Using the openssl command-line tool, how can I verify a hexadecimal sha1 signature (i.e., the output of "openssl sha1 -sign -hex ...")? I can verify a binary signature, but for my application I need to use plain text. I could use "openssl base64" to encode and decode the binary signature, but I'd rather use the hex signature directly.
If this isn't possible, how is the ability to generate the signature in hexadecimal useful?

Here's a shell script that demonstrates the problem:

============================== CUT HERE ==============================
#!/bin/sh

try() {
    echo "% $@"
    "$@" || echo "Failed: exit $?"
}

echo 'Hello, world' > foo.txt
try cat foo.txt
try openssl version
echo ''
echo '... Generating private and public RSA keys ...'
try openssl genrsa -out rsa-privkey
try openssl rsa -in rsa-privkey -pubout -out rsa-pubkey
echo ''
echo '... Generating binary sha1 signature ...'
try openssl sha1 -sign rsa-privkey -out foo.bin foo.txt
echo ''
echo '... Verifying binary sha1 signature ...'
try openssl sha1 -verify rsa-pubkey -signature foo.bin foo.txt
echo ''
echo '... Generating hex sha1 signature ...'
try openssl sha1 -sign rsa-privkey -hex -out foo.hex foo.txt
echo ''
echo '... Verifying hex sha1 signature ...'
try openssl sha1 -verify rsa-pubkey -signature foo.hex foo.txt
echo ''
echo '... Verifying hex sha1 signature (using "-hex") ...'
try openssl sha1 -verify rsa-pubkey -hex -signature foo.hex foo.txt
============================== AND HERE ==============================

And here's the output (including messages sent to stderr):

============================== CUT HERE ==============================
% cat foo.txt
Hello, world
% openssl version
OpenSSL 0.9.8d 28 Sep 2006

... Generating private and public RSA keys ...
% openssl genrsa -out rsa-privkey
Generating RSA private key, 512 bit long modulus
........++++++++++++
......++++++++++++
e is 65537 (0x10001)
% openssl rsa -in rsa-privkey -pubout -out rsa-pubkey
writing RSA key

... Generating binary sha1 signature ...
% openssl sha1 -sign rsa-privkey -out foo.bin foo.txt

... Verifying binary sha1 signature ...
% openssl sha1 -verify rsa-pubkey -signature foo.bin foo.txt
Verified OK

... Generating hex sha1 signature ...
% openssl sha1 -sign rsa-privkey -hex -out foo.hex foo.txt

... Verifying hex sha1 signature ...
% openssl sha1 -verify rsa-pubkey -signature foo.hex foo.txt
Verification Failure
Failed: exit 1

... Verifying hex sha1 signature (using "-hex") ...
% openssl sha1 -verify rsa-pubkey -hex -signature foo.hex foo.txt
Verification Failure
Failed: exit 1
============================== AND HERE ==============================

I get the same result with the latest snapshot (openssl-SNAP-20070118.tar.gz).

-- 
Keith Thompson <[EMAIL PROTECTED]>
San Diego Supercomputer Center <http://users.sdsc.edu/~kst/>
858-822-0853
We must do something. This is something. Therefore, we must do this.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
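The following is an added example, not part of Keith's post and not OpenSSL project code. It shows the approach the question is circling: `-verify` consumes the raw signature bytes, so a hex signature has to be turned back into those bytes before it is handed to `-signature`. The function names (`hex_to_bin`, `bin_to_hex`, `sig_hex_payload`, `verify_hex_sig`, `demo`) are my own, the script assumes only POSIX sh plus `od`, `tr`, `sed`, `printf` and the `openssl` CLI, and it assumes that `openssl dgst -hex` may prefix the hex digits with a label such as `SHA1(file)= `, which `sig_hex_payload` strips.

```shell
#!/bin/sh
# Added example (not from the original post): verify a hex-encoded RSA signature
# produced by "openssl dgst -sha1 -sign ... -hex" by converting the hex text back
# into the raw signature bytes that "openssl dgst -verify -signature" expects.
# Assumptions: POSIX sh, od/tr/sed/printf, and the openssl command-line tool.

# hex_to_bin: hex digits on stdin (whitespace ignored) -> raw bytes on stdout.
hex_to_bin() {
    hex=$(tr -d ' \t\r\n')
    while [ -n "$hex" ]; do
        rest=${hex#??}            # drop the first two hex digits
        byte=${hex%"$rest"}       # ... and keep exactly those two
        hex=$rest
        # "%03o" turns 0x41 into 101; printf "\101" then emits the byte itself
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# bin_to_hex: raw bytes on stdin -> lowercase hex without separators.
bin_to_hex() {
    od -An -v -tx1 | tr -d ' \n'
}

# sig_hex_payload FILE: extract the hex digits from "openssl dgst -hex" output,
# which is assumed to look like "SHA1(foo.txt)= 3a4f..." (label is stripped).
sig_hex_payload() {
    sed 's/^.*=[[:space:]]*//' "$1"
}

# verify_hex_sig PUBKEY HEXSIGFILE DATAFILE: decode the hex signature into a
# temporary binary file and let openssl verify it. Exit status 0 only on success.
verify_hex_sig() {
    pub=$1; hexsig=$2; data=$3
    binsig=$(mktemp)
    sig_hex_payload "$hexsig" | hex_to_bin > "$binsig"
    if openssl dgst -sha1 -verify "$pub" -signature "$binsig" "$data"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$binsig"
    return $rc
}

# demo: throwaway key, sign with -hex, verify via the conversion above, and
# confirm that a tampered message is rejected. Returns 0 when both checks hold.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping demo" >&2; return 0; }
    dir=$(mktemp -d)
    echo 'Hello, world' > "$dir/foo.txt"                       # constructed sample input
    openssl genrsa -out "$dir/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/priv.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
    openssl dgst -sha1 -sign "$dir/priv.pem" -hex -out "$dir/foo.hex" "$dir/foo.txt"
    # 1. the hex signature must verify against the original message
    verify_hex_sig "$dir/pub.pem" "$dir/foo.hex" "$dir/foo.txt" || { rm -rf "$dir"; return 1; }
    # 2. the same signature must NOT verify against a modified message
    echo 'Hello, world!' > "$dir/bad.txt"
    if verify_hex_sig "$dir/pub.pem" "$dir/foo.hex" "$dir/bad.txt" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
    return 0
}
```

Source the file and call `demo`, or call `verify_hex_sig rsa-pubkey foo.hex foo.txt` directly on the files from the post. The conversion is done in plain shell rather than `xxd -r -p` so it works where `xxd` is not installed; on systems that have it, `xxd -r -p foo.hex > foo.bin` followed by the usual binary `-verify` is the one-line equivalent.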