On Wed, May 11, 2005, Andreas Hoffmann wrote:

> The "signature" contains the value which is extracted from the
> socket-datastream and is 128Bytes (1024bit) long.
> What is in a signature in DER format? - Is it just the signature itself
> or is there additional information?
>
> What do the error-messages mean -
> - Is there some problem while verifying (wrong input-values,...) OR
> - Is the verification completed successfully but the signature simply
> does not match the data?
>
> Andreas
>
> the errors again:
> 9876:error:0D07209B:asn1 encoding routines:ASN1_get_object:too
> long:asn1_lib.c:132:
> 9876:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object
> header:tasn_dec.c:935:
> 9876:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> error:tasn_dec.c:304:Type=X509_SIG
>
This needs a bit of background first.

EVP_{Sign,Verify}*() with an RSA key use PKCS#1 for signatures. This consists of a DER DigestInfo structure (X509_SIG in OpenSSL) encrypted using the appropriate RSA key. This structure is simply the digest value and the digest algorithm in use.

When the signature is verified OpenSSL decrypts and attempts to ASN1 parse the result. If the ASN1 parsing fails you get that error.

It is unlikely that that error could be produced by accident: it may well be in a different format.

To see the format used you can do:

openssl rsautl -verify -certin -in signature -inkey cert.pem -hexdump

and post the result. Also try it with the -asn1parse option instead of -hexdump.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
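
The verification steps described in the reply above, as an added example that is not part of the original thread and is not OpenSSL code: it shows how a PKCS#1-padded signature over a bare digest (no DigestInfo) fails at ASN.1 parsing, which is a different outcome from a well-formed signature whose digest does not match the data. Assumptions: the RSA key is a constructed, insecure toy key, SHA-256 is chosen as the digest, and all function names and result strings are hypothetical.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes: insecure, illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes
# DER header of a SHA-256 DigestInfo (RFC 8017, section 9.2); the 32-byte digest follows.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
SHA256_OID = bytes.fromhex("608648016503040201")

def sign_block(payload: bytes) -> bytes:
    """Private-key operation on 00 01 FF..FF 00 || payload (PKCS#1 block type 1)."""
    block = b"\x00\x01" + b"\xff" * (K - 3 - len(payload)) + b"\x00" + payload
    return pow(int.from_bytes(block, "big"), D, N).to_bytes(K, "big")

def read_tlv(buf: bytes, pos: int, tag: int):
    """Read one short-form DER TLV with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag or buf[pos + 1] & 0x80:
        raise ValueError("bad object header")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("too long")
    return buf[pos + 2:end], end

def parse_digest_info(der: bytes):
    """DigestInfo ::= SEQUENCE { SEQUENCE { OID, params }, OCTET STRING digest }."""
    body, end = read_tlv(der, 0, 0x30)
    alg, pos = read_tlv(body, 0, 0x30)
    oid, _ = read_tlv(alg, 0, 0x06)
    digest, pos = read_tlv(body, pos, 0x04)
    if end != len(der) or pos != len(body):
        raise ValueError("trailing data")
    return oid, digest

def verify(sig: bytes, data: bytes) -> str:
    """Public-key operation, unpad, parse DigestInfo, then compare algorithm and digest."""
    block = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    sep = block.find(b"\x00", 2)       # separator after the FF padding run
    if block[:2] != b"\x00\x01" or sep < 10 or set(block[2:sep]) != {0xFF}:
        return "padding error"
    try:
        oid, digest = parse_digest_info(block[sep + 1:])
    except ValueError as exc:          # payload is not a DigestInfo at all
        return f"ASN.1 parse error: {exc}"
    if oid != SHA256_OID or digest != hashlib.sha256(data).digest():
        return "digest mismatch"
    return "ok"
```

The payload handed to `parse_digest_info` corresponds to what `openssl rsautl -verify` outputs after removing the padding, so the `-hexdump` output from the reply can be checked against the same structure by eye.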