On Wed, Apr 02, 2003, Howard Chan wrote:

> Actually, I found that if I use : openssl dgst -sha1 -verify
> "pubkey" -signature "signature_file" -binary "original_file"
> works.
>
> Provided that I signed with : openssl dgst -sha1 -sign "privkey" "original
> file" . This is what I did with a testfile which I generated to test this
> process.
>
> I'm actually trying to verify a signature of an OCSP request. The most
> confusing part is, with a signed OCSP request, I'm not sure which portion of
> the request I should consider as the "original file", and which portion from
> within the OCSP request (a certain BIT STRING) represents the signature (
> "signature_file") of the request . This is the most difficult part, and I'm
> looking into RFC 2560 for hints.
>
> I've done an asn1parse on the whole OCSP request, and I'm looking into where
> I make the extraction of the signature and the "original file". In the case
> of OCSP requests, the "original file" is most certainly NOT the whole binary
> file!!
>
> Does anyone have any hints for me?
>

Yes: use the OCSP library to parse the ASN1 structure. It's rather tricky
working out things from the asn1parse output...

There isn't a command line utility to directly verify an OCSP request, though
there is for an OCSP response.

OCSP_request_verify() should do the trick.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
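
Added example, not part of the original thread and not OpenSSL code: a minimal DER walk showing which bytes of a signed OCSPRequest (RFC 2560) are the signed data (the complete DER encoding of tbsRequest, header included) and which are the signature (the BIT STRING inside optionalSignature, minus its leading unused-bits octet). The function names and the sample request are constructed for illustration; real verification should go through OCSP_request_verify() as the reply says.

```python
# Added example, standard library only; layout follows RFC 2560 OCSPRequest.
def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, value_start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or value_start + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[value_start:value_start + n], "big")
        value_start += n
    if value_start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, value_start, value_start + length

def expect(buf, pos, want):  # read_tlv() plus a tag check
    tag, value_start, end = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag {want:#04x}, got {tag:#04x}")
    return value_start, end

def split_ocsp_request(der):
    """Return (tbs_request_der, signature); signature is None if unsigned."""
    body, end = expect(der, 0, 0x30)             # OCSPRequest SEQUENCE
    if end != len(der):
        raise ValueError("trailing data after OCSPRequest")
    _, tbs_end = expect(der, body, 0x30)         # tbsRequest
    tbs = der[body:tbs_end]                      # signed bytes include the header
    if tbs_end == end:
        return tbs, None                         # optionalSignature absent
    wrap, _ = expect(der, tbs_end, 0xA0)         # [0] EXPLICIT wrapper
    sig_seq, _ = expect(der, wrap, 0x30)         # Signature SEQUENCE
    _, alg_end = expect(der, sig_seq, 0x30)      # signatureAlgorithm
    bits, bits_end = expect(der, alg_end, 0x03)  # signature BIT STRING
    if bits == bits_end or der[bits] != 0:
        raise ValueError("BIT STRING is empty or has unused bits")
    return tbs, der[bits + 1:bits_end]           # drop the unused-bits octet

def tlv(tag, content):  # DER-encode one element; only builds the sample below
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + content

# Constructed sample, not a real request: empty requestList, dummy signature.
SHA1_RSA = bytes.fromhex("300d06092a864886f70d0101050500")  # sha1WithRSAEncryption
SAMPLE_TBS, SAMPLE_SIG = tlv(0x30, tlv(0x30, b"")), bytes(range(128))
SIG_FIELD = tlv(0xA0, tlv(0x30, SHA1_RSA + tlv(0x03, b"\x00" + SAMPLE_SIG)))
SAMPLE_REQ = tlv(0x30, SAMPLE_TBS + SIG_FIELD)
```

For an RSA-signed request, writing the two return values to files gives the "original_file" and "signature_file" of the `openssl dgst -verify` command quoted above, with the digest option chosen to match signatureAlgorithm. That checks the signature bytes only, not the signer's certificate chain.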