Crypto: RSATest::testSign() should verify with public key only #622

@obiltschnig

Description

To verify signature operation, the original RSA key (containing both private and public keys) is used to initialize the RSADigestEngine (eng2). Before the verification, a new public RSA key (keyPub) is created by saving the public key part of the original RSA key. However this public key is not used in the verification.

I don't fully understand the logic behind the test.

  1. Should the test code use only the public key (keyPub) for verification when constructing eng2?
    or
  2. Are both keys (private, public) required for verification?

void RSATest::testSign()
{
    std::string msg("Test this sign message");
    RSAKey key(RSAKey::KL_2048, RSAKey::EXP_LARGE);
    RSADigestEngine eng(key);
    eng.update(msg.c_str(), static_cast<unsigned>(msg.length()));
    const Poco::DigestEngine::Digest& sig = eng.signature();
    std::string hexDig = Poco::DigestEngine::digestToHex(sig);

    // verify
    std::ostringstream strPub;
    key.save(&strPub);                 // writes only the public key part
    std::string pubKey = strPub.str();
    std::istringstream iPub(pubKey);
    RSAKey keyPub(&iPub);              // public-only key; not used below
    RSADigestEngine eng2(key);         // verifier built from the full key, not keyPub
    eng2.update(msg.c_str(), static_cast<unsigned>(msg.length()));
    assert (eng2.verify(sig));
}
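As an added illustration (not POCO code and not from the issue author), the following self-contained textbook RSA in C++ makes the point behind question 1 concrete: a verifier needs only the public half (n, e), so handing it a public-only key is sufficient, and in POCO terms that is what constructing `eng2` from `keyPub` instead of `key` would exercise. The primes 65521 and 65519, the exponent 65537, the FNV-1a digest stand-in and every function and type name are constructed for this example; there is no padding and the modulus is tiny, so it demonstrates the key-separation point only, not a usable signature scheme.

```cpp
// Added illustration, not POCO code: textbook RSA with toy parameters,
// showing that signature verification needs only the public half (n, e).
// Constructed for the example: tiny modulus, no padding, not for real use.
#include <cstdint>
#include <string>

struct RsaPublicKey  { uint64_t n; uint64_t e; };        // all a verifier ever holds
struct RsaPrivateKey { RsaPublicKey pub; uint64_t d; };  // the signer additionally holds d

// Modular arithmetic; n < 2^32 keeps every product inside uint64_t.
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) { return (a * b) % m; }

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1 % m;
    base %= m;
    while (exp != 0) {
        if (exp & 1) result = mulmod(result, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return result;
}

// Modular inverse via the extended Euclidean algorithm; 0 if no inverse exists.
static uint64_t invmod(uint64_t a, uint64_t m) {
    int64_t t = 0, newT = 1;
    int64_t r = static_cast<int64_t>(m), newR = static_cast<int64_t>(a % m);
    while (newR != 0) {
        int64_t q = r / newR;
        int64_t tmp = t - q * newT; t = newT; newT = tmp;
        tmp = r - q * newR;         r = newR; newR = tmp;
    }
    if (r != 1) return 0;
    if (t < 0) t += static_cast<int64_t>(m);
    return static_cast<uint64_t>(t);
}

// Stand-in for the digest step (FNV-1a 64, reduced into Z_n). Constructed for
// the example; a real RSADigestEngine hashes with a proper digest and pads.
static uint64_t digestMod(const std::string& msg, uint64_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (unsigned char c : msg) { h ^= c; h *= 1099511628211ULL; }
    return h % n;
}

// Key generation from two primes and a public exponent (toy sizes).
RsaPrivateKey makeKeyPair(uint64_t p, uint64_t q, uint64_t e) {
    uint64_t n   = p * q;
    uint64_t phi = (p - 1) * (q - 1);
    return RsaPrivateKey{ RsaPublicKey{ n, e }, invmod(e, phi) };
}

// Sign: s = H(m)^d mod n, which needs the private exponent.
uint64_t sign(const RsaPrivateKey& key, const std::string& msg) {
    return powmod(digestMod(msg, key.pub.n), key.d, key.pub.n);
}

// Verify: s^e mod n == H(m) mod n. The parameter type makes it impossible to
// hand the verifier a private key, which is the property the test should exercise.
bool verify(const RsaPublicKey& pub, const std::string& msg, uint64_t sig) {
    return powmod(sig, pub.e, pub.n) == digestMod(msg, pub.n);
}

// Mirrors the test's flow: sign with the full key, then verify with the public
// half only (the analogue of constructing eng2 from keyPub rather than key).
bool signAndVerifyWithPublicOnly(const std::string& msg) {
    RsaPrivateKey key = makeKeyPair(65521, 65519, 65537); // constructed primes, n < 2^32
    uint64_t sig = sign(key, msg);
    RsaPublicKey keyPub = key.pub;                        // "save" only the public part
    return verify(keyPub, msg, sig);
}

int main() {
    return signAndVerifyWithPublicOnly("Test this sign message") ? 0 : 1;
}
```

The design choice worth carrying back to the real test is the one the types enforce here: `verify` cannot even be passed a private key, so a test that only ever verifies with the full key never proves that the public key alone is enough.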
