
sign.txt 5.7 KB

  1. From ssl-lists-owner@mincom.com Mon Sep 30 22:43:15 1996
  2. Received: from cygnus.mincom.oz.au by orb.mincom.oz.au with SMTP id AA12802
  3. (5.65c/IDA-1.4.4 for eay); Mon, 30 Sep 1996 12:45:43 +1000
  4. Received: (from daemon@localhost) by cygnus.mincom.oz.au (8.7.5/8.7.3) id MAA25922 for ssl-users-outgoing; Mon, 30 Sep 1996 12:43:43 +1000 (EST)
  5. Received: from orb.mincom.oz.au (eay@orb.mincom.oz.au [192.55.197.1]) by cygnus.mincom.oz.au (8.7.5/8.7.3) with SMTP id MAA25900 for <ssl-users@listserv.mincom.oz.au>; Mon, 30 Sep 1996 12:43:39 +1000 (EST)
  6. Received: by orb.mincom.oz.au id AA12688
  7. (5.65c/IDA-1.4.4 for ssl-users@listserv.mincom.oz.au); Mon, 30 Sep 1996 12:43:16 +1000
  8. Date: Mon, 30 Sep 1996 12:43:15 +1000 (EST)
  9. From: Eric Young <eay@mincom.com>
  10. X-Sender: eay@orb
  11. To: Sampo Kellomaki <sampo@neuronio.pt>
  12. Cc: ssl-users@mincom.com, sampo@brutus.neuronio.pt
  13. Subject: Re: Signing with envelope routines
  14. In-Reply-To: <199609300037.BAA08729@brutus.neuronio.pt>
  15. Message-Id: <Pine.SOL.3.91.960930121504.11800Y-100000@orb>
  16. Mime-Version: 1.0
  17. Content-Type: TEXT/PLAIN; charset=US-ASCII
  18. Sender: ssl-lists-owner@mincom.com
  19. Precedence: bulk
  20. Status: O
  21. X-Status:
  22. On Mon, 30 Sep 1996, Sampo Kellomaki wrote:
  23. > I have been trying to figure out how to produce signatures with EVP_
  24. > routines. I seem to be able to read in private key and sign some
  25. > data ok, but I can't figure out how I am supposed to read in
  26. > public key so that I could verify my signature. I use self signed
  27. > certificate.
  28. hmm... a rather poorly documented area of the library at this point in time.
  29. > I figured I should use
  30. > EVP_PKEY* pkey = PEM_ASN1_read(d2i_PrivateKey, PEM_STRING_EVP_PKEY,
  31. > fp, NULL, NULL);
  32. > to read in private key and this seems to work Ok.
  33. >
  34. > However when I try analogous
  35. > EVP_PKEY* pkey = PEM_ASN1_read(d2i_PublicKey, PEM_STRING_X509,
  36. > fp, NULL, NULL);
  37. What you should do is
  38. X509 *x509=PEM_read_X509(fp,NULL,NULL);
  39. /* which is the same as PEM_ASN1_read(d2i_X509,PEM_STRING_X509,fp,
  40. * NULL,NULL); */
  41. Then
  42. EVP_PKEY *pkey=X509_extract_key(x509);
  43. There is also a X509_REQ_extract_key(req);
  44. which gets the public key from a certificate request.
  45. I re-worked quite a bit of this when I cleaned up the dependency on
  46. RSA as the private key.
  47. > I figured that the second argument to PEM_ASN1_read should match the
  48. > name in my PEM encoded object, hence PEM_STRING_X509.
  49. > PEM_STRING_EVP_PKEY seems to be somehow magical
  50. > because it matches whatever private key there happens to be. I could
  51. > not find a similar constant to use with getting the certificate, however.
  52. :-), PEM_STRING_EVP_PKEY is 'magical' :-). In theory I should be using a
  53. standard such as PKCS#8 to store the private key so that the type is
  54. encoded in the asn.1 encoding of the object.
  55. > Is my approach of using PEM_ASN1_read correct? What should I pass in
  56. > as name? Can I use normal (or even self signed) X509 certificate for
  57. > verifying the signature?
  58. The actual public key is kept in the certificate, so basically you have
  59. to load the certificate and then 'unpack' the public key from the
  60. certificate.
  61. > When will SSLeay documentation be written ;-)? If I would contribute
  62. > comments to the code, would Eric take time to review them and include
  63. > them in distribution?
  64. :-) After SSLv3 and PKCS#7 :-). I actually started doing a function list
  65. but what I really need to do is do quite a few 'this is how you do xyz'
  66. type documents. I suppose the current method is to post to ssl-users and
  67. I'll respond :-).
  68. I'll add a 'demo' directory for the next release, I've appended a
  69. modified version of your program that works, you were very close :-).
  70. eric
  71. /* sign-it.cpp - Simple test app using SSLeay envelopes to sign data
  72. 29.9.1996, Sampo Kellomaki <sampo@iki.fi> */
  73. /* converted to C - eay :-) */
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include "rsa.h"
  #include "evp.h"
  #include "objects.h"
  #include "x509.h"
  #include "err.h"
  #include "pem.h"
  #include "ssl.h"
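  /*
   * Sign a fixed message with the private key in plain-key.pem, then verify
   * the signature with the public key taken from plain-cert.pem.
   *
   * Returns 0 when the signature verifies, 1 on any failure (file open,
   * PEM decode, signing, key extraction or verification).
   *
   * Security notes for anyone adapting this demo:
   *  - The digest is MD5, as in the original posting. MD5 is no longer
   *    collision resistant; new code should sign with a SHA-2 digest such
   *    as EVP_sha256() where the library provides it.
   *  - Verification here only shows that the signature matches the key
   *    inside the certificate file. It says nothing about who owns that
   *    key: the certificate is loaded without any chain or trust check,
   *    and a self-signed certificate vouches only for itself.
   *  - NOTE(review): the key is read with no passphrase callback and the
   *    file name suggests it is stored unencrypted; confirm, and restrict
   *    file permissions accordingly.
   */
  int main(void)
  {
      static char certfile[] = "plain-cert.pem";
      static char keyfile[]  = "plain-key.pem";
      static char data[]     = "I owe you...";

      unsigned char sig_buf[4096];
      int sig_len;
      int err;
      EVP_MD_CTX md_ctx;
      EVP_PKEY *pkey;
      X509 *x509;
      FILE *fp;

      /* Just load the crypto library error strings,
       * SSL_load_error_strings() loads the crypto AND the SSL ones */
      /* SSL_load_error_strings(); */
      ERR_load_crypto_strings();

      /* Read private key */
      fp = fopen(keyfile, "r");
      if (fp == NULL) {
          perror(keyfile);    /* say which file failed instead of exiting silently */
          return 1;
      }
      pkey = (EVP_PKEY *)PEM_ASN1_read((char *(*)())d2i_PrivateKey,
                                       PEM_STRING_EVP_PKEY,
                                       fp,
                                       NULL, NULL);
      fclose(fp);             /* close before the error check so no path leaks it */
      if (pkey == NULL) {
          ERR_print_errors_fp(stderr);
          return 1;
      }

      /* Do the signature */
      EVP_SignInit(&md_ctx, EVP_md5());
      EVP_SignUpdate(&md_ctx, data, strlen(data));
      sig_len = sizeof(sig_buf);
      err = EVP_SignFinal(&md_ctx, sig_buf, &sig_len, pkey);
      EVP_PKEY_free(pkey);    /* private key is not needed past this point */
      if (err != 1) {
          ERR_print_errors_fp(stderr);
          return 1;
      }

      /* Read the certificate that carries the public key */
      fp = fopen(certfile, "r");
      if (fp == NULL) {
          perror(certfile);
          return 1;
      }
      x509 = (X509 *)PEM_ASN1_read((char *(*)())d2i_X509,
                                   PEM_STRING_X509,
                                   fp, NULL, NULL);
      fclose(fp);
      if (x509 == NULL) {
          ERR_print_errors_fp(stderr);
          return 1;
      }

      /* Get public key - eay */
      pkey = X509_extract_key(x509);
      /* The original never released the certificate.
       * NOTE(review): assumes the extracted key stays valid after the
       * certificate is freed (the original frees pkey separately) - confirm
       * for the library version in use. */
      X509_free(x509);
      if (pkey == NULL) {
          ERR_print_errors_fp(stderr);
          return 1;
      }

      /* Verify the signature */
      EVP_VerifyInit(&md_ctx, EVP_md5());
      EVP_VerifyUpdate(&md_ctx, data, strlen((char *)data));
      err = EVP_VerifyFinal(&md_ctx, sig_buf, sig_len, pkey);
      EVP_PKEY_free(pkey);
      /* Only 1 means "verified"; any other value must be treated as failure,
       * so compare against 1 rather than testing for non-zero. */
      if (err != 1) {
          ERR_print_errors_fp(stderr);
          return 1;
      }

      printf("Signature Verified Ok.\n");
      return 0;
  }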