Openssl Rsa Sign Example C

Package 'openssl' July 18, 2019 Type Package Title Toolkit for Encryption, Signatures and Certificates Based on OpenSSL Version 1. Lincoln Hughes / March 4, 2014 / OpenSSL, Security / certificate signing request, OpenSSL 3 comments In this tutorial, let’s learn how to use OpenSSL to generate X. Set environment variable OPENSSL_CONF. This requires and RSA private key. All examples assume you have loaded OpenSSL with: require 'openssl' These examples build atop each other. OpenSSL allows you to create a key and a certificate signing request in one step: openssl req -newkey rsa:1024 -keyout zmiller. I shall explain in this article how to use the blowfish algorithm for encryption using OpenSSL's crypto libraries. Win64 OpenSSL v1. sh echo $(date) openssl aes-256-cbc -a -salt -in abc. Generate A Certificate Signing Request In order to get an SSL certificate and key (for use by an httpd server, for example), you must first create a Certificate Signing Request (CSR). OpenSSL makes it relatively easy to compute the digest and signature from a plaintext using a single API. using OpenSSL 1. 509 certificate or a “stack” of certificates. pem with the Entire SSL Certificate Trust Chain Log into your DigiCert Management Console and download your Intermediate (DigiCertCA. BouncyCastle. 5 as a reference. 509 certificate request. RSA Sign and verify using OpenSSL : Behind the scene. SEED Labs – RSA Public-Key Encryption and Signature Lab 6 server, get its issuer’s public key, and then use this public key to verify the signature on the certificate. require 'openssl'. When verifying signatures, it only handles the RSA, DSA, or ECDSA signature itself, not the related data to identify the signer and algorithm used in formats such as x. pem -out newcert. In the following examples, we will use openssl commands to. The digest for the client. Is Bouncy Castle SHA256withRSA/PSS compatible with OpenSSL RSA PSS padding with SHA256 digest?. pem signing a message with digest and private key. Demonstrates how to use Chilkat to RSA encrypt, and then use OpenSSL to decrypt. 1, you'd see the public key, expressed as a sequence of two integers. I'm trying to sign a simple data with C# using Sha1 hash and RSA and then verify it with the OpenSSL command. 174 OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular. one of the weak point of. There's a workaround: Remove prompt = no, and instead add -subj / to your openssl req command line. This tutorial introduces how to use RSA to generate a pair of public and private keys on Windows. And so I opened up the OpenSSL documentation to figure out how to encrypt and decrypt simple messages with RSA in C. I know using public key & hash we can verify the digital signature. 2 Note that openssl does not use all of the possible SCF pkcs11 functions. key –out test. In the following examples, we will use openssl commands to. This method implicitly sets the issuer's name based on the issuer certificate and private key used to sign the CRL. mbed TLS is fully open-source. key 2048 openssl rsa -in server. Prepare master key. pfx -inkey private. I need to implement the following commands using C++. bool success = rsa. 1e-fips 11 Feb 2013. X509Request. In this HOWTO, I use the RSA public key algorithm and the AES shared key algorithm. /** * XML Security Library example: Signing a file with a dynamicaly created template and an X509 certificate. // See Global Unlock Sample for sample code. Converting Certificates Using OpenSSL. How to sign a certificate request by you own CA. You can vote up the examples you like or vote down the ones you don't like. It's not using your rsa private key as an actual key, it's just using the raw bytes from that file as a password. But external, task-based documentation is often used instead, particularly for the task of making a Certificate Signing Request to get an SSL certificate. RSA Sign and verify using OpenSSL : Behind the scene. Notable vulnerabilities Timing attacks on RSA Keys. give OpenSSL configuration file with -c openssl. We will be signing certificates using our intermediate CA. Keywords: applied cryptography · public key cryptography · RSA · side-channel analysis· timingattacks· cache-timingattacks· OpenSSL· CVE-2018-0737 1 Introduction. For example SHA1 represents all ciphers suites using the digest algorithm SHA1 and SSLv3 represents all SSL v3 algorithms. When I call initRSA() it prints the generated signature. openssl dgst -sha256 -sign private. The key is just a string of random bytes. I am trying to implement the program to generate CSR using openssl and c++. Specifically. Sign server and client certificates¶. create public key from the private key and use them to encrypt and decrypt msg. Phantom139. It can