CodeX

Reputation: 735

PHP openssl_sign with SHA512

Is there any chance to get PHP’s openssl_sign method working with SHA512 (or any other SHA2 family member)?

If I use RSA as the key type (OPENSSL_KEYTYPE_RSA) and sign via

openssl_sign($data, $signature, $privatekey, 'sha512');

everything works just fine.

However when using OPENSSL_KEYTYPE_DSA the signature remains empty.

At an OpenSSL help page I found this: “If you wish to sign or verify data using the DSA algorithm then the dss1 digest must be used.”

So I tried this with DSA:

openssl_sign($data, $signature, $privatekey, 'dss1');

and it worked fine.

I’d prefer to use DSA because it creates much shorter signatures, which is more suitable for my use case. However, my concern is that DSS1 is basically SHA1, which isn’t supposed to be used anymore. Is this also valid for a combination with DSA? Is there a way to work around this issue and use DSA with SHA512?

Upvotes: 1

Views: 2612

Answers (1)

dave_thompson_085

Reputation: 38930

Not really an answer but more than I can make readable in comments.

That OpenSSL manpage note is outdated (note). OpenSSL 0.9.8 using the "EVP" API, which commandline dgst among others does, selected hash and PKalg together and as a result could only do DSA with SHA1 (as specified by the original no-suffix FIPS) and called it DSS1 (as you found). Also it could only generate DSA params with subgroup (q) size 160, although it could do group (p) size > 1k in spite of the FIPS saying 512 to 1k in steps of 64 (which was good back in like 1995).

In 1.0.0 and 1.0.1 with new&improved APIs you can generate all FIPS186-3 param sizes (1k/160, 2k/224, 2k/256, 3k/256) and sign/verify DSA of any sane size with any of the 4 original SHA-2 hashes, where a hash longer than q (subgroup) is truncated per FIPS and thus basically wasted. (The 3 SHA-2 "slash" variants added in IIRC FIPS180-4 aren't yet implemented in OpenSSL as hashes, much less for signatures.)

As you've apparently confirmed, OpenSSL since 0.9.8 supports RSA with (I'm pretty sure) all hashes from MD2 through SHA512. But SHA512 is like Schneier's mile-high stake; in order for RSA to preserve its nominal strength you need over 15kbits according to both NIST and ECRYPT (see www.keylength.com) and that will be sloooow.

ECDSA produces equally small signature values, and is expected to scale better at the higher strengths now or soon wanted.

If, when and how this is (or these are) available in PHP I know nothing.

And as always with crypto if you're interoperating with one or more other systems check their capabilities also.

(note) Following last month's (cough, cough) excitement the number of people working on OpenSSL has jumped upward, and some are even doing the boring bits like doc and testing that have lagged for years, so I'll put in a fix request on this.

Upvotes: 2
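
The ECDSA route suggested in the answer, sketched in PHP next to RSA so the signature sizes can be compared. This is an added example, not code from the question or the answer; it assumes PHP 7.1 or later with the OpenSSL extension (needed for `curve_name`), and the helper names `newKey` and `signOrFail` are hypothetical.

```php
<?php
// Added example; assumes PHP >= 7.1 with ext-openssl and a usable openssl.cnf.
declare(strict_types=1);

function newKey(array $options)
{
    $key = openssl_pkey_new($options);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    return $key;
}

function signOrFail(string $data, $key, string $digest): string
{
    $signature = '';
    // openssl_sign() returns false on failure; test that return value
    // rather than discovering an empty signature later.
    if (!openssl_sign($data, $signature, $key, $digest)) {
        $errors = [];
        while (($e = openssl_error_string()) !== false) {
            $errors[] = $e; // drain the OpenSSL error queue for the log
        }
        throw new RuntimeException("signing with $digest failed: " . implode('; ', $errors));
    }
    return $signature;
}

$data = 'constructed sample message';

$keys = [
    'RSA-3072'    => newKey(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 3072]),
    'ECDSA P-256' => newKey(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']),
];

foreach ($keys as $label => $key) {
    $signature = signOrFail($data, $key, 'sha256');
    $publicPem = openssl_pkey_get_details($key)['key'];
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error),
    // so compare strictly against 1 instead of relying on truthiness.
    $valid    = openssl_verify($data, $signature, $publicPem, 'sha256') === 1;
    $tampered = openssl_verify($data . 'x', $signature, $publicPem, 'sha256') === 1;
    printf("%-12s %3d-byte signature, valid=%s, tampered accepted=%s\n",
        $label, strlen($signature), var_export($valid, true), var_export($tampered, true));
}
```

The ECDSA signature is DER-encoded, so its length varies by a few bytes between runs; the RSA signature is always as long as the modulus.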
