Thanks Stephens,
that worked.
I'm just curious: what if one uses
#> openssl rsautl -sign -inkey ./private/cakey.pem -in plain.txt -out signature.bin
to create a signature, how would you verify it in C?
Essentially what I mean is, can you pass null in the 2nd argument to
EVP_VerifyInit (&md_ctx, null); indicating there is no hashing algo to be
used? Is this right or is there some other way?
KB
From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: How to verify signature data with RSA PKCS1
Date: Tue, 1 Aug 2006 01:58:46 +0200
On Mon, Jul 31, 2006, k b wrote:
> Thanks Steve for pointing out that I was posting to the wrong list, sorry my
> bad, for some reason I didn't read it right. Anyways...
>
I've moved it now.
> lemme give some background
> i have a plain text file plain.txt
>
> i call
> #> openssl rsautl -sign -inkey ./private/cakey.pem -in plain.txt -out
> signature.bin
> so my first question
That command uses the RSA algorithm directly to sign the data. That isn't
normally done; instead the data is digested and the digest is signed.
If you use a digest command such as "openssl sha1" with the -sign option
it will do the right thing.
> 1) what kind of hashing algorithm would the above command use? Is it
> possible to suggest one to use like sha1 or md5 etc ...
>
It doesn't use one.
> in my c code i'm using the EVP_verify interface to verify the
> signature.bin
>
> here's what i do
> * I load the cert
> * read the public key into EVP_PKEY
> * read the plaintext into a buffer 'plainTextData'
> * read the signature.bin into a buffer 'sig_buf'
> and then do the following
>
> EVP_MD_CTX_init(&md_ctx);
>
> EVP_VerifyInit (&md_ctx, EVP_sha1()); <--- here i'm not sure which
> hash algo to specify. ???
> EVP_VerifyUpdate (&md_ctx, plainTextData, plainTextSize);
> err = EVP_VerifyFinal (&md_ctx, sig_buf, sig_len, pkey);
>
> here what i get
> 11908:error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message
> digest algorithm:a_verify.c:141:
> 11908:error:0D07209B:asn1 encoding routines:ASN1_get_object:too
> long:asn1_lib.c:132:
> 11908:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object
> header:tasn_dec.c:935:
> 11908:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> error:tasn_dec.c:304:Type=X509_SIG
>
> Any lead would be appreciated, as i'm out of ideas.
If you use "openssl sha1" to sign with you should have more luck.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
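
Why the EVP_VerifyFinal call quoted above fails on an rsautl -sign signature, as an added example (not part of the original thread and not OpenSSL's own code): the EVP path expects the padded block recovered from the signature to carry a DigestInfo (the X509_SIG named in the error trace), while rsautl -sign pads the raw file contents. classify_em and make_em are hypothetical helpers, and the 64-byte blocks are constructed samples standing in for the output of the RSA public-key operation.

```c
#include <stdio.h>
#include <string.h>

/* DER header of a SHA-1 DigestInfo; the 20 digest bytes follow it. */
static const unsigned char SHA1_PREFIX[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
enum em_kind { EM_BAD_PADDING, EM_RAW_DATA, EM_SHA1_DIGESTINFO };

/* Strip PKCS#1 v1.5 type 1 padding (00 01 FF..FF 00) and classify the payload. */
enum em_kind classify_em(const unsigned char *em, size_t em_len,
                         const unsigned char **payload, size_t *payload_len)
{
    size_t i = 2;
    if (em_len < 11 || em[0] != 0x00 || em[1] != 0x01)
        return EM_BAD_PADDING;
    while (i < em_len && em[i] == 0xFF) i++;
    if (i < 10 || i == em_len || em[i] != 0x00) /* need >= 8 FF bytes, then 00 */
        return EM_BAD_PADDING;
    *payload = em + i + 1; *payload_len = em_len - i - 1;
    if (*payload_len == sizeof SHA1_PREFIX + 20 &&
        memcmp(*payload, SHA1_PREFIX, sizeof SHA1_PREFIX) == 0)
        return EM_SHA1_DIGESTINFO; /* what a verify with EVP_sha1() can parse */
    return EM_RAW_DATA;            /* what rsautl -sign puts in the block */
}

/* Build a constructed k-byte padded block around payload; -1 if it does not fit. */
int make_em(unsigned char *em, size_t k, const unsigned char *payload, size_t plen)
{
    if (k < plen + 11) return -1;
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xFF, k - plen - 3);
    em[k - plen - 1] = 0x00;
    memcpy(em + k - plen, payload, plen);
    return 0;
}

int main(void)
{
    unsigned char em[64], di[35];
    const unsigned char *p; size_t n;
    memcpy(di, SHA1_PREFIX, 15);
    memset(di + 15, 0xAB, 20); /* placeholder digest bytes (constructed) */
    make_em(em, sizeof em, (const unsigned char *)"hello\n", 6);
    printf("rsautl-style block: kind %d\n", classify_em(em, sizeof em, &p, &n));
    make_em(em, sizeof em, di, sizeof di);
    printf("digest-style block: kind %d\n", classify_em(em, sizeof em, &p, &n));
    return 0;
}
```

A block classified as EM_RAW_DATA has to be checked by comparing the recovered payload with the original file directly, which is what `openssl rsautl -verify` lets you do from the command line.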