🇨🇦
any fediverse devs see anything obviously wrong with my sigbuf? maybe because of header casing or something?
ugh I'm so dumb. RSA_verify takes a hash of the message being signed instead of the message itself. of course. derp. works now! chibipub can verify fediverse messages. yay.
@jb55 You pretty much always hash first, at least under the hood.
Think of it this way: the signature math operates on numbers. Your message is also a number. Hashing it makes your message into a number of manageable size, and randomly distributed so you don't have to deal with any special cases.
@pete ah yes this is what I figured, for some reason I thought the API would do that for you from the type parameter but I guess this API makes more sense.
@jb55 Depends on the philosophy of the API. Requiring the user to hash first can be a big footgun, as many signature schemes are only secure with hash digests due to edge cases. But for flexibility, allowing the user to choose is better.
@pete I was able to get it working after reading this:
https://stackoverflow.com/a/50703808
Is this answer wrong is it just typical to hash before you sign? I’m not super familiar with RSA.