On Mon, Mar 17, 2003, Henrik Grindal Bakken wrote:

> "Dr. Stephen Henson" <[EMAIL PROTECTED]> writes:
> 
> > On Thu, Mar 13, 2003, Henrik Grindal Bakken wrote:
> >
> >> Firstly, I want to make a signature on a file using a DSA key-pair.
> >> I can do this for an RSA pair with 'openssl rsautl', but is there
> >> something similar for DSA, or do I have to write it myself?
> >
> > rsautl takes 'raw' signatures rather than signing digests.
> >
> > The dgst utility digests data and has options to sign the
> > digest. You can sign using DSA with the -dss1 digest
> > (SHA1+DSA). Check out the manual pages for more info.
> 
> Ah, thanks.  I looked at it, and tried, but couldn't verify the
> signature.  I discovered later that -binary might have been a good
> idea...  Is there much difference between using smime with detached
> signature and -outform pem and using dgst?
> 

Yes, dgst is just a raw DSA signature, and things like the public key to verify
the signature with have to be determined by other means.

The smime signature uses S/MIME format which encapsulates the signature and
associated certificate in PKCS#7 format.

> >> Second question: I want to issue a version 3 X.509 certificate from
> >> my own (testing purposes only) CA, with a custom extension.  The
> >> extension value should be a string (although that is not
> >> important).  Do I have to write my own code here, or can the
> >> current application do this?
> >
> > There are some string extensions already available, such as netscape
> > comment, which may suit.
> 
> I noticed that, and I could use it for testing purposes, but for a
> more final version, it doesn't really suffice.
> 
> > If you really want a custom extension, you can do this with 0.9.7,
> > but you have to work out the encoding yourself and place the hex
> > form in the DER option.
> 
> Hmm.  A bit awkward.  I did find the doc/openssl.txt (or whatever the
> name was) file, and I read it a little, but figured I didn't have time
> to do this properly at the moment.
> 
> > With 0.9.8-dev you can use a human readable syntax such as:
> >
> > myextension = ASN1:UTF8:My Extension string
> 
> Looks better, less messy.
> 
> Is there any estimate of when 0.9.8 will be ready?  Is it safe to use
> for a not-very-critical project now?
> 

No, there's no timetable for 0.9.8. All I can say is probably not soon. It's a
moving target, and while today's version may be pretty stable, tomorrow's
may not :-)

> > You can actually use the asn1parse utility in 0.9.8 to dump out the
> > DER version which you could then place in a 0.9.7 config file.
> 
> Hmm.  That sounds like an idea.  Thanks for the suggestions.
> 

You could do something like:

openssl asn1parse -genstr "UTF8:my string" -noout -out extension.der

then do a hex dump of extension.der, which you can include in 0.9.7.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
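The following script is an added worked example; it is not part of this thread or of the OpenSSL project. It puts the two things discussed above into a runnable form: the DER encoding that the 0.9.7 `DER:` extension syntax expects (the hex dump of `asn1parse -genstr` output), and the DSA sign/verify flow with `dgst`. The pure-shell encoder runs anywhere; the parts that call `openssl` run only when the binary is installed. The OID `1.2.3.4` is a placeholder taken from the x509v3_config manual page, not a registered extension, and `dsa_paramgen_bits:2048`, the file names and the subject string are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the hex that the 0.9.7 "DER:"
# extension syntax needs, then, if openssl is installed, checks it against
# `asn1parse -genstr`, signs and verifies a file with a DSA key via dgst,
# and issues a self-signed test certificate carrying the custom extension.
# OID 1.2.3.4 is a placeholder (as in the x509v3_config manual page).

# DER-encode a UTF8String (tag 0x0C) and print it as colon-separated hex,
# i.e. exactly what `openssl asn1parse -genstr "UTF8:<text>"` writes.
der_utf8_hex() {
    s=$1
    len=$(printf '%s' "$s" | wc -c | tr -d ' ')
    if [ "$len" -lt 128 ]; then            # short-form length
        lenhex=$(printf '%02x' "$len")
    elif [ "$len" -lt 256 ]; then          # long form, one length byte
        lenhex=$(printf '81%02x' "$len")
    else                                   # long form, two length bytes
        lenhex=$(printf '82%04x' "$len")
    fi
    body=$(printf '%s' "$s" | od -An -tx1 -v | tr -d ' \n')
    printf '0c%s%s' "$lenhex" "$body" | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Config lines for the two syntaxes named in the thread (placeholder OID).
config_line_097() { printf '1.2.3.4 = DER:%s\n' "$(der_utf8_hex "$1")"; }
config_line_098() { printf '1.2.3.4 = ASN1:UTF8:%s\n' "$1"; }

# Everything below needs an openssl binary; runs in a subshell in a temp dir.
openssl_demo() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    cd "$tmp" || exit 1

    # 1. Raw DSA signature with dgst. -dss1 was the 0.9.7 name for SHA1+DSA;
    #    later releases take the digest name directly (-sha256 here).
    openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 \
        -out dsaparam.pem 2>/dev/null || exit 1
    openssl genpkey -paramfile dsaparam.pem -out dsa.pem 2>/dev/null || exit 1
    openssl pkey -in dsa.pem -pubout -out dsa.pub || exit 1
    printf 'data to sign\n' > msg.txt
    # 0.9.7 wrote the signature as hex text unless -binary was given; later
    # releases default to binary when signing, so -binary is harmless there.
    openssl dgst -sha256 -binary -sign dsa.pem -out msg.sig msg.txt || exit 1
    # The verifier must be handed the public key separately: dgst gives no hint.
    openssl dgst -sha256 -verify dsa.pub -signature msg.sig msg.txt || exit 1

    # 2. Compare asn1parse -genstr output with the shell encoder.
    openssl asn1parse -genstr "UTF8:my string" -noout -out ext.der || exit 1
    from_openssl=$(od -An -tx1 -v ext.der | tr -d ' \n' | tr 'a-f' 'A-F' \
        | sed 's/../&:/g; s/:$//')
    [ "$from_openssl" = "$(der_utf8_hex 'my string')" ] || exit 1

    # 3. Issue a self-signed test cert using the 0.9.7-style DER: line.
    {
        printf '[req]\ndistinguished_name = dn\n[dn]\n[ext]\n'
        config_line_097 'my string'
    } > ext.cnf
    openssl req -x509 -new -key dsa.pem -subj /CN=custom-ext-test -days 1 \
        -config ext.cnf -extensions ext -out cert.pem || exit 1
    # The extension shows up under its OID in the text dump.
    openssl x509 -in cert.pem -noout -text | grep -q '1\.2\.3\.4' || exit 1
)

printf 'DER hex for "my string": %s\n' "$(der_utf8_hex 'my string')"
config_line_097 'my string'
config_line_098 'my string'
if command -v openssl >/dev/null 2>&1; then
    if openssl_demo; then echo "openssl demo: OK"; else echo "openssl demo: failed"; fi
fi
```

The encoder mirrors what `asn1parse -genstr` does for a single UTF8String, so the 0.9.7 config line and the 0.9.8 `ASN1:UTF8:` line describe the same DER bytes; the certificate step then shows the extension landing in an issued certificate, which is the end-to-end check the original question was after.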
