Andrew Zaborowski <balr...@googlemail.com> wrote: > Without overhauling akcipher you could modify pkcs1pad so that sign > takes the hash as input, adds the DER struct in front of it to build > the signature, and the verify operation could at most check that the > DER string matches the hash type and return the hash. But I think > RFC2437 suggests that you rather compare the signatures, not the > hashes.
Whilst that is true about what RFC2437 shows, I wonder how strict it wants to be about that rather than it just being a convenient way of describing the algorithm. The advantage of doing it the way the RFC suggests is that you get to use the EMSA-PKCS1-V1_5-ENCODE operation twice, thereby saving code and only having one place for bugs to occur instead of two - but you can argue this either way. That said, I would be okay with it returning just the message hash with the padding stripped off, providing the padding is validated in the crypto layer, if that's necessary. David -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
