On Mar 30, 2010, at 4:20 PM, Stephen Paul Weber wrote:
I'm reading RFC4880 in an attempt to produce an implementatdion of a subset
of OpenPGP (RSA signatures) using <http://phpseclib.sourceforge.net/>. I
have the publickey and compression-literal-signature packets parsed out. I
can extract n and e and feed them to Crypt_RSA to construct a verifier. I
tell it I'm using sha256. It then needs a "message" and a "signature"
parametre. I get the signature data out of the signature packet no problem.
The question I have is: what is "message"? According to section 5.2.4 it's
some combination of the literal data packet(s?) (their bodies or the whole
packet?) and the "hashed" subpackets. Do I just concat all the data packets
and the hashed packets together in the order they appear?
Basically, yes.
To paraphrase 5.2.4, and assuming we're talking about V4 signatures, you take
all the data (just the uncompressed literal packet body - not including the
literal packet header), and follow that with the signature version (1 byte),
the signature type (1 byte), the public-key algorithm (1 byte), the hash
algorithm (1 byte), the hashed subpacket length (2 bytes, big endian), and the
hashed subpacket body (however many bytes). Note that these are the first n
bytes of your signature packet. Then you hash the trailer: 0x04, 0xFF, and a
four byte big-endian number which is the number of bytes you hashed from the
signature (i.e. 6 bytes, plus the number of subpacket bytes).
Note that the data (literal packet contents) might be tagged as binary (0x00)
or text (0x01) (the tag is in the literal packet header). They are the same,
except that text has its line endings canonicalized to CRLF.
David