On 10/11/2012 4:16 PM, redpath wrote:
> Well the situation is I have a file which has been signed for its contents.
> This signature is used to verify the authentication of the file. The
> signature works great but I want to use best practices to package the
> signature. A PKCS7 was suggested. So I assume I can extract this signature
> from the PKCS7 to verify the file contents which I create the message
> digest SHA2 from.

This sounds like you want a "detached" PKCS#7 signature, where the
PKCS#7 structure itself contains some meta-information about the file
(such as what hash algorithm to use and what date the signature was
made), but not the actual file contents.

Detached PKCS#7 signatures are very common; this is how PKCS#7 is used
with signed (but not encrypted) e-mails, Microsoft Authenticode
signatures and many other uses.

The function families suggested to you also contain functions that can
generate and validate detached PKCS7 signatures.

> Is there something I am missing here. Just want to use best practices.
> The challenger has the file and the PKCS7 (signature) to verify the
> contents. The challenger has the public key.

It is currently considered "best practice" to provide the public key
in the form of an X.509 certificate issued by someone the challenger
probably trusts with the ability to independently verify that you are
who you say you are. This will be provided to the challenger in two
places (that must agree):

1. Inside the PKCS#7 structure (there is a field specifically for that).
2. Separately over a trusted delivery mechanism (so the challenger has
   another reason to be certain he has the proper public key to trust
   with signing the file contents).

redpath wrote:
> I have a PKCS7 file with signature in the envelope.
> What API function can I use to open the PKCS7 to extract the signature
> data and length and then verify the message digest? The verify is shown
> below assuming I got the signature data and length.
>
> int rc = ECDSA_verify(0, md, 20, signaturedata, signaturelength, pubeckey);
>
> Kinda hard to find the right functions which seems to be a pretty common
> thing.
> I did search the forum for this.

Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
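
The detached-signature flow discussed in this thread, as an added example that is not code from the original posts or from the OpenSSL project: it signs a file into a detached PKCS#7, checks that the certificate inside the structure agrees with the separately trusted one, and verifies the file. The function names, file names and the throwaway self-signed certificate (standing in for a CA-issued one delivered over a trusted channel) are assumptions constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway P-256 key, self-signed certificate, sample file.
# All function and file names are assumptions made for this example.
set -eu

make_signer() {             # $1 = key output, $2 = certificate output
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
    openssl req -x509 -new -key "$1" -sha256 -days 1 \
        -subj "/CN=constructed-signer" -out "$2"
}

sign_detached() {           # $1 = file, $2 = key, $3 = cert, $4 = PKCS#7 output
    # Without -nodetach the PKCS#7 holds the signer certificate, digest
    # algorithm and signing time, but not the file contents.
    openssl smime -sign -binary -md sha256 -in "$1" \
        -inkey "$2" -signer "$3" -outform DER -out "$4"
}

verify_detached() {         # $1 = file, $2 = PKCS#7, $3 = trusted certificate
    openssl smime -verify -binary -inform DER -in "$2" \
        -content "$1" -CAfile "$3" -out /dev/null 2>/dev/null
}

embedded_cert_matches() {   # $1 = PKCS#7, $2 = trusted certificate
    # Compare the certificate carried inside the PKCS#7 with the trusted copy.
    inside=$(openssl pkcs7 -inform DER -in "$1" -print_certs |
             openssl x509 -noout -fingerprint -sha256)
    trusted=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    [ "$inside" = "$trusted" ]
}

demo() {
    dir=$(mktemp -d)
    printf 'constructed file contents\n' > "$dir/file.bin"
    make_signer "$dir/key.pem" "$dir/cert.pem"
    sign_detached "$dir/file.bin" "$dir/key.pem" "$dir/cert.pem" "$dir/file.p7s"
    embedded_cert_matches "$dir/file.p7s" "$dir/cert.pem" && echo "certificates agree"
    verify_detached "$dir/file.bin" "$dir/file.p7s" "$dir/cert.pem" && echo "original: verified"
    printf 'x' >> "$dir/file.bin"       # simulate modification after signing
    verify_detached "$dir/file.bin" "$dir/file.p7s" "$dir/cert.pem" || echo "modified: rejected"
    rm -rf "$dir"
}
demo
```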