You want to use RSA to digitally sign data.
Use a wellknown oneway hash function to compress the data, then use a digital signing technique specified in PKCS #1 v2.0 or later. Any good cryptographic library should have primitives for doing exactly this. OpenSSL provides both a lowlevel interface and a highlevel interface, although the highlevel interface doesn't end up removing any complexity.
Digital signing with RSA is roughly equivalent to encrypting with a private key. Basically, the signer computes a message digest, then encrypts the value with his private key. The verifier also computes the digest and decrypts the signed value, comparing the two. Of course, the verifier has to have the valid public key for the entity whose signature is to be verified, which means that the public key needs to be validated by some trusted third party or transmitted over a secure medium such as a trusted courier.
Digital signing works because only the person with the correct private key will produce a "signature" that decrypts to the correct result. An attacker cannot use the public key to come up with a correct encrypted value that would authenticate properly. If that were possible, it would end up implying that the entire RSA algorithm could be broken.
PKCS #1 v2.0 specifies two different signing standards, both of which are assumed to operate on message digest values produced by standard algorithms. Basically, these standards dictate how to take a message digest value and produce a "signature." The preferred standard is RSASSAPSS, which is analogous to RSAESOAEP, the padding standard used for encryption. It has provable security properties and therefore is no less robust than the alternative, RSASSAPKCS1v1.5.^{[3]} There aren't any known problems with the RSASSAPKCS1v1.5, however, and it is in widespread use. On the other hand, few people are currently using RSASSAPSS. In fact, OpenSSL doesn't support RSASSAPSS. If RSASSAPSS is available in your cryptographic library, we recommend using it, unless you are concerned about interoperating with a legacy application. Otherwise, there is nothing wrong with RSASSAPKCS1v1.5.
^{[3]} There is a known theoretical problem with RSASSAPKCS1v1.5, but it is not practical, in that it's actually harder to attack the scheme than it is to attack the underlying message digest algorithm when using SHA1.
Both schemes should have a similar interface in a cryptographic library supporting RSA. That is, signing should take the following parameters:
The signer's private key.
The message to be signed. In a lowlevel API, instead of the actual message, you will be expected to provide a hash digest of the data you really want to be signing. Highlevel APIs will do the message digest operation for you.
An indication of which message digest algorithm was used in the signing. This may be assumed for you in a highlevel API (in which case it will probably be SHA1).
RSASSAPKCS1v1.5 encodes the message digest value into its result to avoid certain classes of attack. RSASSAPSS does no such encoding, but it uses a hash function internally, and that function should generally be the same one used to create the digest to be signed.
You may or may not need to give an indication of the length of the input message digest. The value can be deduced easily if the API enforces that the input should be a message digest value. Similarly, the API may output the signature size, even though it is a wellknown value (the same size as the public RSA modulus?for example, 2,048 bits in 2,048bit RSA).

In OpenSSL, we recommend always using the lowlevel interface to RSA signing, using the function RSA_sign( ) to perform signatures when you've already calculated the appropriate hash. The signature, defined in openssl/rsa.h, is:
int RSA_sign(int md_type, unsigned char *dgst, unsigned int dlen, unsigned char *sig, unsigned int *siglen, RSA *r);
This function has the following arguments:
OpenSSLspecific identifier for the hash function. Possible values are NID_sha1, NID_ripemd, or NID_md5. A fourth value, NID_md5_sha1, can be used to combine MD5 and SHA1 by hashing with both hash functions and concatenating the results. These four constants are defined in the header file openssl/objects.h.
Buffer containing the digest to be signed. The digest should have been generated by the algorithm specified by the md_type argument.
Length in bytes of the digest buffer. For MD5, the digest buffer should always be 16 bytes. For SHA1 and RIPEMD, it should always be 20 bytes. For the MD5 and SHA1 combination, it should always be 36 bytes.
Buffer into which the generated signature will be placed.
The number of bytes written into the signature buffer will be placed in the integer pointed to by this argument. The number of bytes will always be the same size as the public modulus, which can be determined by calling RSA_size( ) with the RSA object that will be used to generate the signature.
RSA object to be used to generate the signature. The RSA object must contain the private key for signing.
The highlevel interface to RSA signatures is certainly no less complex than computing the digest and calling RSA_sign( ) yourself. The only advantage of it is that you can minimize the amount of code you need to change if you would additionally like to support DSA signatures. If you're interested in this API, see the book Network Security with OpenSSL for more information.
Here's an example of signing an arbitrary message using OpenSSL's RSA_sign( ) function:
#include <openssl/sha.h> #include <openssl/rsa.h> #include <openssl/objects.h> int spc_sign(unsigned char *msg, unsigned int mlen, unsigned char *out, unsigned int *outlen, RSA *r) { unsigned char hash[20]; if (!SHA1(msg, mlen, hash)) return 0; return RSA_sign(NID_sha1, hash, 20, out, outlen, r); }