openssl: Incorrect response for RSA Signature Generation 9.31

I’m trying to generate RSA 9.31 signature using OpenSSL 1.1.1. I see a mismatch in the signature generated in some instances when compared against results generated with OpenSSL 1.0.2*. 3-4 out of 10 instances fail to match results when compared to OpenSSL 1.0.2*, remaining of the instances match.

Here is my code and output for OpenSSL 1.1.1d

memcpy(tmpdinfo, hash, md_len);    // hash is the hash of message passed in
tmpdinfo[md_len] = RSA_X931_hash_id(NID_sha1);
RSA_private_encrypt((md_len + 1), tmpdinfo, signature, rsa, RSA_X931_PADDING);

Test input and output:

[mod = 2048]

n = bff722714050aebb23a9bd018c3e9ba26a47f53816eeac7e10543958702d9265c8d67784fe03c07bfceac05e7f2a434971dfa2a5ea461893450ced52fcb3f143a85fb3a9194417ff220258840a3359a104079ccd201afec091bab6587d4cfe0b95bba34ef74a70b392a92a93f026c9bed41eb4ec80452492a2ad524e6b0333c5787b34ee941829020bb75ee5dd216b3734823ddd547d50f8a7e711f8a24fd7dbc0bd2f062ccaba98cdbf62c15d2521b39ce44c53125604493e482ae35f945c4efff1d01414b0aad33de77b020ea4aedf3d88171fe51b22881bc70c639f8b6f1b5a70ed39aa121a8f44887dcbbfce29e1e508d1b0f0666693b476d81faa6a18bd

e = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010001

SHAAlg = SHA1
Msg = b9ff7c8599c14f08669e2c531def1b2025cce1f18475d39953f0e9ff6ff4131f7206d051e2e2fccea81ce970c307b2b93dd6cc175e01de6621ebd3b7e4c12d5063a59cf4e70ccf64bb648a25e0fbf984011c44d8a97b6307b4d2344b04cdca36752408f412066fd189be35fadc9197885ae570bacea90982f6f0334436df93da
S = 3dc6cfb9984d233f47f1631d02a5862b7614be63edbeaf7c36730d511bd145f907b03aedcc2ef3bf376c4955893ea8f5b887a10e6204e243c85cb1e4ef3ea8206a0864eb3f9ee2f4f8cb3b5696640efce67298e50165bf8e57bbbaaec86e5d069dbaebf5b18ca9b2bb98dc61af562a2f262216fa1cf94ea478a48f62c75f0484cb45e32af7a388bada471837d8aaa2ea9e2fad8a6b5aaa0068420085b125d468dc2e1a62f140ba344015a47157778eb98a6450dc219539aeb07e7378ab57fb6e630adf91b45399a84069186a2c61f226d233a40a41066ada1ac8c04dd58a3edb7397945f975ed87a2e535b279898c04d9fb46722c8bdf47f588227b84bd92ffb   // output

With OpenSSL 1.0.2 (integrated with fipscanister), the code and output are shown below:

FIPS_rsa_sign(rsa, message, 128, EVP_sha1(), RSA_X931_PADDING, 0, NULL, signature, &siglen);

Test input and output:

[mod = 2048]

n = bff722714050aebb23a9bd018c3e9ba26a47f53816eeac7e10543958702d9265c8d67784fe03c07bfceac05e7f2a434971dfa2a5ea461893450ced52fcb3f143a85fb3a9194417ff220258840a3359a104079ccd201afec091bab6587d4cfe0b95bba34ef74a70b392a92a93f026c9bed41eb4ec80452492a2ad524e6b0333c5787b34ee941829020bb75ee5dd216b3734823ddd547d50f8a7e711f8a24fd7dbc0bd2f062ccaba98cdbf62c15d2521b39ce44c53125604493e482ae35f945c4efff1d01414b0aad33de77b020ea4aedf3d88171fe51b22881bc70c639f8b6f1b5a70ed39aa121a8f44887dcbbfce29e1e508d1b0f0666693b476d81faa6a18bd

e = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010001

SHAAlg = SHA1
Msg = b9ff7c8599c14f08669e2c531def1b2025cce1f18475d39953f0e9ff6ff4131f7206d051e2e2fccea81ce970c307b2b93dd6cc175e01de6621ebd3b7e4c12d5063a59cf4e70ccf64bb648a25e0fbf984011c44d8a97b6307b4d2344b04cdca36752408f412066fd189be35fadc9197885ae570bacea90982f6f0334436df93da
S = 823052b7a8038b7bdbb859e489991576f43336d4292ffd01d9e12c07545c4c6cc1263c9731d4ccbcc57e7708f5eb9a53b95801978841364f7cb03b6e0d7549233e574ebdd9a5350a29371d2d73cf4aa41d9503e81eb53f3239fefba9b4dea104f800b75945bdc700d7104e3240d09f8fadfc9df2634bd5ee2a08c2eba3a42f40ad3551c39c74a047317046ae0476c84c96529052e922a6f83fa51172f12a0372e48f14a33b8a00648da9be5005ad92fa127ffb76f0c0ca9a8dc9b76ab43c60e09ce6f082605d112afd7e6297e242bcb86b547315a414b7ae00fe4c15ca01303fe6d958da12b34215163522a42735699445546a8e27a872145bf4b0675e90e8c2

Thanks in advance.

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 15 (9 by maintainers)

Most upvoted comments

I have had the same issue. When I test RSA 9.31 (1.1.1) with CAVP vectors, some of the results are correct and some are incorrect. These tests worked on 1.0.2 with the FIPS Object Module but don’t work correctly on 1.1.1.

+1
lisarabe on Jan 28, 2020
Read more comments on GitHub
← openssl: Inconsistent generation logic for asm modules
openssl: Installed libssl.so and libcrypto.so symlinks broken? →