I have some data that was signed with RSA-SHA1
<https://www.w3.org/PICS/DSig/RSA-SHA1_1_0.html>.
What's the proper way of verifying that data with a signature?
The signature is base64 encoded, so first I do:

    openssl enc -d -A -base64 -in signature.txt -out signature.sha1

Then I do:

    openssl dgst -verify pubkey.pem -signature signature.sha1 datafile.txt

Or:

    openssl dgst -sha1 -verify pubkey.pem -signature signature.sha1 datafile.txt

Either of those fails with:

    Verification Failure

Whenever I try to verify data signed with my own key, everything works.
But for that data that I got from a third party nothing works. That
third party is adamant that the signature is correct and it's RSA_SHA1,
but they've been unwilling to explain the details on how they sign it
and what they use to verify.
So what is the proper way of dealing with this?
--
Best Regards,
Nikolay Kudryavtsev
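
Added example, not part of the original post: a way to see what an RSA signature actually contains by applying the public key and inspecting the recovered block. By default `openssl dgst -sha1 -verify` accepts only PKCS#1 v1.5 padding around a SHA-1 DigestInfo computed over the exact file bytes. The demo key, `sign`, `classify` and the sample data are constructed for illustration.

```python
import hashlib

# DER prefix of the SHA-1 DigestInfo structure (RFC 8017, section 9.2).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed demo key built from two Mersenne primes: insecure, only here so
# the example runs offline. With real data, take N and E from the public key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def sign(payload: bytes) -> bytes:
    """Demo signer: pad as 00 01 FF..FF 00 payload, then apply the private key."""
    em = b"\x00\x01" + b"\xff" * (K - 3 - len(payload)) + b"\x00" + payload
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def classify(sig: bytes, data: bytes) -> str:
    """Apply the public key to sig and report what the signer actually signed."""
    if len(sig) != K or int.from_bytes(sig, "big") >= N:
        return "signature does not fit this key"
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep].strip(b"\xff"):
        return "not PKCS#1 v1.5 padding"
    payload = em[sep + 1:]
    has_info = payload.startswith(SHA1_PREFIX)
    bare = payload[len(SHA1_PREFIX):] if has_info else payload
    kind = "DigestInfo" if has_info else "bare digest"
    # Byte-level variants of the file that often differ between signer and verifier.
    variants = {"as given": data, "no trailing newline": data.rstrip(b"\r\n"),
                "CRLF line endings": data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")}
    for name, candidate in variants.items():
        if hashlib.sha1(candidate).digest() == bare:
            return f"SHA-1 {kind}, data {name}"
    return f"{kind} of {len(bare)} bytes matches no SHA-1 variant"


if __name__ == "__main__":
    doc = b"constructed sample\n"
    print(classify(sign(SHA1_PREFIX + hashlib.sha1(doc).digest()), doc))
    print(classify(sign(hashlib.sha1(doc.rstrip()).digest()), doc))
```

With a real key, the same recovered block can be dumped with `openssl pkeyutl -verifyrecover -pubin -inkey pubkey.pem -in signature.sha1`.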