also be used to generate self-signed certificates that can be used for testing purposes or internal usage (more details in Step 3). bin data The part to sign and verify dosen't work. In this post, I have shown how RSA works, I will follow this up L1 with another post explaining why it works. conf file will need to exist and point at the desired connector. How to generate RSA SHA signature using OpenSSL in C. askyb on February, 26th 2013 in C++ OpenSSL This tutorial will guide you on how to hash a string by using OpenSSL's SHA1 hash function. To send the Sign emails with DKIM is good its a great help. In this article, I have explained how to do RSA Encryption and Decryption with OpenSSL Library in C. Convert both, the key and the certificate into DER format using openssl : openssl pkcs8 -topk8 -nocrypt -in key. openssl rsautl expects a signature in binary format, not Base64-encoded. OpenSSL is a C library that implements the main cryptographic operations like symmetric encryption, public-key encryption, digital signature, hash functions and so on OpenSSL also implements obviously the famous Secure Socket Layer (SSL) protocol. tlen is the length of RSA's number n (all calculations are modulo n). key -out example. eg, "-aes256" Note on my system I do not have RSA in my options - at least by that name. Keys Creating a Key. 5 signatures, OAEP encryption, PSS signatures), OAEP is the least used and thus it receives the least amount of scrutiny and effort to break it (e. For example, in the RSA case, the public-private key pair used in. Description. I am new to openssl. You can rate examples to help us improve the quality of examples. Here are some example Openssl commands that are meant to be used in the Certificate Manager Context. crt -extensions v3_ca -config. We cannot use SSL and decided to use RSA encryption with the help of low-level functions provided by CryptoAPI at the client side and OpenSSL PHP extension at the server. DESCRIPTION. Common OpenSSL Commands with Keys and Certificates. Reduce the openssl library/image size. The toolkit is loaded with tons of functionalities that can be performed using various options. Bouncycastle RSA-PSS works with OpenSSL RSA-PSS (if you can find out how to do it ;-)) which also accept the real test vectors provided by RSA. There's a workaround: Remove prompt = no , and instead add -subj / to your openssl req command line. In my previous post I explained that we needed to encrypt a communication messages between Windows C++/VCL client and PHP based web service. The PKCS#1 type of RSA signatures is the most widely used and supported. What is sorely missing however, is some example code to clarify things. RSA Sign and verify using OpenSSL : Behind the scene. openssl rsa -pubout -in private_key. Now I need a utility based on rsa_sign. askyb on February, 26th 2013 in C++ OpenSSL This tutorial will guide you on how to hash a string by using OpenSSL’s SHA1 hash function. All of the operations we discuss start with either a single X. This is in accordance with PKIX standards. You can vote up the examples you like or vote down the ones you don't like. A digital signature is a mathematical. pem -outform PEM -pubout -out public. Demonstration of using OpenSSL to create RSA public/private key pair, sign and encrypt messages using those keys and then decrypt and verify the received messages. The code in the blog is obviously very good. Learn more about SSL certificates » A CSR is an encoded file that provides you with a standardized way to send DigiCert your public key as well as some. You should also check the signature scheme used. Here is an example of using OpenSSL s_server with an RSA key and cert with ID 3. The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. 55K stars browserify-aes. [email protected]# openssl req -in example. OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. You can vote up the examples you like or vote down the ones you don't like. After installing OpenSSL, open a CMD prompt and navigate to the directory where OpenSSL is installed (for example: C:\OpenSSL-Win64\bin). The exact method by which the recipient establishes the public RSA key candidate(s) to check the signature must be specified by the application's security protocol. pem -out x509Req. PHP openssl_sign - 30 examples found. In this post we are going to talk about the s_server option. OpenSSL is avaible for a wide variety of platforms. pem something. Export the public key as RSAParameters and write the Modulus and Exponent values to disk, Or use OpenSSL directly in C# with the OpenSSL. / OpenSSL: Working with SSL Certificates, Private Keys and CSRs OpenSSL: Working with SSL Certificates, Private Keys and CSRs OpenSSL is a versatile command line tool that can be used for a large variety of tasks related to Public Key Infrastructure (PKI) and HTTPS (HTTP over TLS). pem and sign data. Ultimately, I'd want a Linux server probably using OpenSSL to sign licence certificates, for C# programs we use the. For a large public service like an e-commerce website, you’ll want a certificate signed by an established trusted root CA, who, like Verisign, have their root keys bundled with web browsers and operating systems. crt), and Primary Certificates (your_domain_name. ssl" That command is doing symmetric encryption. Sign - 3 examples found. 