The signature checking work like this
The SIGNER ( CA or SERVER ) build a digest with an appropriate
algorithm
then he encrypt the digest with its private key
Within the certificate you know the digest algorithm so you can build
this digest
and then you decrypt thi sdsignature with the public key of the
signer , this must be identical to the digest
I hope this helps
Dominique LOHEZ
Geetha_Priya a écrit :
I have read numerous certification related docs. Being new to this technology I
don't find any material detailing the manual certificate validation [even the
faq on the same heading ] specially verifying key part. I also went through
verify.c in openssl but key verification is lost amongst the APIs. Here is my
understanding on certificate validation
A root certificate [signed by CA] comprises of version, serial num, issuer and
subject details, public key algorithm details and a signature which is hash of
the rest of cert details further encrypted using private key. This root cert is
installed by browsers automatically. The web servers have their certificates
signed by these CA.
When a https site id accessed , the server sends a server certificate that
contains most of the above details (except for changed subject name/validity
etc.)along with the signature and a RSA public key
Now for certificate validation:
First we verify the credentials of issuer/common name etc.. that is clear to me
Second step is to match the signature which I find a lil confusing
Here do you use public key to decrypt the signature portion of your root
certificate and compare it with,
the decrypted portion of server certificate (decrypted with public key that
appears in server certificate). Does this sound right?
The root certificate has public key and signature and so does the server certificate.
Please clarify as I am manually trying to verify certificates.
Any other C files within openssl which talks the details about signature
validation.
Thanks for your help
Regards
Geetha
DISCLAIMER:
This email (including any attachments) is intended for the sole use of the
intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE
COMPANY INFORMATION. Any review or reliance by others or copying or
distribution or forwarding of any or all of the contents in this message is
STRICTLY PROHIBITED. If you are not the intended recipient, please contact the
sender by email and delete all copies; your cooperation in this regard is
appreciated.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
