> From: owner-openssl-us...@openssl.org On Behalf Of DarkMike
> Sent: Monday, 04 July, 2011 13:24

> What I want to do is:
>
> 1. decrypt the signature to get decrypted message digest (sha1)
> 2. compute the sha1 from the certificate on my own
> and compare these two digests
>

Presumably you mean the signature in the cert, over the certTBS,
since otherwise comparing the digests makes no sense.
This process is a first step in verifying the certificate;
an entity using a certificate (generically called a relying party
or relier) usually needs to make additional checks as well.

Two caveats:
- all common signature schemes use some hash, but not always SHA1
- talking about "encrypting" and "decrypting" the hash is not
entirely correct for RSA, and totally wrong for DSA and ECDSA.
sign/verify and encrypt/decrypt are actually different operations,
even if mathematically related, and it's best to keep them distinct.

> I want to use this mechanism for whole communication between my
> server and multiple clients, to ensure each message my server gets is
> from expected unique client.
>
> I.e. get next message from the client signed by sha1 digest
> decrypted with client private key,
> then decrypt this signature, compare to signature that my
> server computes from this message.
>

Now you seem to want to sign and verify some data of your own,
NOT the certificate. If that's what you want, then have the client
create a signature for the data and send it, and have the server
verify that signature. No certificate needs to be involved,
although a certificate is one standard way to securely transport
the signer's public key, which the verifier needs to have.
And the certificate *signature* is not involved at all, unless
you want to verify the certificate, in which case as above
checking the signature is only one step.

If you want to do that with openssl commandline, the digest -sign
and digest -verify options you referenced earlier are one method.
The smime or pkcs7 format, which basically bundles the data and
signature for it together, is another approach.
And if you write (or already have) your own program(s) there are more choices.
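
Added example, not part of the original message: the client-signs, server-verifies flow described above, using the openssl command line's digest -sign and -verify options. The choice of SHA-256, the RSA key size, the file names and the sample messages are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-message signing with a client key, verified by the server.
# SHA-256, RSA-2048 and all file names are assumptions, not from the thread.

# Client side, once: create a key pair; only the public half goes to the server.
make_client_key() {  # $1 = private key file, $2 = public key file
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null &&
    openssl pkey -in "$1" -pubout -out "$2"
}

# Client side, per message: hash and sign in one step (sign, not "encrypt").
sign_msg() {         # $1 = private key, $2 = message file, $3 = signature file
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Server side, per message: succeeds only if the signature matches this exact
# message under this client's public key. The printed result is compared
# instead of relying on the exit status alone.
verify_msg() {       # $1 = public key, $2 = message file, $3 = signature file
    [ "$(openssl dgst -sha256 -verify "$1" -signature "$3" "$2" \
        2>/dev/null)" = "Verified OK" ]
}

demo() {
    d=$(mktemp -d) || return 1
    make_client_key "$d/client.key" "$d/client.pub" || return 1
    printf 'order 42: ship 3 units\n' > "$d/msg"   # constructed sample message
    sign_msg "$d/client.key" "$d/msg" "$d/msg.sig" || return 1
    verify_msg "$d/client.pub" "$d/msg" "$d/msg.sig" &&
        echo "genuine message: accepted"
    printf 'order 42: ship 9 units\n' > "$d/msg"   # same signature, altered data
    verify_msg "$d/client.pub" "$d/msg" "$d/msg.sig" ||
        echo "altered message: rejected"
    rm -rf "$d"
}
demo
```

A valid signature shows which key signed the message, not when it was sent; if replayed messages matter, put a nonce or sequence number inside the signed data and have the server check it.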