Hi Matt, Thanks very much! I'm glad I'm on the right track in regards to EVP vs EC.
The signature is generated by a client program (also a 'c' program). What is the format of a signature? How do I find out? Just to confirm - whether it's ECDSA or RSA, for verification, we just get the EVP_PKEY data structure filled with the public key correctly and call in a sequence ending up with a call to EVP_VerifyFinal. Is that correct? Thanks again! Anant On Tue, Jun 10, 2014 at 3:51 PM, Matt Caswell <m...@openssl.org> wrote: > On 10 June 2014 15:24, Anant Rao <a...@noknok.com> wrote: > > Hi, > > > > Objective in one-line: > > ================= > > Verify a signature, given an ECDSA public key in X509 format. > > > > > > Details: > > ====== > > I read an X509 cert stored on disk. The following are some of its > contents: > > > > Public Key Algorithm: id-ecPublicKey > > Public-Key: (256 bit) > > > > ... > > ASN1 OID: prime256v1 > > Signature Algorithm: ecdsa-with-SHA1 > > ... > > > > > > Now, I get some data that is signed by the private key corresponding to > the > > above public key/cert and I need to verify it. > > > > Here're some pieces of my code: > > > > ... > > EVP_PKEY *pub_key = X509_get_pubkey(cert); //this is OK > > ... > > EVP_VerifyFinal(&c, signature, signature_len, pub_key); //this fails; Why > > does it fail? > > > > The following are the errors from the above VerifyFinal: > > > > 140310811899840:error:0D07207B:asn1 encoding > routines:ASN1_get_object:header > > too long:asn1_lib.c:150: > > 140310811899840:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad > > object header:tasn_dec.c:1306: > > 140310811899840:error:0D07803A:asn1 encoding > > routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=ECDSA_SIG > > > > Looks to me like the signature you are passing it is in the wrong > format. Where did you get it from? > > > > > > So, after reading this page > > (http://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography), I > realized > > I need to extract the EC_POINT out of the above public key. > > No. There is no need to do this. You only need to worry about the low > level EC stuff if you are not using the EVP interface - which you are. > > Matt > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org > -- *Anant* *Rao* Server Lead D / a...@noknok.com *Nok Nok Labs Inc.* 4151 Middlefield Road, Suite 200 Palo Alto, CA 94303 T +1 650 433 1300 i...@noknok.com *www.noknok.com* <http://www.noknok.com> <http://www.linkedin.com/company/nok-nok-labs> <http://www.twitter.com/noknoklabs> <https://plus.google.com/108217184383559859585> <http://www.facebook.com/NokNokLabs>
