Mailing List Archive

On Feb 19, 2008 6:50 PM, Presanna Raman <presannar@ami.com> wrote:
> I am developing an App that needs to verify the signature of a file
> signed by gpg. I am unable to use gpg in the EFI environment. I have
> converted the public key, signature from the armored format to the
> s-expression by extracting the MPI values and building the sexpression from
> them. The problem is that I am unable to verify the data.

I could be wrong, but I'm pretty sure that gpg signature will have
rather more encoding. Unless gpg is really in some sort of 'really
raw' mode, it should be following the OpenPGP spec[1]. Possibly
opencdk is the library that you want for this.

[1] http://www.faqs.org/rfcs/rfc2440.html

AGL

--
Adam Langley agl@imperialviolet.org http://www.imperialviolet.org

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel

On Feb 19, 2008 8:42 PM, Adam Langley <agl@imperialviolet.org> wrote:
> Possibly opencdk is the library that you want for this.

Oh, and please note that opencdk appears to be *GPL* licensed, not
LGPL. That may affect your plans.


AGL

--
Adam Langley agl@imperialviolet.org http://www.imperialviolet.org

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel

"Adam Langley" <agl@imperialviolet.org> writes:

> On Feb 19, 2008 8:42 PM, Adam Langley <agl@imperialviolet.org> wrote:
>> Possibly opencdk is the library that you want for this.
>
> Oh, and please note that opencdk appears to be *GPL* licensed, not
> LGPL. That may affect your plans.

FYI, there is a minimal version of opencdk which is licensed under LGPL,
it is included in gnutls. Probably it should be released on its own,
but we don't know what to do with the GPL'd larger opencdk in that case.
Maybe the lgpl version should be renamed. On the other hand, I'm not
sure if any non-gnutls applications needs anything from the full opencdk
that isn't in the lgpl opencdk.

However, I would also recommend looking at GPGME.

/Simon

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel

Thankx Adam for the suggestion. Unfortunately, I will have to use G-Crypt lib. I did look at how openCdk verifies a signature. It is the same that I have followed. I have a detached Armored Signature, the Armored Public Key and the binary file which was used to generate the detached signature. On going thru the RFC 4880 I gather that the 2 mpi's part of the signature packet contain the hashed data. I use this to construct the sexpression equivalent for the signature. Similarly, I use the 4 mpi's of the public key to construct the public key s-expression. What I am not sure is how do I generate the sexpression of the data? Should I encode the data using some hashing algorithm and then generate the sexpression for verification? Or am I missing something. The RFC specifies that the preferred encoding in OpenPGP is PKCS#1. But using PKCS1 as the flag in constructing the sexpression I get back Error status GPG_ERR_CONFLICT. Any help will be appreciated.

On a side Note, In the function gcry_mpi_set_opaque() the a->sign is set as nbit with no check made to make sure if the value is signed. Is this correct?

With Regards,

Presanna Raman.

> -----Original Message-----
> From: alangley@gmail.com [SMTP:alangley@gmail.com] On Behalf Of Adam Langley
> Sent: Tuesday, February 19, 2008 11:46 PM
> To: Presanna Raman
> Cc: gcrypt-devel@gnupg.org
> Subject: Re: LibGcrypt verify Help required
>
> On Feb 19, 2008 8:42 PM, Adam Langley <agl@imperialviolet.org> wrote:
> > Possibly opencdk is the library that you want for this.
>
> Oh, and please note that opencdk appears to be *GPL* licensed, not
> LGPL. That may affect your plans.
>
>
> AGL
>
> --
> Adam Langley agl@imperialviolet.org http://www.imperialviolet.org

NM Regarding the gcry_mpi_set_opaque. I stand corrected.

