On Mon, Apr 9, 2012 at 10:57 PM, Niels Möller nisse@lysator.liu.se wrote:
>> What about the rsa_compute_root? This is the only function I can use from nettle for RSA signatures.
> I wasn't aware of that. That's an argument for an rsa_compute_root_tr (or alternatively, public rsa_blind and rsa_unblind helpers). Can you explain briefly what special signatures are used by tls? (It was more than 10 years since I wrote an implementation, then it was ssl version 3).
Out of memory, TLS 1.0 uses a concatenation of md5 and sha1. I don't think, however, that this mode should be added in nettle. It would complicate the API for no real reason (if a generic pkcs1 1.5 signing function is available).
>> If there was an rsa_pkcs1_sign() and rsa_pkcs1_verify() with similar interface to encrypt/decrypt, I could use those instead.
> Can you propose such an interface? Currently, rsa_md5_sign calls pkcs1_rsa_md5_encode followed by rsa_compute_root. If it's easy for you to use rsa_compute_root in the same way, then I guess there's no need to introduce new low-level primitives, but maybe it could be rearranged in some better way?
I do the pkcs1 1.5 encoding in gnutls, and you also do it in the high level functions in nettle, which I cannot use. It would be nice if we could save some code and reduce error risk by having a common pkcs1 1.5 signing function. I'll try to propose one in the next few days.
> Or, since tls is an important application, it may make sense to directly add tls-style signatures to Nettle.
I don't think it is a good idea. What might be needed at some point later is pkcs 1 2.0 signatures. I've come across some passports signed by certificates using rsa-pss :(
regards, Nikos
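The thread above discusses three things that fit in one picture: a generic PKCS#1 v1.5 signing/verification pair that takes an already-prepared DigestInfo, the TLS 1.0 variant that signs the bare MD5||SHA-1 concatenation with no DigestInfo, and a blinded private-key operation in the spirit of the proposed rsa_compute_root_tr. The following is an added example written for this page; it is not Nettle or GnuTLS code, and the function names (rsa_pkcs1_sign, rsa_pkcs1_verify, rsa_compute_root_tr) only mirror the names proposed in the thread. The key generation, the DigestInfo prefixes (from RFC 8017, section 9.2) and the verify-after-sign fault check are my own choices, not something the thread specifies.

```python
import hashlib
import hmac
import random
from math import gcd

# DER-encoded DigestInfo prefixes (AlgorithmIdentifier + OCTET STRING header),
# as tabulated in RFC 8017 section 9.2, note 1.
DIGEST_INFO_PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def pkcs1_digest_info(hash_name: str, msg: bytes) -> bytes:
    """T = DigestInfo(hash OID, Hash(msg)): the usual input of a PKCS#1 v1.5 signature."""
    return DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, msg).digest()


def tls10_digest(msg: bytes) -> bytes:
    """TLS 1.0 style input: MD5(msg) || SHA1(msg), 36 bytes, no DigestInfo (RFC 2246, 4.7)."""
    return hashlib.md5(msg).digest() + hashlib.sha1(msg).digest()


def emsa_pkcs1_v15_encode(t: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 block type 1: 0x00 || 0x01 || PS (>= 8 x 0xff) || 0x00 || T."""
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin after trial division; adequate for a demo key (not a production keygen)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_key(bits: int = 1024, seed=None):
    """Return ((n, e), (n, d)); seed only makes the demo reproducible."""
    rng, e = random.Random(seed), 65537
    while True:
        p = next(c for c in iter(lambda: rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1, None)
                 if _is_probable_prime(c))
        q = next(c for c in iter(lambda: rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1, None)
                 if _is_probable_prime(c))
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def rsa_compute_root_tr(priv, pub, m: int, rng=None) -> int:
    """Blinded m^d mod n: the private exponentiation never sees the caller's m directly."""
    (n, d), (_, e) = priv, pub
    rng = rng or random.SystemRandom()
    while True:
        r = rng.randrange(2, n - 1)
        if gcd(r, n) == 1:
            break
    s = (pow((m * pow(r, e, n)) % n, d, n) * pow(r, -1, n)) % n  # unblind with r^-1
    if pow(s, e, n) != m:  # added check: never release a faulty private-key result
        raise RuntimeError("private-key operation produced an invalid signature")
    return s


def rsa_pkcs1_sign(priv, pub, t: bytes, rng=None) -> bytes:
    """Generic PKCS#1 v1.5 signing: caller supplies T (DigestInfo, or bare hashes for TLS 1.0)."""
    k = (priv[0].bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_encode(t, k), "big")
    return rsa_compute_root_tr(priv, pub, m, rng).to_bytes(k, "big")


def rsa_pkcs1_verify(pub, t: bytes, sig: bytes) -> bool:
    """Verify by re-encoding T and comparing the whole block; no lenient parsing of padding."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(t, k))


if __name__ == "__main__":
    pub, priv = generate_key(1024, seed=1)
    msg = b"constructed sample message"  # constructed input for the demo
    for label, t in (("sha256 DigestInfo", pkcs1_digest_info("sha256", msg)), ("TLS 1.0 md5+sha1", tls10_digest(msg))):
        print(label, "verifies:", rsa_pkcs1_verify(pub, t, rsa_pkcs1_sign(priv, pub, t)))
```

The point of the layout is the one Nikos argues for: rsa_pkcs1_sign and rsa_pkcs1_verify know nothing about hash algorithms, so the TLS 1.0 concatenation is just another T and needs no special mode in the library. The verifier deliberately rebuilds the expected block and compares it in full instead of parsing the padding, which is the standard way to avoid the lenient-parsing forgeries against PKCS#1 v1.5 verifiers.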