hi Kiran, I am not sure if I need to separate the signature from the certificate.
What I want to do is: 1. decrypt the signature to get decrypted message digest (sha1) 2. compute the sha1 from the certificate on my own and compare these two digests I want to use this mechanism for whole communication between my server and multiple clients, to ensure each message my server gets is from expected uniqe client. I.e. get next message from the client signed by sha1 digest decrypted with client private key, then decrypt this signature, compare to signature that my server computes from this message. If there is a method to decrypt the signature of the certificate with openssl cmd, without separating the signature first, then it would even be better, unfortunatelly I have not found it yet... Also if I can force openssl to get as an input the certificate with encrypted digest (sha1WithRsaEncryption) and recalculate the digest ignoring the previously included one (to get sha1 without encryption) this also would be better than I initially planned. But to be honest I do not believe these are possible with openssl cmd without splitting the certificate first. please correct me if I am wrong, or something I described here sounds not to make sense regards, Mike sandeep kiran p wrote: > > It is not clear why you want to separate the signature from the > certificate > and validate it independently. Moreover, you can validate the signature on > the certificate data by using the public key of the CA that signed the > certificate. If you want to make sure that the complete certificate you > received is valid, try using "openssl verify" command. It does the > signature > validation as well a bunch of other checks as documented in the man pages. > > -Sandeep > > On Mon, Jul 4, 2011 at 12:56 PM, DarkMike <m_strasbur...@poczta.fm> wrote: > >> >> The result of my weekend reading, is the following command, >> which could pretty nicely do the thing for me: >> >> 'openssl sha1 -verify rsa_public_key.pem -signature rsa_signature.bin >> data_for_digest_computation.txt` >> >> the questions would be: >> >> - how to split x509 pem certificate with embedded encrypted digest >> (Signature Alg: sha1RsaEncrypted) >> into: >> - rsa_signature.bin >> - data_for_digest_computation.txt >> as expected by the above command written in bold >> >> in other words >> >> - how to convert hex dump of the signature, which is embedded in the pem >> ceritficate >> (I hope it is this part of the pem certificate): >> >> Signature Algorithm: sha1WithRSAEncryption >> 88:a9:c6:1f:a3:3e:6a:72:19:54:ee:f4:a6:d5:be:26:da:08: >> 6b:34:99:b5:67:4b:1e:86:64:3f:4f:c8:0d:e7:f2:83:88:c7: >> a5:7e:07:b0:16:bf:69:55:c9:28:55:b0:6e:f5:aa:76:1e:f5: >> d8:67:02:fa:0d:ac:92:2b:62:fc:45:04:eb:f5:5f:94:d4:d1: >> b3:fa:de:21:5f:88:4b:69:6b:a3:df:6b:50:8e:27:c6:18:19: >> ec:12:98:6a:c2:d1:66:4e:cc:b8:33:5d:cf:48:7d:06:7d:7f: >> 10:6a:c8:9a:fe:e2:65:35:aa:88:59:89:09:6b:49:b9:33:29: >> e2:67 >> >> into the form expected by command written in bold (rsa_signature.bin) >> >> - how to separate from pem certificate the data on which the signature >> was >> computed >> into the form expected by command written in bold >> (data_for_digest_computation.txt) >> >> If anyone knows any better way to do the above with openssl command line >> tool, please let me know, >> >> regards, >> Mike >> >> >> DarkMike wrote: >> > >> > Hi all, >> > >> > I would like to do the following with openssl command line tool: >> > >> > 1. Create CA >> > 2. Create Client >> > 3. Verify Client in One Way Authentication (OWA) >> > >> > Now, I have successfully did first 2 steps using: >> > >> > ./CA.sh –newca >> > ./CA.sh –newreq >> > ./CA.sh –sign >> > >> > I have got private and public keys for both sides CA and Client, >> > as a part of OWA procedure the third side device called Server gets >> Client >> > certificate. >> > >> > Server needs to: >> > >> > - extract sha1 hash signed with Client private RSA key (Signature Alg: >> > sha1RsaEncrypted) from the certificate >> > - decrypt sha1 hash using Client public RSA key >> > - regenerate sha1 hash on the original message to check if it is >> correct >> > >> > Once I have got familiar with the OWA I thought the above are ones of >> most >> > common things >> > anyone will want to do with openssl, however google is unable to find >> any >> > examples for it so far. >> > >> > What openssl commands will do the above things for me? >> > >> > It would also help me a lot to know the routines I need to use to do >> the >> > same from within C program. >> > Any help would be much appreciated. >> > >> > regards, >> > Mike >> > >> >> -- >> View this message in context: >> http://old.nabble.com/Extracting-and-verifying-encrypted-certificate-digest-tp31987195p31987327.html >> Sent from the OpenSSL - User mailing list archive at Nabble.com. >> >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> User Support Mailing List openssl-users@openssl.org >> Automated List Manager majord...@openssl.org >> > > -- View this message in context: http://old.nabble.com/Extracting-and-verifying-encrypted-certificate-digest-tp31987195p31991105.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
