Please don't use md5.  Use sha128 or sha256 instead, if you can.

How signing works is this:

1) The signer creates the data he wishes to sign.  (In this case, a
certificate.)
2) The signer performs the specified hash function over the data he
wishes to sign.  (This is done via md5, sha1, sha2, sha256, sha128,
etc.)
3) The signer encrypts the output of the hash function with his private key.
4) The signer appends the encrypted blob of the hash to the data,
along with information as to what hash function he used.

To verify a signature, the verifier does this:

1) The verifier receives the data he wishes to verify the signature of.
2) The verifier removes the information appended in section 4 of the
signer's procedure.
3) The verifier performs the specified hash function over the data he
wishes to verify.  (This is specified by the signer, not the verifier,
since the signer only did a single hash.)  He saves the output in
variable A.
4) The verifier decrypts the encrypted blob of the hash, using the
signer's public key.  He saves this output in variable B.
5) The verifier verifies that A == B.  If it matches, the data is the
same that was signed.  If it does not match, the data is not the same
that was signed.

The reason you should not use MD5 is because recent attacks have been
demonstrated against it which would allow, in certain circumstances,
certificates to be forged (hash collisions can be generated, and are
only expected to become easier as time goes on).  SHA-1 has the same
types of attacks, though much less advanced, described against it.

Regardless, the "default_md" line stands for "default message digest"
-- i.e., default hash type.  MD5 works there, but as I said you should
try not to use it.

-Kyle H
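
The signing and verification steps listed above, as an added example that is not part of the original message or of OpenSSL. It assumes a constructed toy key (two Mersenne primes), textbook RSA with no padding, and a hypothetical verifier-side allowlist `ALLOWED_DIGESTS`; real certificate signatures use padded schemes through a vetted library.

```python
import hashlib

# Constructed toy RSA key for illustration only: two Mersenne primes and the
# usual public exponent. Textbook RSA, no padding; never use for real data.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

# Assumption of this example: because the signer names the hash function,
# the verifier keeps its own list of names it is willing to accept.
ALLOWED_DIGESTS = {"sha256", "sha384", "sha512"}


def digest_int(alg: str, data: bytes) -> int:
    """Hash the data with the named function and return it as an integer."""
    return int.from_bytes(hashlib.new(alg, data).digest(), "big")


def sign(data: bytes, alg: str = "sha256") -> dict:
    """Signer steps 2-4: hash, private-key operation, append blob and name."""
    blob = pow(digest_int(alg, data), D, N)
    return {"data": data, "alg": alg, "sig": blob}


def verify(signed: dict) -> bool:
    """Verifier steps 2-5, with the allowlist checked before any hashing."""
    alg = signed["alg"]
    if alg not in ALLOWED_DIGESTS:
        return False  # md5, sha1 or unknown names are refused outright
    a = digest_int(alg, signed["data"])  # variable A
    b = pow(signed["sig"], E, N)         # variable B
    return a == b


def demo() -> dict:
    cert = sign(b"CN = ARAN CA")                 # constructed sample data
    tampered = dict(cert, data=b"CN = Other CA")  # data changed after signing
    relabelled = dict(cert, alg="md5")            # digest name changed
    return {
        "genuine": verify(cert),
        "tampered": verify(tampered),
        "md5_label": verify(relabelled),
    }


if __name__ == "__main__":
    print(demo())
```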

On Tue, Feb 24, 2009 at 12:13 AM, sarym binome <binome_...@hotmail.com> wrote:
> Hello,
> Thank you very much, sir.
> I have another question: where do I put the name of the signature algorithm
> which I use to sign a certificate? In my config file I put only the MD5
> function (but it is a hash function and I can't use it to sign, am I
> wrong?)
> In my sslcreat.pl:
> # create request config file (please look at the bold underlined line)
> sub create_ca_config_file {
>
>     my ($file) = @_;
>
>     open TMP, ">$file" or die "cannot open $file: $!";
>     print TMP "[ ca ]\n";
>     print TMP "default_ca = CA_default\n";
>     print TMP "[ CA_default ]\n";
>     print TMP "dir = $ARAN_CA_DIR\n";
>     print TMP "database = \$dir/index.txt\n";
>     print TMP "new_certs_dir = \$dir/newcerts\n";
>     print TMP "certificate = \$dir/cacert.pem\n";
>     print TMP "serial = \$dir/serial\n";
>     print TMP "private_key = \$dir/private/cakey.pem\n";
>     print TMP "RANDFILE = \$dir/private/.rand\n";
>     print TMP "\n";
>     print TMP "default_days = $ARAN_CA_DAYS\n";
>     print TMP "default_crl_days = 30\n";
>     print TMP "default_md = md5\n";
>     print TMP "\n";
>     print TMP "policy = policy_any\n";
>     print TMP "\n";
>     print TMP "[ policy_any ]\n";
>     print TMP "countryName = optional\n";
>     print TMP "stateOrProvinceName = optional\n";
>     print TMP "organizationName = optional\n";
>     print TMP "organizationalUnitName = optional\n";
>     print TMP "commonName = supplied\n";
>     print TMP "emailAddress = optional\n";
>     print TMP "\n";
>     print TMP "[ req ]\n";
>     print TMP "default_bits = 1024\n";
>     print TMP "distinguished_name = req_distinguished_name\n";
>     print TMP "prompt = no\n";
>     print TMP "\n";
>     print TMP "[ req_distinguished_name ]\n";
>     print TMP "CN = ARAN CA\n";
>     print TMP "\n";
>     close TMP;
>
> }
>
> best regards
>
>
>
>> Date: Tue, 24 Feb 2009 08:34:54 +0100
>> Subject: Re: what it is X509_STORE ?
>> From: toondel...@gmail.com
>> To: openssl-users@openssl.org
>>
>> It is a certificate memory store where you should put the
>> certificates (CA, root etc.) of your trusted path that are needed by
>> your application for signature verification. This is also the place
>> where you will put your CRL.
>>
>> Have a look at the X509_STORE_xxx and X509_load_xxx functions. You
>> might also consider using the PEM_read_xxx functions for your signing
>> certificate.
>>
>> regards
>>
>> Emmanuel
>>
>> 2009/2/24 sarym binome <binome_...@hotmail.com>:
>> > Hello,
>> > I am trying to create an X509 certificate for a CA and certificates
>> > signed by the CA, and I want to check (verify) them. Can somebody tell
>> > me what X509_STORE is?
>> > Thanks.
>> >
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager majord...@openssl.org