>From: owner-openssl-us...@openssl.org On Behalf Of Gayathri Manoj >Sent: Tuesday, 06 November, 2012 22:56
>I wanted to parse the x509 certificate using openssl-0.9.8l >which is signed by sha256WithRSAEncryption algorithm. >I am not explicitly calling EVP_DigestInit_ex() to initailse EVP_sha256(). >Is it possible to decrypt the certificate using TLS.10 This makes no sense. You don't decrypt a certificate; it isn't encrypted. If someone told you RSA sign and verify are the same as RSA encrypt and decrypt, that's wrong. The underlying number-theoretic primitives (which are the basis of security) are closely related, but the padding used in actual standard schemes is different and not interchangeable. If you want to parse a cert, use d2i_X509* or PEM_read*X509, and the X509_get* routines or just data in the X509 structure. If you want to verify the signature on such a cert, use X509_verify(); it determines the signature algorithm from the OID in the cert. Note except for root or otherwise selfsigned certs, you must locate the issuing key, normally in the "parent" cert; that's more complicated and substantially more difficult than the verify-cert-signature part. And to check if a cert is trustworthy you need to do a LOT more than just check the signature. What is your goal here? If you want to duplicate the code in X509_verify: - get the sigalg OID from the cert and map to an EVP_MD object (if you only support sha256-RSA you can just check the OID equals the correct value and use EVP_sha256()) - reconstruct (or have previously saved) the TBS part "CertInfo" - pass to EVP_Verify* which except for Final are really EVP_Digest* If by TLS.10 you mean TLS v1.0, that's completely irrelevant. X.509 certificates are the same for all versions of SSL and TLS, and for many other things that aren't either SSL or TLS. TLS *v1.2* does have an extension for parties to optionally tell each other what sigalgs they support, and thus guide selection of cert by the other party, but it has no effect on the processing of a cert once selected; that goes by the OID in the cert. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
