Bonjour, Hodie pr. Non. Aug. MMXI, Giordano Bruno scripsit: > Thank you for reply, > I didn't understand what you mean with this sequence (02, padding, DER > sequence with hash OID and value). Can you explain? > The hash of our der file (without the first header, the signature > header and the signature) should be the expected result of your > command (openssl rsautl -in example.der.sig -inkey example.key -pubin > -verify -hexdump -raw)?
The command I used displays the integer that has been signed in the RSA process. So yes, the hash of your data should have been embedded in this result, encapsulated in a structure. I made a mistake, it doesn't start with 02, but with 00 01. Here's an example of a valid "before signature block", signed by a 2048bits RSA key, with the sha1withRSA signature scheme (I got this with the same command, obviously on other data): 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 80 08 3f d2 05 06 6b e1 0a f3 75 39 70 d2 5b 57 01 37 2c df Everything is described by the PKCS#1 standard, and the text is freely available. You should be able to recognize the following structure: 30 21 SEQUENCE { 30 09 SEQUENCE { 06 05 2b 0e 03 01 1a OID (sha1) 05 00 NULL } 04 14 ... 2c df OCTET STRING (the hash value) } Download and read PKCS#1, and you'll have a better understanding. -- Erwann ABALEA <erwann.aba...@keynectis.com> Département R&D KEYNECTIS 11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France Tél.: +33 1 55 64 22 07 http://www.keynectis.com ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org