1, providing subjectAltName directly on command line becomes much easier, with the introduction of the -addext flag to openssl req (via this commit). So in the previous post we saw how to generate a ECDSA key in C#, then export its public representation to be used in another C# program. RSA-SHA1 Digest. These examples will probably include those ones which you are looking for. You should also check the signature scheme used. 8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys. openssl genrsa 2048. PEM files can be recognized by the BEGIN and END headers. C# (CSharp) OpenSSL. 5 as a reference. The CODESIGN. Programming with OpenSSL and libcrypto in examples BurgasLab, Burgas April, 2014 DSA/RSA key agreement algorithms - Diffie-Hellman sign csr. Hi All I have two simple questions that perhaps someone can answer. pem 1024 Now I have my pr. pem -out cert. This document will guide you through using the OpenSSL command line tool to generate a key pair which you can then import into a YubiKey. pem file created earlier. Create Certificate Signing Request (CSR) We will generate a Certificate Signing Request (CSR) by pointing our private key. A brief review of cloning, building, debugging, and experimenting with the master branch of the OpenSSL project. An example of using RSA to encrypt a single asymmetric key. Given that the parsing and validation stems from here, it only seems reasonable to start with how to create or access an X509 object. openssl rsautl: Encrypt and decrypt files with RSA keys. More information about the command can be found from its man page. How to sign a certificate request by you own CA. See PASS PHRASE ARGUMENTS in the openssl(1) man page for how to format the arg. indicates that the input is a certificate containing an RSA public key. Then sign it, remembering the signing key password: openssl ca -config openssl. The key is just a string of random bytes. pem #include. How To Create an SSH CA to Validate Hosts and Clients with Ubuntu we need to generate some RSA keys that will function as the signing keys. pem -signature signature. key -out server1. OpenSSL is avaible for a wide variety of platforms. Using OpenSC pkcs11-tool It may be convenient to define a shell-level alias for the pkcs11-tool --module command. We use cookies for various purposes including analytics. OpenSSL is a common library used by many operating systems (I tested the code using Ubuntu Linux). This is used as a logical and operation. You will send this to your new CA, and they will sign it and send it back to you. That is, it calculates c d mod n where d is the private key. openssl pkeyutl -sign|-verify -inkey key [-pubin] -pkeyopt digest:hashname where the key is an RSA key, which does all of PKCS#1-v1. The best way of learning OpenSSL for C/C++ is the OpenSSL community website, which provides the best tutorials and guidelines to learn it. The toolkit is loaded with tons of functionalities that can be performed using various options. com certificate. Even though I am not a well established CA, but I can still use OpenSSL to sign somebody else's certificate. pem - days 365 -nodes. (C++) RSA Encrypt and OpenSSL Decrypt. After creating a Certificate Signing Request we should check the CSR with the following command where we can see all information provided by CSR. For a thorough understanding of TLS and how to get the most out of it, we would recommend the use of other resources, for example Network Security with OpenSSL. This is just the key but we should generate a Certificate Sing Request CSR to the CA which is we in this example. 20 OpenSSL Commands Examples that you must know OpenSSL is an open source toolkit used to implement the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols. HMAC hashing allow user to hash with a secret key. The most famous one is the one all of you use when connecting to https://something… When doing this,. OpenSSL is a standard, open source library that supports a wide range of cryptographic functions, including the creation and signing of x509 certificates. 