> From: owner-openssl-us...@openssl.org On Behalf Of Wim Lewis
> Sent: Wednesday, 30 March, 2011 17:01

> On 30 Mar 2011, at 12:02 PM, luis hernandez wrote:
> > Thanks Wim,
> >
> > I know that cer pem files have the public key in it like:
> >
> > -----BEGIN PUBLIC KEY-----
> > MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD0ltQNthUNUfzq0t1GpIyapjz...
> > -----END PUBLIC KEY-----
> > -----BEGIN CERTIFICATE-----
> > MIIE/TCCA+WgAwIBAgIUMzAwMDEwMDAwMDAxMDAwMDA4MDAwDQYJKoZIhvcNAQEF...
> > -----END CERTIFICATE-----

Not necessarily and not usually. As noted below, this is redundant. Usually a cert file is just a cert, or multiple certs; sometimes it makes sense to put cert(s) and *private*key together in one file.

> > but what I receive is:
> >
> > signedstring:ki987jjhfw84hf7ewh9f497fe9hihfw87yr79g23hfd937f23
> 7fg327f2...
> >
> > certificate:MIIE/TCCA+WgAwIBAgIUMzAwMDEwMDAwMDAxMDAwMDA4MDAwDQ
> YJKoZIhvcNAQEF...
> > some other data...
> >
> > so from that can I verify the signed string?
>
> You should be able to either base64-decode the "certificate"
> text to get a certificate in DER format, or you could
> surround it by BEGIN/END CERTIFICATE lines to get a
> certificate in PEM format.

Yes. Actually BEGIN/END lines and internal newlines as needed so that data lines are mult of 4 <= about 72.

> Even though your .cer files have both a PUBLIC KEY blob and a
> CERTIFICATE blob, the certificate blob includes all the
> public-key information needed to verify a message. In effect,
> a certificate is a copy of your public key that's been signed
> by the certificate authority.

A copy of somebody's public key, here presumably the signer, plus some other related info, signed by the CA.

That's half the battle. Then to use this cert to verify a signature, you need the data and the signature. Something named "signedstring" sounds like it should be data plus signature in some format, but what? It isn't likely base64, and definitely isn't hex.

Plus, you probably need to validate the cert itself.
(Unless this data is arriving by a channel that already ensures integrity and authenticity -- and then you don't need the cert and signature at all!)
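
Added example (not part of the original message and not OpenSSL code): one way to carry out the step discussed above, turning a bare base64 `certificate:` value into DER and into PEM with 64-character data lines, with a framing check that catches a value truncated or altered by line wrapping. The function names are assumptions, the sample input is constructed, and the check covers only the outer DER length, not the certificate's validity or any signature.

```python
import base64
import binascii

PEM_HEAD = "-----BEGIN CERTIFICATE-----"
PEM_TAIL = "-----END CERTIFICATE-----"


def check_outer_sequence(der: bytes) -> None:
    """Confirm the blob is exactly one complete DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE tag (0x30)")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        header, body = 2, first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:     # 0x80 (indefinite) is not DER
            raise ValueError("bad or truncated DER length field")
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + body != len(der):
        raise ValueError(f"DER header says {header + body} bytes, got {len(der)}")


def der_from_field(field: str) -> bytes:
    """Decode a bare base64 field value, ignoring whitespace from line wrapping."""
    compact = "".join(field.split())
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    check_outer_sequence(der)
    return der


def pem_from_der(der: bytes, width: int = 64) -> str:
    """Emit PEM: BEGIN/END lines around base64 lines of `width` chars (multiple of 4)."""
    if width % 4 or width > 72:
        raise ValueError("line width must be a multiple of 4 and at most 72")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([PEM_HEAD, *lines, PEM_TAIL]) + "\n"


if __name__ == "__main__":
    # Constructed sample: a 260-byte DER SEQUENCE of zeros, NOT a real certificate.
    sample = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
    print(pem_from_der(der_from_field(sample[:70] + "\n " + sample[70:])))
```

The PEM text this produces is the form OpenSSL's certificate tools read; validating the certificate and verifying the signature remain separate steps.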