On Fri, Oct 12, 2012, redpath wrote:

> 
> Tried to find documentation and examples (which includes searching the
> forum) for using a PKCS7 standard in context to what I am trying to do
> for best practices when using a signature to verify a document received.
> 
> Basically I have a document file (100k) called 
>    BackgroundCheck.doc (document_bytes  document_length)
> 
> and an ECDSA signature from this file (used SHA1 from the document using
> an ECDSA private key) called
>    BackgroundCheck.ecdsa (signature_bytes signature_length)
> 
> The document and signature are sent to a recipient who has a
> file called ecdsapublic.x509 to verify the signature from the document
> using the ECDSA public key.
> 
> Basically the Message Digest is computed from the document received
> by the recipient to verify the document.
> 
>   unsigned char md[20];
>   // compute the message digest from the document
>   result= SHA1(document_bytes, document_length, md);
> 
> Then use the X509 file with public key to verify the signature.
> 
>  // read the ecdsapublic.x509 certificate
>  X509     *x509   = PEM_read_bio_X509(bio, NULL, 0, NULL);
>  // get the public key
>  EVP_PKEY *evpkey = X509_get_pubkey(x509);
>  EC_KEY *pubeckey = EVP_PKEY_get1_EC_KEY(evpkey);
> 
>  // set the curve type which recipient knows.
>  ret= EC_KEY_set_group(pubeckey, EC_GROUP_new_by_curve_name(curvetype));
> 
>  // now verify the document using the signature file
>  rc = ECDSA_verify(0, md, 20, signature_bytes, signature_length, pubeckey);
> 
> 
> And that works great sending many documents with signatures and the
> recipient can verify that they are authentic. The issue is the raw
> signature is simply not best practice (I assume); it could use a PKCS7
> but I have no idea how this would apply. Basically a programmatic API
> could be used
> 
>   p7= PKCS7_new();
>   int rc= PKCS7_set_type(p7, NID_pkcs7_enveloped); 
> 
> to make a PKCS7 for the signature that could be sent with the document
> instead of the raw signature.
> So where are there examples? I have read the O'Reilly OpenSSL book but
> their context is not mine for the PKCS7 usage and it's a thin chapter
> (well, if you want to call it a chapter).
> 
> Maybe an example can be posted here using the functions.
> 

Check the manual pages for PKCS7_sign, PKCS7_verify and the demos in
demos/pkcs7 and the CMS version CMS_sign, CMS_verify and demos/cms.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
