> From: [email protected] On Behalf Of redpath
> Sent: Saturday, 06 October, 2012 18:59
>
> I have created EC Digital Signature and saved it in a file.
<snip>
> And I use this signature file to verify a message digest later using a
> public key.
<snip>

You don't say, but I assume this signature is on the hash of some data of yours (presumably SHA1 or RIPEMD since it's 20 bytes).

> Everything works great. I want this signature to be in an X509 and open the
> X509 and extract it to use to verify things.

That makes no sense. An X.509 certificate contains, and "binds", some identity (typically the name of a person, organization, or system) to a public key, for a specified time period, optionally (but usually) with related attributes such as allowed usage and revocation checking information, "guaranteed" by a CA. It doesn't contain any signature on user data.

What can make sense is to use a cert to contain, and convey, your public key. You -- or more usefully someone else, generically called a relier -- can then use the key from the cert to verify a given signature matches given data, and also use the other data in the certificate to decide if the verified data comes from someone the relier wants to trust, and thus to trust that data.

> How do you place a signature in an X509 format and use code
> to extract them?
>
> In the past I have created an X509 for public keys before and extract the
> key to use it; and that works great to extract them and use them.

Exactly. That's what an X.509 cert is for.

If you want a standard message format to convey data with a signature, or a signature "detached" from data, try CMS (Cryptographic Message Syntax), formerly known as PKCS#7.

> So if anyone has a procedure for using the API to do this
> let me know.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
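The arrangement the reply recommends, worked through with the OpenSSL command line as an added example (this script is not from the thread or from the OpenSSL project): the EC public key travels inside a self-signed X.509 certificate, while the signature over the user's data is carried as a detached CMS (PKCS#7) SignedData blob. The relier verifies the blob against the content while trusting only that certificate, and a tampered copy of the content is rejected. The subject name, file names and sample message are invented for the example.

```shell
#!/bin/sh
# Added example (not from the thread): detached ECDSA signature in CMS/PKCS#7,
# with the public key conveyed by a self-signed X.509 cert. All names are assumed.
WORK="${WORK:-$(mktemp -d)}"

# Generate an EC key and a self-signed cert that binds an identity (the assumed
# name "example-signer") to its public key. The cert carries no signature on data.
make_signer() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ec.key" 2>/dev/null &&
    openssl req -new -x509 -key "$WORK/ec.key" -subj "/CN=example-signer" \
        -days 1 -out "$WORK/ec.crt" 2>/dev/null
}

# Signer side: DER-encoded CMS SignedData whose signature is detached from $1.
# (-binary on both sides keeps the content from being CRLF-canonicalised.)
sign_detached() { # $1 = data file, $2 = output .p7s
    openssl cms -sign -binary -md sha256 -in "$1" \
        -signer "$WORK/ec.crt" -inkey "$WORK/ec.key" \
        -outform DER -out "$2" 2>/dev/null
}

# Relier side: verify the detached signature against the content, trusting
# only ec.crt as the anchor. Exit status 0 iff the signature verifies.
verify_detached() { # $1 = data file, $2 = .p7s
    openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile "$WORK/ec.crt" -out /dev/null 2>/dev/null
}

# What the original poster already does: pull the public key back out of the cert.
extract_pubkey() { openssl x509 -in "$WORK/ec.crt" -pubkey -noout; }

demo() {
    make_signer || return 1
    printf 'hello relier\n' > "$WORK/msg.txt"            # constructed sample data
    sign_detached "$WORK/msg.txt" "$WORK/msg.p7s" || return 1
    verify_detached "$WORK/msg.txt" "$WORK/msg.p7s" || return 1
    extract_pubkey > "$WORK/ec.pub" || return 1
    printf 'hello relier!\n' > "$WORK/tampered.txt"      # one byte changed
    if verify_detached "$WORK/tampered.txt" "$WORK/msg.p7s"; then
        return 1                                          # must NOT verify
    fi
    echo "detached CMS signature verified; tampered copy rejected"
}

demo
```

Inspect the blob with `openssl cms -cmsout -print -inform DER -in "$WORK/msg.p7s"`: the SignerInfo names the certificate by issuer and serial, so a relier who holds `ec.crt` can both check the signature and apply whatever trust decision the certificate's other fields support.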
