Tried to find documentation and examples ( which includes searching the forum) for using a PKCS7 standard in context to what I am trying to do for best practices when using a signature to verify a document received.
Basically I have a document file (100k) called BackgroundCheck.doc (document_bytes document_length) and an ECDSA signature from this file (used SHA1 from the document using a ECDSA private key) called BackgroundCheck.ecdsa (signature_bytes signature_length) The document and signature is sent to a recipient who has a file called ecdsapublic.x509 to verify the signature from the document using the ECDSA public key. basically the Message Digest is computed from the document received by the recipient to verify the document. unsigned char md[20]; result= SHA1(document_bytes, document_size, md); //compute the message digest from the document Then use the X509 file with public key to verify the signature. X509 *x509= PEM_read_bio_pubkey(bio, NULL,0 ,NULL); //read the ecdsapublic.x509 EVP_KEY *evpkey= X509_get_pubkey(x509); //get the public key EC_KEY *pubeckey = EVP_PKEY_get1_EC_KEY(evpkey); ret= EC_KEY_set_group(pubeckey, EC_GROUP_new_by_curve_name(curvetype); //set the curve type which recipient knows. rc = ECDSA_verify(0,md, 20, signature_bytes, signature_length); //now verify the document using the signature file And that works great sending many documents with signatures and the recipient can verify that they are authentic. The issue is the raw signature is simple not best practice (I assume) it could use a PKCS7 but I have no idea how this would apply. Basically a programmatic API could be used p7= PKCS7_new(); int rc= PKCS7_set_type(p7, NID_pkcs7_enveloped); to make a PKCS7 for the signature that could be sent with the document instead of the raw signature. So where are there examples? I have read the O'Reilly OpenSSL book but their context is not mine for the PKCS7 usage and its a thin chapter (well if you want to call it a chapter). Maybe an example can be posted here using the functions. redpath wrote: > > Well the situation is I have a file which has been signed for its > contents. This signature > is used to verify the authentication of the file. The signature works > great but I want to use > best practices to package the signature. A PKCS7 was suggested. So I > assume I can extract this signature from the PKCS7 to verify the file > contents which I create the message digest SHA2 from. > Is there something I am missing here. Just want to use best practices. > The challenger has the file and the PKCS7 (signature) to verify the > contents. The challenger has the > public key. > > > redpath wrote: >> >> I have a PKCS7 file with signature in the envelope. >> What API function can I use to open the PKCS7 to extract the signature >> data and length >> and then verify the message digest? The verify is shown below assuming I >> got the signature >> data and length. >> >> int rc = ECDSA_verify(0, md, 20, signaturedata, signaturelength, >> pubeckey); >> >> Kinda hard to find the right functions which seems to be a pretty common >> thing. >> I did search the forum for this. >> >> >> > > -- View this message in context: http://old.nabble.com/PKCS7-open-and-extract-signature-tp34542036p34548505.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
