A private key has (to the best of our knowledge -- we don't know everything about mathematics) a precise 1-to-1 correspondence with a public key, and a 1-to-1 correspondence from a public key to a private key.

But I can't imagine why you'd want to present a different certificate to the client than the one you're proxying. (Note that this implies collusion between you and the owner of the site which you're proxying to, as you would have to be able to have privateKey1 to prove publicKey1 in the certificate, and private keys are typically kept private.)

-Kyle H

On Wed, Jul 21, 2010 at 12:08 PM, PS <mytechl...@gmail.com> wrote:

> Well, think of the device as a proxy which acts as the client to the server and server to the client. Hence, the proxy is configured with the same public key and private key as that of the server so that it can act as the server to the clients. But before it starts to do that, I want to make sure that the server is using the exact same pub/pvt key pair as the one configured on the proxy. Hence, the question.
>
> So, given your response, I take it that if I compare the pub-key in C2 (which came on the wire) with the pub-key in C1, then I can indirectly infer that the private key corresponding to C1 and C2 is the same. In other words, if the pub-keys for 2 certs match, then they must have the same private key.
>
> On Tue, Jul 20, 2010 at 10:41 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
>
> > Your question makes no sense. If you know PK1 (contained in C1), and you know K1, then if you receive C2 that contained PK1, you know that someone's trying to make you think you're talking to yourself. (Nobody else can, by the rules of PKI, have K1 but you -- which is why the challenge/response protocol exists, to prove that you are who you say you are. If the asserter of the identity contained in C2 can also prove that it knows the private key K1 -- which it would have to if that other certificate contained PK1 -- then you know you *are* talking to either yourself or someone who somehow got your private key, which should be disturbing if you aren't expecting it.)
> >
> > But, if you simply want to know if it's possible to prove that two public keys are identical by byte-comparison, you would either have to extract the public key from the subjectPublicKey portion of the certificate in the format that your own system would understand before you could do that kind of byte comparison, or byte-compare the DER-encoded keys from the certificates themselves.
> >
> > -Kyle H
> >
> > On Tue, Jul 20, 2010 at 11:40 AM, PS <mytechl...@gmail.com> wrote:
> >
> > > Let us say I have a certificate and a private key pair (C1, K1).
> > > Now, let's say I received a certificate, C2, on the wire. Now, I want to know whether the pvt-key K1 corresponds to the private key of C2. One method is to encrypt a known random number with the pub-key in C2 and decrypt with K1 and see if the number is the same. But this is expensive.
> > > I thought of another method and wanted to know if this is correct: Do a byte-for-byte compare of the pub-key in C1 with that of C2. If they are the same, then we can assume that K1 must be the private key of C2. Am I correct?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-us...@openssl.org
Automated List Manager                           majord...@openssl.org
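The byte comparison Kyle describes (extract the subjectPublicKeyInfo from each certificate and compare the DER bytes), plus PS's indirect inference (the proxy's private key carries the same public numbers as the certificate on the wire), as an added example that is not part of the thread. It is a small hand-rolled DER walker in Python rather than anything from OpenSSL; all certificates and the RSA private key are constructed toy data shaped like real DER (p = 61, q = 53), and every function name below is the example's own.

```python
# Added example (not from the thread): the byte-comparison Kyle describes,
# implemented as a small DER walk. All key material below is CONSTRUCTED
# toy data (p=61, q=53) shaped like real DER; it is not a usable RSA key.

OID_RSA_ENCRYPTION = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1
OID_SHA256_WITH_RSA = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11

# ---- minimal DER encoding (only what the demo needs) ----
def der_len(n):
    """Definite-form DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    """Minimal two's-complement INTEGER for non-negative values."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_spki(n, e):
    """SubjectPublicKeyInfo { rsaEncryption, BIT STRING { RSAPublicKey } }."""
    rsa_public_key = tlv(0x30, der_int(n) + der_int(e))
    algorithm = tlv(0x30, tlv(0x06, OID_RSA_ENCRYPTION) + tlv(0x05, b""))
    return tlv(0x30, algorithm + tlv(0x03, b"\x00" + rsa_public_key))

def build_cert(n, e, serial):
    """Certificate-shaped DER: empty names, fixed validity, dummy signature."""
    version = tlv(0xA0, der_int(2))                         # [0] EXPLICIT v3
    sig_alg = tlv(0x30, tlv(0x06, OID_SHA256_WITH_RSA) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"100720000000Z") + tlv(0x17, b"110720000000Z"))
    empty_name = tlv(0x30, b"")
    tbs = tlv(0x30, version + der_int(serial) + sig_alg + empty_name
              + validity + empty_name + build_spki(n, e))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00\x00\x00\x00\x00"))

def build_pkcs1_private_key(n, e, d, p, q):
    """PKCS#1 RSAPrivateKey; only n and e are read back below."""
    dp, dq, qinv = d % (p - 1), d % (q - 1), pow(q, -1, p)
    return tlv(0x30, b"".join(der_int(x) for x in (0, n, e, d, p, q, dp, dq, qinv)))

# ---- minimal DER decoding ----
def der_read(buf, pos=0):
    """Parse one TLV at pos; return (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        count = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a SEQUENCE body into its encoded child TLVs."""
    out, pos = [], 0
    while pos < len(content):
        _, _, nxt = der_read(content, pos)
        out.append(content[pos:nxt])
        pos = nxt
    return out

def certificate_spki(cert_der):
    """DER-encoded SubjectPublicKeyInfo of a certificate."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(der_children(cert_body)[0])
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:        # optional [0] version precedes serialNumber
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]

def rsa_numbers_from_spki(spki_der):
    """(n, e) from an rsaEncryption SubjectPublicKeyInfo."""
    _, body, _ = der_read(spki_der)
    _, bits, _ = der_read(der_children(body)[1])
    _, rsa_body, _ = der_read(bits[1:])     # bits[0] = unused-bit count
    n_tlv, e_tlv = der_children(rsa_body)
    return (int.from_bytes(der_read(n_tlv)[1], "big"),
            int.from_bytes(der_read(e_tlv)[1], "big"))

def rsa_numbers_from_private_key(pkcs1_der):
    """(n, e) from a PKCS#1 RSAPrivateKey."""
    _, body, _ = der_read(pkcs1_der)
    fields = der_children(body)             # version, n, e, d, p, q, dp, dq, qinv
    return (int.from_bytes(der_read(fields[1])[1], "big"),
            int.from_bytes(der_read(fields[2])[1], "big"))

# ---- the two checks discussed in the thread ----
def same_public_key(cert_a, cert_b):
    """Byte-compare the DER SubjectPublicKeyInfo of two certificates."""
    return certificate_spki(cert_a) == certificate_spki(cert_b)

def private_key_matches_cert(pkcs1_der, cert_der):
    """The proxy's private key carries the same (n, e) as the certificate."""
    return rsa_numbers_from_private_key(pkcs1_der) == rsa_numbers_from_spki(certificate_spki(cert_der))

# Constructed toy data, not real keys: n = 61*53 = 3233, e = 17, d = 2753.
K1 = build_pkcs1_private_key(3233, 17, 2753, 61, 53)
C1 = build_cert(3233, 17, serial=1)      # certificate configured on the proxy
C2 = build_cert(3233, 17, serial=2)      # certificate seen on the wire, same key
C_OTHER = build_cert(3127, 3, serial=3)  # certificate for a different key (n = 53*59)

if __name__ == "__main__":
    print("C1/C2 share a public key:", same_public_key(C1, C2))            # True
    print("C1/C_OTHER share a public key:", same_public_key(C1, C_OTHER))  # False
    print("K1 matches C2:", private_key_matches_cert(K1, C2))             # True
```

DER is a canonical encoding, so byte-equal subjectPublicKeyInfo values mean the same public key, and for RSA the private key with that modulus and exponent is mathematically unique; that is the inference PS draws. The comparison says nothing about who actually holds that private key, which is exactly the point of the handshake's proof of possession that Kyle describes. With real certificates the same checks are the familiar `openssl x509 -noout -pubkey` against `openssl rsa -pubout`, or comparing the output of `openssl x509 -noout -modulus` with `openssl rsa -noout -modulus`.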