I am signing packets in some Java code and I want to verify the signatures on a C server. I want to fork openssl for this purpose (can always use library functions later... when I know openssl can verify the signatures); however, it's failing to do so:
openssl dgst -verify cert.pem -signature file.sha1 file.data
The certificate says:
openssl verify cert.pem
cert.pem: /C=....
error 20 at 0 depth lookup:unable to get local issuer certificate
However, I specifically don't care about verifying the certificate, I want only to verify the signature for a given file!
The output of openssl x509 -in cert.pem -noout -text is:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: ...
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=...
        Validity
            Not Before: Feb 1 15:22:44 2010 GMT
            Not After : Jun 19 15:22:44 2037 GMT
        Subject: C=...
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cc:cc:f9:c7:3a:00:0f:07:90:55:d9:fb:a9:fe:
                    ...
                    32:cc:ee:7f:f2:01:c7:35:d2:b5:9b:35:dd:69:76:
                    00:a9
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        39:d6:2c:6b:6a:00:74:b5:81:c2:b8:60:d6:6b:54:11:41:8d:
        ...
        8f:3e:3f:5d:b3:f8:dd:5e
Check the signature on an EXE or MSI file
Right-click the EXE or MSI file and select Properties. Click the Digital Signatures tab to check the signature.
Right click the .exe of the program in question and select Properties. Select Digital Signatures. Under Signature List, select the Signature, and click Details. You will see information regarding the Code Signing certificate that was used to sign the executable.
DESCRIPTION. The digest functions output the message digest of a supplied file or files in hexadecimal. The digest functions also generate and verify digital signatures using message digests. The generic name, dgst, may be used with an option specifying the algorithm to be used.
Open the file that contains the certificate you want to view. Click File > Info > View Signatures. In the list, on a signature name, click the down-arrow, and then click Signature Details.
openssl dgst -verify foo.pem expects that foo.pem contains the "raw" public key in PEM format. The raw format is an encoding of a SubjectPublicKeyInfo structure, which can be found within a certificate; but openssl dgst cannot process a complete certificate in one go.
You must first extract the public key from the certificate:
openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
then use the key to verify the signature:
openssl dgst -verify pubkey.pem -signature sigfile datafile
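The two steps above as one script, added here as an example (not code from the original answer): it builds a constructed throwaway key, self-signed certificate and data file, then verifies the signature with the public key extracted from the certificate. The function names, the file names in the temp directory and the use of -sha256 are assumptions of this example; the digest option given to -verify has to match the one the signer used (for a Java SHA1withRSA signature that is -sha1).

```shell
#!/bin/sh
# Constructed demo material: throwaway RSA key, self-signed cert, sample data, signature.
make_demo() {  # $1 = work directory
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=constructed-demo" \
        -days 1 -out "$1/cert.pem" 2>/dev/null &&
    printf 'constructed packet payload\n' > "$1/file.data" &&
    openssl dgst -sha256 -sign "$1/key.pem" -out "$1/file.sig" "$1/file.data"
}

# Pull the SubjectPublicKeyInfo out of the certificate.
# No chain validation happens here, so an untrusted issuer does not matter.
extract_pubkey() {  # $1 = certificate, $2 = output public key file
    openssl x509 -pubkey -noout -in "$1" > "$2"
}

# Exit status 0 only if the signature matches the data under the given key.
verify_sig() {  # $1 = key file, $2 = signature file, $3 = data file
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

report() {  # $1 = label, remaining args = verify_sig arguments
    label=$1; shift
    if verify_sig "$@"; then echo "$label: verified"; else echo "$label: NOT verified"; fi
}

run_demo() {
    d=$(mktemp -d) || return 1
    if make_demo "$d" && extract_pubkey "$d/cert.pem" "$d/pubkey.pem"; then
        # The answer above says dgst wants a bare public key, not a certificate.
        report "whole certificate as key" "$d/cert.pem" "$d/file.sig" "$d/file.data"
        report "extracted public key" "$d/pubkey.pem" "$d/file.sig" "$d/file.data"
        # Any change to the signed bytes must make verification fail.
        printf 'x' >> "$d/file.data"
        report "extracted key, tampered data" "$d/pubkey.pem" "$d/file.sig" "$d/file.data"
    fi
    rm -rf "$d"
}

run_demo
```

On the C server the exit status of openssl dgst -verify is the value to check, as verify_sig does, rather than the text it prints.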