909 RFC4134 examples draft and interop and consistency checks of many. pem 1024 Now I have my pr. privkey should be set to a private key that was previously generated by openssl_pkey_new() (or otherwise obtained from the other openssl_pkey family of functions). It can be used for. The CSR is signed by a Certificate Authority to create a certificate. conf openssl s_server -engine pkcs11 \ -keyform engine -key 0:0003 -cert rsa. I was wondering if there where any examples of using RSA and DSA to sign data/verify? The man pages are not exactly straight forward on what you have to do. 34 it will determine the strength of ephemeral DH keys from the key size of your RSA certificate. In short, it does the following: Generate a private RSA key. But you need other OpenSSL commands to generate a digest from the document first as shown in the following test: C:\Users\fyicenter>d. 509 certificate or a “stack” of certificates. eg, "-aes256" Note on my system I do not have RSA in my options - at least by that name. It can come in handy in scripts or for accomplishing one-time command-line tasks. Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. // ssh-keygen -t rsa -C "[email protected] txt are the Private key and the CSR code files. com" -days 3650 -passout pass:foobar Generate Certificate Signing Request (CSR) from private key with passphrase. #> openssl speed Doing mdc2 for 3s on 16 size blocks: 1902676 mdc2's in 3. Sign extracted from open source projects. sha256 client. [email protected]# openssl req -in example. You are about to be asked to enter information that will be incorporated into your certificate request. When signing a file, dgst will automatically determine the algorithm (RSA, ECC, etc) to use for signing based on the private key's ASN. Configure New Instructions: From Homebrew. Here are a few (of the many) functions that I have found useful, along with examples of how to use them: Base64 Encoding and Decoding. It's a simple function which objective is to wrap OpenSSL's RSA_public_encrypt taking two bignums (modulus and exponent) instead of an RSA key. Here's an example script that produces both a CSR and a self-signed certificate:. txt | openssl enc -base64 -A; RSA Encryption -- Same Key Different Results; RSA Sign with PKCS8 Encrypted Key; RSA Sign with PKCS8 Encrypted Key; Create PKCS1 RSA Signature. Use the update-cache request to update and remove content from the Google AMP Cache. eg, "-aes256" Note on my system I do not have RSA in my options - at least by that name. An Introduction to OpenSSL Programming, Part I of II An Introduction to OpenSSL Programming, Part I of II. Demonstration of using OpenSSL to create RSA public/private key pair, sign and encrypt messages using those keys and then decrypt and verify the received messages. key The `modulus' and the `public exponent' portions in the key and the Certificate must match. OpenSSL makes it relatively easy to compute the digest and signature from a plaintext using a single API. This is a tutorial showing how to use OpenSSL in linux systems (Kali in the video) for symmetric and assymetric encription and decription. Currently, update-cache only ensures that the content is updated within its max-age, which means the maximum amount of time a resource will be considered fresh. pem -inform PEM -out cert. It is an extremely useful, valuable Open Source project. In order to sign Certificate we need to create a Certificate Signing Request (CSR) which is described below. The corresponding public portion of the key will be used to sign the CSR. You can use OpenSSL to create both a private key and your certificate signing request. Hello, I'm really close to having all the pieces I need for my program. This example creates a 2048 bit RSA keypair and writes it to the current directory. pem It will ask you for your import password from when you exported it in Windows. In my seemingly endless side project to implement RSA and AES encryption to my Alsa Server project , I wrote a while ago about doing simple RSA encryption with OpenSSL. And so I opened up the OpenSSL documentation to figure out how to encrypt and decrypt simple messages with RSA in C. For example SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms. I am trying to implement the program to generate CSR using openssl and c++. A digital signature is a mathematical. For example the key created in the next is used in throughout these examples. c in OpenSSL 1. I'm adding https support to an embedded linux device. Generate the RSA key, the certificate request (filling in the organization and common name for the CA), and the certificate. key -out yourdomain. Includes stepping into the crypto library with GDB. We can't use the -verify option of the dgst command because by default, openssl uses PKCS#2, but the openssl engine uses PKCS#1. OpenSSL is an open source toolkit that implements security protocols such as SSL and a lot of encryption algorithms like RSA, AES and several hash functions like SHA1 and MD5. I was working on a prototype to sign the source code of open source projects in order to release it including the signature. Sign some data using a private key: openssl. Hello, I'm trying to encrypt a symmetric key using RSA with OpenSSL my code looks something like (for mingw) : in the example the symmetric key is replaced by the word hello int main(int argc, char. Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The BN_from_montgomery function in crypto/bn/bn_mont. We also set a symmetric key to protect our certificate sign request. You can rate examples to help us improve the quality of examples. sigret must point to RSA_size(rsa) bytes of memory. pem -out x509Req. openssl rsa -check -in server-key. Protocol support. If you are unsure as to whether a feature will be useful for the general OpenSSL community please discuss it on the openssl-users mailing list first. #> openssl speed Doing mdc2 for 3s on 16 size blocks: 1902676 mdc2's in 3. Feel free to use any file names, as long as you keep the. Note: You can also use the openssl command to create your own certificate request. The following C++ code demonstrates how to decrypt with RSA private key with OpenSSL library. Notable vulnerabilities Timing attacks on RSA Keys. openssl req -new -newkey rsa:2048 -nodes -keyout server. pem -inkey test_example. No need to change this (unless you want to). Before you do any work, you should know which OpenSSL version you'll be using. openssl rsa: Manage RSA private keys (includes generating a public key from it). PHP openssl_sign - 30 examples found. HMAC can take most of the hash engine in order to hash your data with the secret key. Is Bouncy Castle SHA256withRSA/PSS compatible with OpenSSL RSA PSS padding with SHA256 digest?. NET into OpenSSL If I misunderstood you, or you have any questions, please let me know. cnf file which can be found in the C:\Tools\php-4. privkey should be set to a private key that was previously generated by openssl_pkey_new() (or otherwise obtained from the other openssl_pkey family of functions). 503 deallocation routines to be used by OpenSSL, for example memory. com certificate, but it does not come with any warranty and the organization name of the website owner does not appear in the SSL certificate. pem -inform PEM -out key. com' I'd like to specify a subjectAltName also at creation time, but I cannot find info in the openssl manpage on how to do this. key using openssl: openssl genrsa –out test. I have tried to generate a self-signed certificate with these steps: openssl req -new > cert. This is in accordance with PKIX standards. NET) (both will. 2d-i386-win32. -rsa_padding_mode:mode. exe req -new -key my_key. env OPENSSL_CONF=engine. You get the 30/08 because there isn't a -days option that override the default certificate validity of 30 days, as mentioned in x509 the man page:-days arg specifies the number of days to make a certificate valid for. txt | openssl enc -base64 -A; RSA Encryption -- Same Key Different Results; RSA Sign with PKCS8 Encrypted Key; RSA Sign with PKCS8 Encrypted Key; Create PKCS1 RSA Signature. Note that this is a default build of OpenSSL and is subject to local and state laws. After creating a Certificate Signing Request we should check the CSR with the following command where we can see all information provided by CSR. I was working on a prototype to sign the source code of open source projects in order to release it including the signature. pem -out sha256. $ openssl rsa -in example_rsa -pubout -out public. Using a simple key pair generated by OpenSSL at a command line it was very simple to create scripts in Perl and PHP to produce (and sign) and then decode (and validate) some data using this key pair. Which route you choose depends on your circumstances and why you need a certificate. TLS/SSL and crypto library. You can use these signed certificates in a variety of situations, such as to secure connections to a web server or to authenticate clients connecting to a service. openssl pkcs12 -export -out cacert. You can vote up the examples you like or vote down the ones you don't like. DSA The Digital Signature Algorithm is an alternative to RSA. Simple File Encryption with OpenSSL December 12, 2007. pem -out x509Req. 1 OpenSSL Decryption At the heart of RSA decryption is a modular exponen-tiation m = cd mod N where N = pq is the RSA modulus, d is the private decryption exponent, and c is the ciphertext being decrypted. Creates a 1024 bit RSA key pair and stores it to the filesystem as two files. Key-based authentication uses two keys, one "public" key that anyone is allowed to see, and another "private" key that only the