RSA PKCS#1 signing: differs from OpenSSL's?
libgcrypt 1.2.2's gcry_pk_sign appears to fail an equivalence test
with OpenSSL 0.9.6m's RSA_sign(3).

This is based on the output of
<http://scarff.id.au/file/gcrypt_vs_openssl.c>, which runs without
aborting and demonstrates that the signatures produced are different.
Is this correct libgcrypt behaviour? I'd have filed a bug but I'm
unsure if I've just misinterpreted the API.

My understanding is that both routines should be doing the same thing:
adding PKCS#1 block 1 padding including the ASN1DER for MD5, then
using the secret key operation to sign the result. They should
therefore have equivalent output. I'm also confident that RSA_sign(3)
is correct.

--
Dean


_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
Re: RSA PKCS#1 signing: differs from OpenSSL's?
On Wed, 5 Dec 2007 09:07, dos@scarff.id.au said:

> <http://scarff.id.au/file/gcrypt_vs_openssl.c>, which runs without
> aborting and demonstrates that the signatures produced are different.
> Is this correct libgcrypt behaviour? I'd have filed a bug but I'm
> unsure if I've just misinterpreted the API.

Yes, this is correct. Libgcrypt expects that P < Q, whereas OpenSSL
expects Q < P. Here is code to convert this.

  /* check that p is less than q */
  if (gcry_mpi_cmp (skey->p, skey->q) > 0)
    {
      gcry_mpi_t tmp;

      log_info ("swapping secret primes\n");
      tmp = gcry_mpi_copy (skey->p);
      gcry_mpi_set (skey->p, skey->q);
      gcry_mpi_set (skey->q, tmp);
      gcry_mpi_release (tmp);
      /* and must recompute u of course */
      gcry_mpi_invm (skey->u, skey->p, skey->q);
    }

The important thing here is to recompute U because u = p^{-1} mod q.

I have an item on my todo list to allow for native OpenSSL parameters in
Libgcrypt but this has not yet been done.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.


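Added example (not part of the original thread, and not libgcrypt or OpenSSL code): a toy Python model of the conversion in the message above, using constructed primes 61 and 53. It shows that swapping p and q while keeping the old u gives a wrong CRT signature, while recomputing u = p^{-1} mod q matches m^d mod n. The function names and the Garner-style recombination are assumptions of this sketch.

```python
# Toy-sized, constructed numbers; illustration only, not library code.

def crt_sign(m, d, p, q, u):
    """RSA secret-key operation via CRT, assuming u = p^-1 mod q."""
    m1 = pow(m, d % (p - 1), p)      # signature mod p
    m2 = pow(m, d % (q - 1), q)      # signature mod q
    h = (u * (m2 - m1)) % q          # Garner recombination step
    return m1 + h * p

def normalize(p, q, u, recompute_u=True):
    """Hypothetical helper mirroring the thread's fix: make p < q, refresh u."""
    if p > q:
        p, q = q, p
        if recompute_u:
            u = pow(p, -1, q)        # u must match the new ordering
    return p, q, u

def demo():
    p, q, e = 61, 53, 17             # constructed key with p > q
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    u = pow(p, -1, q)                # valid only for the original ordering
    m = 65                           # stands in for the padded digest block
    reference = pow(m, d, n)         # plain secret-key operation, no CRT
    good = crt_sign(m, d, *normalize(p, q, u))
    bad = crt_sign(m, d, *normalize(p, q, u, recompute_u=False))
    return reference, good, bad, pow(good, e, n), pow(bad, e, n)

if __name__ == "__main__":
    ref, good, bad, chk_good, chk_bad = demo()
    print("reference:", ref)
    print("swap + recomputed u:", good, "verifies:", chk_good == 65)
    print("swap + stale u:     ", bad, "verifies:", chk_bad == 65)
```

The stale-u result still has the correct residue mod the smaller prime and is wrong only mod the other one, so checking every signature against the public key before releasing it catches this class of error.
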
Re: RSA PKCS#1 signing: differs from OpenSSL's?
On Wed, 05 Dec 2007 16:21:09 +0100, Werner Koch said:
> Yes, this is correct. Libgcrypt expects that P < Q, whereas OpenSSL
> expects Q < P. Here is code to convert this.
[snip]
> The important thing here is to recompute U because u = p^{-1} mod q.

Aha. I saw that the primes had been reversed but I missed this.

Thanks.

--
Dean


Re: RSA PKCS#1 signing: differs from OpenSSL's?
Dean Scarff <dos@scarff.id.au> writes:

> On Wed, 05 Dec 2007 16:21:09 +0100, Werner Koch said:
>> Yes, this is correct. Libgcrypt expects that P < Q, whereas OpenSSL
>> expects Q < P. Here is code to convert this.
> [snip]
>> The important thing here is to recompute U because u = p^{-1} mod q.
>
> Aha. I saw that the primes had been reversed but I missed this.

I had the same experience when porting libssh2 from OpenSSL to
libgcrypt, and this caused quite some confusion and a long debugging
session.

Is there a normal standard for this in the literature? I'm too tired to
look it up..

PKCS#1 calls the first prime P and the second one Q, and uses
coeff=p^{-1} mod q, which would suggest that libgcrypt got this
backwards.

/Simon

Re: RSA PKCS#1 signing: differs from OpenSSL's?
On Wed, 5 Dec 2007 21:50, simon@josefsson.org said:

> I had the same experience when porting libssh2 from OpenSSL to
> libgcrypt, and this caused quite some confusion and a long debugging
> session.

Frankly, I had the same problem several times. I added a note to the
Libgcrypt manual which might help us in the future.

> PKCS#1 calls the first prime P and the second one Q, and uses
> coeff=p^{-1} mod q, which would suggest that libgcrypt got this
> backwards.

Libgcrypt stems from gpg and this implements OpenPGP. OpenPGP defines

- MPI of RSA secret prime value p.
- MPI of RSA secret prime value q (p < q).
- MPI of u, the multiplicative inverse of p, mod q.

Thus Libgcrypt uses this definition.


Shalom-Salam,

Werner



--
Thoughts are free. Exceptions are regulated by a federal law.

