Using the openssl command-line tool, how can I verify a hexadecimal
sha1 signature (i.e., the output of "openssl sha1 -sign -hex ...")?
I can verify a binary signature, but for my application I need to
use plain text.  I could use "openssl base64" to encode and decode
the binary signature, but I'd rather use the hex signature directly.

If this isn't possible, how is the ability to generate the signature
in hexadecimal useful?

Here's a shell script that demonstrates the problem:
============================== CUT HERE ==============================
#!/bin/sh

try() {
    echo "% $@"
    "$@" || echo "Failed: exit $?"
}

echo 'Hello, world' > foo.txt
try cat foo.txt

try openssl version
echo ''

echo '... Generating private and public RSA keys ...'
try openssl genrsa -out rsa-privkey
try openssl rsa -in rsa-privkey -pubout -out rsa-pubkey
echo ''

echo '... Generating binary sha1 signature ...'
try openssl sha1 -sign rsa-privkey -out foo.bin foo.txt
echo ''

echo '... Verifying binary sha1 signature ...'
try openssl sha1 -verify rsa-pubkey -signature foo.bin foo.txt
echo ''

echo '... Generating hex sha1 signature ...'
try openssl sha1 -sign rsa-privkey -hex -out foo.hex foo.txt
echo ''

echo '... Verifying hex sha1 signature ...'
try openssl sha1 -verify rsa-pubkey -signature foo.hex foo.txt
echo ''

echo '... Verifying hex sha1 signature (using "-hex") ...'
try openssl sha1 -verify rsa-pubkey -hex -signature foo.hex foo.txt
============================== AND HERE ==============================

And here's the output (including messages sent to stderr):
============================== CUT HERE ==============================
% cat foo.txt
Hello, world
% openssl version
OpenSSL 0.9.8d 28 Sep 2006

... Generating private and public RSA keys ...
% openssl genrsa -out rsa-privkey
Generating RSA private key, 512 bit long modulus
........++++++++++++
......++++++++++++
e is 65537 (0x10001)
% openssl rsa -in rsa-privkey -pubout -out rsa-pubkey
writing RSA key

... Generating binary sha1 signature ...
% openssl sha1 -sign rsa-privkey -out foo.bin foo.txt

... Verifying binary sha1 signature ...
% openssl sha1 -verify rsa-pubkey -signature foo.bin foo.txt
Verified OK

... Generating hex sha1 signature ...
% openssl sha1 -sign rsa-privkey -hex -out foo.hex foo.txt

... Verifying hex sha1 signature ...
% openssl sha1 -verify rsa-pubkey -signature foo.hex foo.txt
Verification Failure
Failed: exit 1

... Verifying hex sha1 signature (using "-hex") ...
% openssl sha1 -verify rsa-pubkey -hex -signature foo.hex foo.txt
Verification Failure
Failed: exit 1
============================== AND HERE ==============================

I get the same result with the latest snapshot
(openssl-SNAP-20070118.tar.gz).

-- 
Keith Thompson <[EMAIL PROTECTED]>  San Diego Supercomputer Center
<http://users.sdsc.edu/~kst/>  858-822-0853
We must do something.  This is something.  Therefore, we must do this.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
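What the two failing runs above show is that `-hex` only changes how `openssl` writes its output; `-verify -signature FILE` always reads FILE as raw bytes, so a hex signature has to be decoded back to binary before it can be verified. The script below is an added example, not code from the post or from the OpenSSL project: it decodes the hex file with a small POSIX-only helper (sed/tr/fold/printf, so it also runs where `xxd` is not installed), then calls `openssl dgst -verify` on the decoded bytes. It assumes the `openssl dgst` spelling of the command (`openssl sha1` is the older alias for `openssl dgst -sha1`), generates a throwaway key pair itself, and strips the `NAME(file)= ` label that current OpenSSL releases print in front of hex output. The digest is a parameter that defaults to sha1 to match the post; the same round trip works for any digest `dgst` supports.

```shell
#!/bin/sh
# Added example (not from the post): verify a hex-encoded signature by
# decoding it to raw bytes first. `openssl dgst -hex` changes only the
# OUTPUT encoding; `-verify -signature FILE` always reads FILE as raw bytes,
# so the hex file must be turned back into binary before verifying.

# Decode hex text on stdin to raw bytes on stdout. Tolerates the
# "NAME(file)= " label openssl prints before hex output, whitespace and
# upper/lower case. Pure POSIX (sed/tr/fold/printf), so it works where
# xxd is not installed. Rejects empty, non-hex and odd-length input.
hex_to_bin() {
    hex=$(sed 's/^.*=[[:space:]]*//' | tr -d ' \t\r\n')
    case $hex in
        '' | *[!0-9A-Fa-f]*) echo "hex_to_bin: input is not hex" >&2; return 1 ;;
    esac
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then
        echo "hex_to_bin: odd number of hex digits" >&2; return 1
    fi
    printf '%s\n' "$hex" | fold -w 2 | while read -r byte; do
        # %03o renders the byte as three octal digits; printf "\NNN" emits it.
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# Inverse of hex_to_bin: raw bytes on stdin -> lowercase hex, no newline.
bin_to_hex() {
    od -An -v -tx1 | tr -d ' \n'
}

# Self-check of the codec on bytes that break naive scripts: NUL, 0xff, newline.
codec_roundtrip_ok() {
    in=$(mktemp) && out=$(mktemp) || return 1
    printf '\000\001Hello, world\377\n' > "$in"     # constructed sample bytes
    bin_to_hex < "$in" | hex_to_bin > "$out"
    cmp -s "$in" "$out"; rc=$?
    rm -f "$in" "$out"
    return "$rc"
}

# verify_hex_sig DIGEST PUBKEY SIGHEX FILE
# Decodes SIGHEX to a temp file and runs openssl's verify on it.
# Exit status is openssl's: 0 means "Verified OK".
verify_hex_sig() {
    digest=$1 pubkey=$2 sighex=$3 file=$4
    sigbin=$(mktemp) || return 1
    if ! hex_to_bin < "$sighex" > "$sigbin"; then
        rm -f "$sigbin"; return 1
    fi
    openssl dgst "-$digest" -verify "$pubkey" -signature "$sigbin" "$file"
    rc=$?
    rm -f "$sigbin"
    return "$rc"
}

# demo_hex_roundtrip [DIGEST]   (default sha1, as in the post)
# Throwaway key pair, sign with -hex exactly as the post does, then verify
# the decoded signature. Returns 0 only if the genuine file verifies AND a
# tampered copy is rejected, i.e. the hex round trip changed nothing.
demo_hex_roundtrip() {
    digest=${1:-sha1}
    work=$(mktemp -d) || return 1
    printf 'Hello, world\n' > "$work/foo.txt"
    printf 'Hello, world!\n' > "$work/tampered.txt"   # one byte appended
    openssl genrsa -out "$work/rsa-privkey" 2048 2>/dev/null &&
    openssl rsa -in "$work/rsa-privkey" -pubout -out "$work/rsa-pubkey" 2>/dev/null &&
    openssl dgst "-$digest" -sign "$work/rsa-privkey" -hex -out "$work/foo.hex" "$work/foo.txt" ||
        { rm -rf "$work"; return 1; }
    verify_hex_sig "$digest" "$work/rsa-pubkey" "$work/foo.hex" "$work/foo.txt"
    genuine=$?
    verify_hex_sig "$digest" "$work/rsa-pubkey" "$work/foo.hex" "$work/tampered.txt" 2>/dev/null
    tampered=$?
    rm -rf "$work"
    [ "$genuine" -eq 0 ] && [ "$tampered" -ne 0 ]
}

# Run the demo when executed directly; quietly skipped if openssl is absent.
if command -v openssl >/dev/null 2>&1; then
    demo_hex_roundtrip sha1 && echo "demo: hex signature decoded and verified" ||
        echo "demo: hex signature did NOT verify" >&2
fi
```

To use it on files produced the way the post does, run `verify_hex_sig sha1 rsa-pubkey foo.hex foo.txt`; the only difference from the post's failing command is that the signature file is decoded before `-verify` sees it. The tampered-copy check in the demo is the part worth keeping in any verification script: a verifier that is only ever fed genuine inputs will not reveal a bug that makes it accept everything.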