owner is allowed to see. key -out new_private. give OpenSSL configuration file with -c openssl. The following C++ code demonstrates how to decrypt with RSA private key with OpenSSL library. Example Code: Create RSA Signature with PEM Private Key Duplicate openssl dgst -md5 -sign myKey. RSA example with OAEP Padding and random key generation. I’ve found: mbedtls_x509_crt_parse so I can read the pem to a buffer and load it into a mbedtls_x509_crt structure. The concept of public key and the private key you have elaborate is informative. pem -keyform PEM -sha256 -out data. "openssl genpkey -algorithm RSA -out eekey. However the command line tools of OpenSSL are pretty well documented and easy to use. For example, type: >C:\Openssl\bin\openssl. Convert both, the key and the certificate into DER format using openssl : openssl pkcs8 -topk8 -nocrypt -in key. For testing, the keytool utility bundled with the JDK provides the simplest way to generate the key and certificate you need. Browsers and servers usually negotiate the strongest mutually supported session. In this article, I have explained how to do RSA Encryption and Decryption with OpenSSL Library in C. In this example the client certificate request is a file called storereq. By default this command listens on port 4433 for HTTPS connections. Applies to: All versions: Summary: Using Openssl can be a tedious process, as it is all command line driven. Crypto) to encrypt/decrypt files in my c# project. Digicert has a useful form that will create the command for use in OpenSSL at their site. Okay this is the final tip and trick with openssl. openssl rsa -pubout -in private_key. I know using public key & hash we can verify the digital signature. I have tried to generate a self-signed certificate with these steps: openssl req -new > cert. 509 certificate or a “stack” of certificates. pem -out sha256. zip -out abc. This tutorial will create two C++ example files which will compile and run in Ubuntu environment. Keys Creating a Key. , code; not just the SSL code. com' Make a new Certificate Signing Request (CSR) that will be valid for 3 years. * * Signs a file using a dynamicaly created template, key from PEM file and * an X509 certificate. pem -outform PEM -pubout -out public. // This example assumes the Chilkat API to have been previously unlocked. There are a lot of other great reasons to upgrade to OpenSSL >=1. pem" -signature "D:\ProductInformation_xml. The rsautl command can be used to sign, verify, encrypt, and decrypt data using the RSA algorithm. C# (CSharp) OpenSSL. But I have very less memory avaialable. Before you do any work, you should know which OpenSSL version you’ll be using. key If you are using passphrase in key file and using Apache then every time you start, you have to enter the password. I know using public key & hash we can verify the digital signature. Options-in filename. der -outform DER. pem Code Signing. For more information about the team and community around the project, or to start making your own contributions, start with the community page. Provide the following command to generate a server private key and public certificate: openssl req -x509 -newkey rsa:2048 -nodes -keyout key. The fact-checkers, whose work is more and more important for those who prefer facts over lies, police the line between fact and falsehood on a day-to-day basis, and do a great job. Today, my small contribution is to pass along a very good overview that reflects on one of Trump’s favorite overarching falsehoods. Namely: Trump describes an America in which everything was going down the tubes under  Obama, which is why we needed Trump to make America great again. And he claims that this project has come to fruition, with America setting records for prosperity under his leadership and guidance. “Obama bad; Trump good” is pretty much his analysis in all areas and measurement of U.S. activity, especially economically. Even if this were true, it would reflect poorly on Trump’s character, but it has the added problem of being false, a big lie made up of many small ones. Personally, I don’t assume that all economic measurements directly reflect the leadership of whoever occupies the Oval Office, nor am I smart enough to figure out what causes what in the economy. But the idea that presidents get the credit or the blame for the economy during their tenure is a political fact of life. Trump, in his adorable, immodest mendacity, not only claims credit for everything good that happens in the economy, but tells people, literally and specifically, that they have to vote for him even if they hate him, because without his guidance, their 401(k) accounts “will go down the tubes.” That would be offensive even if it were true, but it is utterly false. The