an App that needs to verify the signature of a file signed by gpg. I am unable to use gpg in the EFI environment. I have converted the public key, signature from the armored format to the s-expression by extracting the MPI values and building the sexpression from them. The problem is that I am unable to verify the data.
I am able to build the public key and signature s-expression without any problems. The statement I use is for public key and signature is
rc = gcry_sexp_create(&pkey, buffer, inputFileLength, 1, free); (replace pkey with sign for signature.) the buffer contains the
I am using the following statement to build the sexpression of the data
rc = gcry_sexp_build(&data, NULL, "(data (flags raw no-blinding) (value %s))", buffer);
where the data is provided as the buffer. Can someone help as to where I am going wrong? Is the syntax correct for converting data into sexpression?

Pl. Help.

With Regards,

Presanna Raman.


agl at imperialviolet

Feb 19, 2008, 8:42 PM

Post #2 of 7 (2369 views)
Permalink
Re: LibGcrypt verify Help required [In reply to]

On Feb 19, 2008 6:50 PM, Presanna Raman <presannar [at] ami> wrote:
> I am developing an App that needs to verify the signature of a file
> signed by gpg. I am unable to use gpg in the EFI environment. I have
> converted the public key, signature from the armored format to the
> s-expression by extracting the MPI values and building the sexpression from
> them. The problem is that I am unable to verify the data.

I could be wrong, but I'm pretty sure that gpg signature will have
rather more encoding. Unless gpg is really in some sort of 'really
raw' mode, it should be following the OpenPGP spec[1]. Possibly
opencdk is the library that you want for this.

[1] http://www.faqs.org/rfcs/rfc2440.html

AGL

--
Adam Langley agl [at] imperialviolet http://www.imperialviolet.org

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel


agl at imperialviolet

Feb 19, 2008, 8:46 PM

Post #3 of 7 (2388 views)
Permalink
Re: LibGcrypt verify Help required [In reply to]

On Feb 19, 2008 8:42 PM, Adam Langley <agl [at] imperialviolet> wrote:
> Possibly opencdk is the library that you want for this.

Oh, and please note that opencdk appears to be *GPL* licensed, not
LGPL. That may affect your plans.


AGL

--
Adam Langley agl [at] imperialviolet http://www.imperialviolet.org

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel


simon at josefsson

Feb 20, 2008, 2:25 AM

Post #4 of 7 (2386 views)
Permalink
Re: LibGcrypt verify Help required [In reply to]

"Adam Langley" <agl [at] imperialviolet> writes:

> On Feb 19, 2008 8:42 PM, Adam Langley <agl [at] imperialviolet> wrote:
>> Possibly opencdk is the library that you want for this.
>
> Oh, and please note that opencdk appears to be *GPL* licensed, not
> LGPL. That may affect your plans.

FYI, there is a minimal version of opencdk which is licensed under LGPL,
it is included in gnutls. Probably it should be released on its own,
but we don't know what to do with the GPL'd larger opencdk in that case.
Maybe the lgpl version should be renamed. On the other hand, I'm not
sure if any non-gnutls applications needs anything from the full opencdk
that isn't in the lgpl opencdk.

However, I would also recommend looking at GPGME.

/Simon

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel


presannar at ami

Feb 20, 2008, 2:57 PM

Post #5 of 7 (2361 views)
Permalink
RE: LibGcrypt verify Help required [In reply to]

Thankx Adam for the suggestion. Unfortunately, I will have to use G-Crypt lib. I did look at how openCdk verifies a signature. It is the same that I have followed. I have a detached Armored Signature, the Armored Public Key and the binary file which was used to generate the detached signature. On going thru the RFC 4880 I gather that the 2 mpi's part of the signature packet contain the hashed data. I use this to construct the sexpression equivalent for the signature. Similarly, I use the 4 mpi's of the public key to construct the public key s-expression. What I am not sure is how do I generate the sexpression of the data? Should I encode the data using some hashing algorithm and then generate the sexpression for verification? Or am I missing something. The RFC specifies that the preferred encoding in OpenPGP is PKCS#1. But using PKCS1 as the flag in constructing the sexpression I get back Error status GPG_ERR_CONFLICT. Any help will be appreciated.

On a side Note, In the function gcry_mpi_set_opaque() the a->sign is set as nbit with no check made to make sure if the value is signed. Is this correct?

With Regards,

Presanna Raman.

> -----Original Message-----
> From: alangley [at] gmail [SMTP:alangley [at] gmail] On Behalf Of Adam Langley
> Sent: Tuesday, February 19, 2008 11:46 PM
> To: Presanna Raman
> Cc: gcrypt-devel [at] gnupg
> Subject: Re: LibGcrypt verify Help required
>
> On Feb 19, 2008 8:42 PM, Adam Langley <agl [at] imperialviolet> wrote:
> > Possibly opencdk is the library that you want for this.
>
> Oh, and please note that opencdk appears to be *GPL* licensed, not
> LGPL. That may affect your plans.
>
>
> AGL
>
> --
> Adam Langley agl [at] imperialviolet http://www.imperialviolet.org


presannar at ami

Feb 20, 2008, 3:07 PM

Post #6 of 7 (2366 views)
Permalink
RE: LibGcrypt verify Help required [In reply to]

NM Regarding the gcry_mpi_set_opaque. I stand corrected.

> -----Original Message-----
> From: Presanna Raman
> Sent: Wednesday, February 20, 2008 5:58 PM
> To: gcrypt-devel [at] gnupg; 'Adam Langley'
> Subject: RE: LibGcrypt verify Help required
>
> Thankx Adam for the suggestion. Unfortunately, I will have to use G-Crypt lib. I did look at how openCdk verifies a signature. It is the same that I have followed. I have a detached Armored Signature, the Armored Public Key and the binary file which was used to generate the detached signature. On going thru the RFC 4880 I gather that the 2 mpi's part of the signature packet contain the hashed data. I use this to construct the sexpression equivalent for the signature. Similarly, I use the 4 mpi's of the public key to construct the public key s-expression. What I am not sure is how do I generate the sexpression of the data? Should I encode the data using some hashing algorithm and then generate the sexpression for verification? Or am I missing something. The RFC specifies that the preferred encoding in OpenPGP is PKCS#1. But using PKCS1 as the flag in constructing the sexpression I get back Error status GPG_ERR_CONFLICT. Any help will be appreciated.
>
> On a side Note, In the function gcry_mpi_set_opaque() the a->sign is set as nbit with no check made to make sure if the value is signed. Is this correct?
>
> With Regards,
>
> Presanna Raman.
>
> -----Original Message-----
> From: alangley [at] gmail [SMTP:alangley [at] gmail] On Behalf Of Adam Langley
> Sent: Tuesday, February 19, 2008 11:46 PM
> To: Presanna Raman
> Cc: gcrypt-devel [at] gnupg
> Subject: Re: LibGcrypt verify Help required
>
> On Feb 19, 2008 8:42 PM, Adam Langley <agl [at] imperialviolet> wrote:
> > Possibly opencdk is the library that you want for this.
>
> Oh, and please note that opencdk appears to be *GPL* licensed, not
> LGPL. That may affect your plans.
>
>
> AGL
>
> --
> Adam Langley agl [at] imperialviolet http://www.imperialviolet.org


presannar at ami

Feb 20, 2008, 4:15 PM

Post #7 of 7 (2365 views)
Permalink
RE: LibGcrypt verify Help required [In reply to]

On reading up further and analyzing the code, I came across the following. The description for the sexp_data_to_mpi function says that "Either the VALUE or the HASH element must be present for use with signatures. VALUE is used for encryption."
(data
[(flags [pkcs1])]
[(hash <algo> <value>)]
[(value <text>)]
)

So am I correct to assume that inorder to verify a binary file I first need to calculate the Hash value for that file and replace <value> in the above expression and not provide the binary file as is. So my S-expression for the data will be something like "(data (flags pkcs1(hash rmd160 <binary file hash value>)))". If I need to verify the signature of text file I provide it as the <text>? Is this a right assumption?

With Regards,

Presanna Raman.

> -----Original Message-----
> From: Presanna Raman
> Sent: Wednesday, February 20, 2008 5:58 PM
> To: gcrypt-devel [at] gnupg; 'Adam Langley'
> Subject: RE: LibGcrypt verify Help required
>
> Thankx Adam for the suggestion. Unfortunately, I will have to use G-Crypt lib. I did look at how openCdk verifies a signature. It is the same that I have followed. I have a detached Armored Signature, the Armored Public Key and the binary file which was used to generate the detached signature. On going thru the RFC 4880 I gather that the 2 mpi's part of the signature packet contain the hashed data. I use this to construct the sexpression equivalent for the signature. Similarly, I use the 4 mpi's of the public key to construct the public key s-expression. What I am not sure is how do I generate the sexpression of the data? Should I encode the data using some hashing algorithm and then generate the sexpression for verification? Or am I missing something. The RFC specifies that the preferred encoding in OpenPGP is PKCS#1. But using PKCS1 as the flag in constructing the sexpression I get back Error status GPG_ERR_CONFLICT. Any help will be appreciated.
>
> On a side Note, In the function gcry_mpi_set_opaque() the a->sign is set as nbit with no check made to make sure if the value is signed. Is this correct?
>
> With Regards,
>
> Presanna Raman.
>
> -----Original Message-----
> From: alangley [at] gmail [SMTP:alangley [at] gmail] On Behalf Of Adam Langley
> Sent: Tuesday, February 19, 2008 11:46 PM
> To: Presanna Raman
> Cc: gcrypt-devel [at] gnupg
> Subject: Re: LibGcrypt verify Help required
>
> On Feb 19, 2008 8:42 PM, Adam Langley <agl [at] imperialviolet> wrote:
> > Possibly opencdk is the library that you want for this.
>
> Oh, and please note that opencdk appears to be *GPL* licensed, not
> LGPL. That may affect your plans.
>
>
> AGL
>
> --
> Adam Langley agl [at] imperialviolet http://www.imperialviolet.org

GnuPG gcrypt RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.