> -----Original Message-----
> From: Presanna Raman
> Sent: Wednesday, February 20, 2008 5:58 PM
> To: gcrypt-devel@gnupg.org; 'Adam Langley'
> Subject: RE: LibGcrypt verify Help required
>
> Thankx Adam for the suggestion. Unfortunately, I will have to use G-Crypt lib. I did look at how openCdk verifies a signature. It is the same that I have followed. I have a detached Armored Signature, the Armored Public Key and the binary file which was used to generate the detached signature. On going thru the RFC 4880 I gather that the 2 mpi's part of the signature packet contain the hashed data. I use this to construct the sexpression equivalent for the signature. Similarly, I use the 4 mpi's of the public key to construct the public key s-expression. What I am not sure is how do I generate the sexpression of the data? Should I encode the data using some hashing algorithm and then generate the sexpression for verification? Or am I missing something. The RFC specifies that the preferred encoding in OpenPGP is PKCS#1. But using PKCS1 as the flag in constructing the sexpression I get back Error status GPG_ERR_CONFLICT. Any help will be appreciated.
>
> On a side Note, In the function gcry_mpi_set_opaque() the a->sign is set as nbit with no check made to make sure if the value is signed. Is this correct?
>
> With Regards,
>
> Presanna Raman.
>
> -----Original Message-----
> From: alangley@gmail.com [SMTP:alangley@gmail.com] On Behalf Of Adam Langley
> Sent: Tuesday, February 19, 2008 11:46 PM
> To: Presanna Raman
> Cc: gcrypt-devel@gnupg.org
> Subject: Re: LibGcrypt verify Help required
>
> On Feb 19, 2008 8:42 PM, Adam Langley <agl@imperialviolet.org> wrote:
> > Possibly opencdk is the library that you want for this.
>
> Oh, and please note that opencdk appears to be *GPL* licensed, not
> LGPL. That may affect your plans.
>
>
> AGL
>
> --
> Adam Langley agl@imperialviolet.org http://www.imperialviolet.org

On reading up further and analyzing the code, I came across the following. The description for the sexp_data_to_mpi function says that "Either the VALUE or the HASH element must be present for use with signatures. VALUE is used for encryption."
(data
[(flags [pkcs1])]
[(hash <algo> <value>)]
[(value <text>)]
)

So am I correct to assume that inorder to verify a binary file I first need to calculate the Hash value for that file and replace <value> in the above expression and not provide the binary file as is. So my S-expression for the data will be something like "(data (flags pkcs1(hash rmd160 <binary file hash value>)))". If I need to verify the signature of text file I provide it as the <text>? Is this a right assumption?

With Regards,

Presanna Raman.

> -----Original Message-----
> From: Presanna Raman
> Sent: Wednesday, February 20, 2008 5:58 PM
> To: gcrypt-devel@gnupg.org; 'Adam Langley'
> Subject: RE: LibGcrypt verify Help required
>
> Thankx Adam for the suggestion. Unfortunately, I will have to use G-Crypt lib. I did look at how openCdk verifies a signature. It is the same that I have followed. I have a detached Armored Signature, the Armored Public Key and the binary file which was used to generate the detached signature. On going thru the RFC 4880 I gather that the 2 mpi's part of the signature packet contain the hashed data. I use this to construct the sexpression equivalent for the signature. Similarly, I use the 4 mpi's of the public key to construct the public key s-expression. What I am not sure is how do I generate the sexpression of the data? Should I encode the data using some hashing algorithm and then generate the sexpression for verification? Or am I missing something. The RFC specifies that the preferred encoding in OpenPGP is PKCS#1. But using PKCS1 as the flag in constructing the sexpression I get back Error status GPG_ERR_CONFLICT. Any help will be appreciated.
>
> On a side Note, In the function gcry_mpi_set_opaque() the a->sign is set as nbit with no check made to make sure if the value is signed. Is this correct?
>
> With Regards,
>
> Presanna Raman.
>
> -----Original Message-----
> From: alangley@gmail.com [SMTP:alangley@gmail.com] On Behalf Of Adam Langley
> Sent: Tuesday, February 19, 2008 11:46 PM
> To: Presanna Raman
> Cc: gcrypt-devel@gnupg.org
> Subject: Re: LibGcrypt verify Help required
>
> On Feb 19, 2008 8:42 PM, Adam Langley <agl@imperialviolet.org> wrote:
> > Possibly opencdk is the library that you want for this.
>
> Oh, and please note that opencdk appears to be *GPL* licensed, not
> LGPL. That may affect your plans.
>
>
> AGL
>
> --
> Adam Langley agl@imperialviolet.org http://www.imperialviolet.org