stock market has been on a 10-year run of steady gains that began in 2009, the year Barack Obama was inaugurated. But why would anyone care about that? It’s only an unarguable, stubborn fact. Still, speaking of facts, there are so many measurements and indicators of how the economy is doing, that those not committed to an honest investigation can find evidence for whatever they want to believe. Trump and his most committed followers want to believe that everything was terrible under Barack Obama and great under Trump. That’s baloney. Anyone who believes that believes something false. And a series of charts and graphs published Monday in the Washington Post and explained by Economics Correspondent Heather Long provides the data that tells the tale. The details are complicated. Click through to the link above and you’ll learn much. But the overview is pretty simply this: The U.S. economy had a major meltdown in the last year of the George W. Bush presidency. Again, I’m not smart enough to know how much of this was Bush’s “fault.” But he had been in office for six years when the trouble started. So, if it’s ever reasonable to hold a president accountable for the performance of the economy, the timeline is bad for Bush. GDP growth went negative. Job growth fell sharply and then went negative. Median household income shrank. The Dow Jones Industrial Average dropped by more than 5,000 points! U.S. manufacturing output plunged, as did average home values, as did average hourly wages, as did measures of consumer confidence and most other indicators of economic health. (Backup for that is contained in the Post piece I linked to above.) Barack Obama inherited that mess of falling numbers, which continued during his first year in office, 2009, as he put in place policies designed to turn it around. By 2010, Obama’s second year, pretty much all of the negative numbers had turned positive. By the time Obama was up for reelection in 2012, all of them were headed in the right direction, which is certainly among the reasons voters gave him a second term by a solid (not landslide) margin. Basically, all of those good numbers continued throughout the second Obama term. The U.S. GDP, probably the single best measure of how the economy is doing, grew by 2.9 percent in 2015, which was Obama’s seventh year in office and was the best GDP growth number since before the crash of the late Bush years. GDP growth slowed to 1.6 percent in 2016, which may have been among the indicators that supported Trump’s campaign-year argument that everything was going to hell and only he could fix it. During the first year of Trump, GDP growth grew to 2.4 percent, which is decent but not great and anyway, a reasonable person would acknowledge that — to the degree that economic performance is to the credit or blame of the president — the performance in the first year of a new president is a mixture of the old and new policies. In Trump’s second year, 2018, the GDP grew 2.9 percent, equaling Obama’s best year, and so far in 2019, the growth rate has fallen to 2.1 percent, a mediocre number and a decline for which Trump presumably accepts no responsibility and blames either Nancy Pelosi, Ilhan Omar or, if he can swing it, Barack Obama. I suppose it’s natural for a president to want to take credit for everything good that happens on his (or someday her) watch, but not the blame for anything bad. Trump is more blatant about this than most. If we judge by his bad but remarkably steady approval ratings (today, according to the average maintained by 538.com, it’s 41.9 approval/ 53.7 disapproval) the pretty-good economy is not winning him new supporters, nor is his constant exaggeration of his accomplishments costing him many old ones). I already offered it above, but the full Washington Post workup of these numbers, and commentary/explanation by economics correspondent Heather Long, are here. On a related matter, if you care about what used to be called fiscal conservatism, which is the belief that federal debt and deficit matter, here’s a New York Times analysis, based on Congressional Budget Office data, suggesting that the annual budget deficit (that’s the amount the government borrows every year reflecting that amount by which federal spending exceeds revenues) which fell steadily during the Obama years, from a peak of $1.4 trillion at the beginning of the Obama administration, to $585 billion in 2016 (Obama’s last year in office), will be back up to $960 billion this fiscal year, and back over $1 trillion in 2020. (Here’s the New York Times piece detailing those numbers.) Trump is currently floating various tax cuts for the rich and the poor that will presumably worsen those projections, if passed. As the Times piece reported: