It is not clear why you want to separate the signature from the certificate and validate it independently. Moreover, you can validate the signature on the certificate data by using the public key of the CA that signed the certificate. If you want to make sure that the complete certificate you received is valid, try using "openssl verify" command. It does the signature validation as well a bunch of other checks as documented in the man pages.
-Sandeep On Mon, Jul 4, 2011 at 12:56 PM, DarkMike <m_strasbur...@poczta.fm> wrote: > > The result of my weekend reading, is the following command, > which could pretty nicely do the thing for me: > > 'openssl sha1 -verify rsa_public_key.pem -signature rsa_signature.bin > data_for_digest_computation.txt` > > the questions would be: > > - how to split x509 pem certificate with embedded encrypted digest > (Signature Alg: sha1RsaEncrypted) > into: > - rsa_signature.bin > - data_for_digest_computation.txt > as expected by the above command written in bold > > in other words > > - how to convert hex dump of the signature, which is embedded in the pem > ceritficate > (I hope it is this part of the pem certificate): > > Signature Algorithm: sha1WithRSAEncryption > 88:a9:c6:1f:a3:3e:6a:72:19:54:ee:f4:a6:d5:be:26:da:08: > 6b:34:99:b5:67:4b:1e:86:64:3f:4f:c8:0d:e7:f2:83:88:c7: > a5:7e:07:b0:16:bf:69:55:c9:28:55:b0:6e:f5:aa:76:1e:f5: > d8:67:02:fa:0d:ac:92:2b:62:fc:45:04:eb:f5:5f:94:d4:d1: > b3:fa:de:21:5f:88:4b:69:6b:a3:df:6b:50:8e:27:c6:18:19: > ec:12:98:6a:c2:d1:66:4e:cc:b8:33:5d:cf:48:7d:06:7d:7f: > 10:6a:c8:9a:fe:e2:65:35:aa:88:59:89:09:6b:49:b9:33:29: > e2:67 > > into the form expected by command written in bold (rsa_signature.bin) > > - how to separate from pem certificate the data on which the signature was > computed > into the form expected by command written in bold > (data_for_digest_computation.txt) > > If anyone knows any better way to do the above with openssl command line > tool, please let me know, > > regards, > Mike > > > DarkMike wrote: > > > > Hi all, > > > > I would like to do the following with openssl command line tool: > > > > 1. Create CA > > 2. Create Client > > 3. Verify Client in One Way Authentication (OWA) > > > > Now, I have successfully did first 2 steps using: > > > > ./CA.sh –newca > > ./CA.sh –newreq > > ./CA.sh –sign > > > > I have got private and public keys for both sides CA and Client, > > as a part of OWA procedure the third side device called Server gets > Client > > certificate. > > > > Server needs to: > > > > - extract sha1 hash signed with Client private RSA key (Signature Alg: > > sha1RsaEncrypted) from the certificate > > - decrypt sha1 hash using Client public RSA key > > - regenerate sha1 hash on the original message to check if it is correct > > > > Once I have got familiar with the OWA I thought the above are ones of > most > > common things > > anyone will want to do with openssl, however google is unable to find any > > examples for it so far. > > > > What openssl commands will do the above things for me? > > > > It would also help me a lot to know the routines I need to use to do the > > same from within C program. > > Any help would be much appreciated. > > > > regards, > > Mike > > > > -- > View this message in context: > http://old.nabble.com/Extracting-and-verifying-encrypted-certificate-digest-tp31987195p31987327.html > Sent from the OpenSSL - User mailing list archive at Nabble.com. > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
