RustCrypto / RSA

RSA implementation in pure Rust
Apache License 2.0
557 stars 154 forks source link

How to verify the PSS signature with the public key? #415

Closed NikolaWissenklaus closed 9 months ago

NikolaWissenklaus commented 9 months ago

The signature example shows that to verify the PSS signature, verifying_key needs to have signing_key with the signer's private key, but wouldn't it be correct to verify the data with the signer's public key?

image

Do you have any example where user A signs the data with PSS and user B verifies it? (with user A's public key)

tarcieri commented 9 months ago

That's what that example is showing. The signer (user A) has to calculate the verifying key at some point and give it to user B somehow.

What it isn't showing e.g. the key being serialized to bytes. Would that be helpful?

NikolaWissenklaus commented 9 months ago

Hello! How are you?

So user A will pass the encrypted message, signature and verifying_key (in bytes) to user B?

So user B will decrypt the message with (user B's) private key, and then verify that the message is authentic with verifying_key(message, signature)?

But doesn't user B need user A's public key to verify?

Sorry if my question may seem stupid...

tarcieri commented 9 months ago

Generally some trust relationship between signer and verifier needs to be established first, as opposed to passing the verifying key along with the message. Otherwise an attacker can just pass an attacker-controlled key with the message.

NikolaWissenklaus commented 9 months ago

Got it! Thank you very much for clarifying! Now I know how I can implement it.

NikolaWissenklaus commented 9 months ago

Wait, what about that? https://docs.rs/rsa/latest/rsa/struct.RsaPublicKey.html#:~:text=pub%20fn%20verify%3CS%3A%20SignatureScheme%3E(

can I do this?

let verification = public_key.verify(padding, &hashed_msg, &signature);

    match check {
        Ok(_) => println!("Signature verified successfully."),
        Err(e) => println!("Failed to verify signature: {:?}", e),
    }

I found this example in this repository I found: https://github.com/succinctlabs/sp1/blob/main/examples/rsa/program/src/main.rs

tarcieri commented 9 months ago

Yes, that's an alternative API that does the same thing

NikolaWissenklaus commented 9 months ago

But is this alternative as safe as the first example? Or is there no difference?

tarcieri commented 9 months ago

They're functionally equivalent

NikolaWissenklaus commented 9 months ago

Great! Thank you very much! We can close this thread. :)