demos/sign/sign.txt

   1 From ssl-lists-owner@mincom.com Mon Sep 30 22:43:15 1996
   2 Received: from cygnus.mincom.oz.au by orb.mincom.oz.au with SMTP id AA12802
   3   (5.65c/IDA-1.4.4 for eay); Mon, 30 Sep 1996 12:45:43 +1000
   4 Received: (from daemon@localhost) by cygnus.mincom.oz.au (8.7.5/8.7.3) id MAA25922 for ssl-users-outgoing; Mon, 30 Sep 1996 12:43:43 +1000 (EST)
   5 Received: from orb.mincom.oz.au (eay@orb.mincom.oz.au [192.55.197.1]) by cygnus.mincom.oz.au (8.7.5/8.7.3) with SMTP id MAA25900 for <ssl-users@listserv.mincom.oz.au>; Mon, 30 Sep 1996 12:43:39 +1000 (EST)
   6 Received: by orb.mincom.oz.au id AA12688
   7   (5.65c/IDA-1.4.4 for ssl-users@listserv.mincom.oz.au); Mon, 30 Sep 1996 12:43:16 +1000
   8 Date: Mon, 30 Sep 1996 12:43:15 +1000 (EST)
   9 From: Eric Young <eay@mincom.com>
  10 X-Sender: eay@orb
  11 To: Sampo Kellomaki <sampo@neuronio.pt>
  12 Cc: ssl-users@mincom.com, sampo@brutus.neuronio.pt
  13 Subject: Re: Signing with envelope routines
  14 In-Reply-To: <199609300037.BAA08729@brutus.neuronio.pt>
  15 Message-Id: <Pine.SOL.3.91.960930121504.11800Y-100000@orb>
  16 Mime-Version: 1.0
  17 Content-Type: TEXT/PLAIN; charset=US-ASCII
  18 Sender: ssl-lists-owner@mincom.com
  19 Precedence: bulk
  20 Status: O
  21 X-Status:
  22
  23
  24 On Mon, 30 Sep 1996, Sampo Kellomaki wrote:
  25 > I have been trying to figure out how to produce signatures with EVP_
  26 > routines. I seem to be able to read in private key and sign some
  27 > data ok, but I can't figure out how I am supposed to read in
  28 > public key so that I could verify my signature. I use self signed
  29 > certificate.
  30
  31 hmm... a rather poorly documented are of the library at this point in time.
  32
  33 > I figured I should use
  34 >       EVP_PKEY* pkey = PEM_ASN1_read(d2i_PrivateKey, PEM_STRING_EVP_PKEY,
  35 >                                      fp, NULL, NULL);
  36 > to read in private key and this seems to work Ok.
  37 >
  38 > However when I try analogous
  39 >       EVP_PKEY* pkey = PEM_ASN1_read(d2i_PublicKey, PEM_STRING_X509,
  40 >                                      fp, NULL, NULL);
  41
  42 What you should do is
  43         X509 *x509=PEM_read_X509(fp,NULL,NULL);
  44         /* which is the same as PEM_ASN1_read(d2i_X509,PEM_STRING_X509,fp,
  45          * NULL,NULL); */
  46 Then
  47         EVP_PKEY *pkey=X509_extract_key(x509);
  48
  49 There is also a X509_REQ_extract_key(req);
  50 which gets the public key from a certificate request.
  51
  52 I re-worked quite a bit of this when I cleaned up the dependancy on
  53 RSA as the private key.
  54
  55 > I figured that the second argument to PEM_ASN1_read should match the
  56 > name in my PEM encoded object, hence PEM_STRING_X509.
  57 > PEM_STRING_EVP_PKEY seems to be somehow magical
  58 > because it matches whatever private key there happens to be. I could
  59 > not find a similar constant to use with getting the certificate, however.
  60
  61 :-), PEM_STRING_EVP_PKEY is 'magical' :-).  In theory I should be using a
  62 standard such as PKCS#8 to store the private key so that the type is
  63 encoded in the asn.1 encoding of the object.
  64
  65 > Is my approach of using PEM_ASN1_read correct? What should I pass in
  66 > as name?  Can I use normal (or even self signed) X509 certificate for
  67 > verifying the signature?
  68
  69 The actual public key is kept in the certificate, so basically you have
  70 to load the certificate and then 'unpack' the public key from the
  71 certificate.
  72
  73 > When will SSLeay documentation be written ;-)? If I would contribute
  74 > comments to the code, would Eric take time to review them and include
  75 > them in distribution?
  76
  77 :-) After SSLv3 and PKCS#7 :-).  I actually started doing a function list
  78 but what I really need to do is do quite a few 'this is how you do xyz'
  79 type documents.  I suppose the current method is to post to ssl-users and
  80 I'll respond :-).
  81
  82 I'll add a 'demo' directory for the next release, I've appended a
  83 modified version of your program that works, you were very close :-).
  84
  85 eric
  86
  87 /* sign-it.cpp  -  Simple test app using SSLeay envelopes to sign data
  88    29.9.1996, Sampo Kellomaki <sampo@iki.fi> */
  89
  90 /* converted to C - eay :-) */
  91
  92 #include <stdio.h>
  93 #include "rsa.h"
  94 #include "evp.h"
  95 #include "objects.h"
  96 #include "x509.h"
  97 #include "err.h"
  98 #include "pem.h"
  99 #include "ssl.h"
 100
 101 void main ()
 102 {
 103   int err;
 104   int sig_len;
 105   unsigned char sig_buf [4096];
 106   static char certfile[] = "plain-cert.pem";
 107   static char keyfile[]  = "plain-key.pem";
 108   static char data[]     = "I owe you...";
 109   EVP_MD_CTX     md_ctx;
 110   EVP_PKEY *      pkey;
 111   FILE *          fp;
 112   X509 *        x509;
 113
 114   /* Just load the crypto library error strings,
 115    * SSL_load_error_strings() loads the crypto AND the SSL ones */
 116   /* SSL_load_error_strings();*/
 117   ERR_load_crypto_strings();
 118
 119   /* Read private key */
 120
 121   fp = fopen (keyfile, "r");   if (fp == NULL) exit (1);
 122   pkey = (EVP_PKEY*)PEM_ASN1_read ((char *(*)())d2i_PrivateKey,
 123                                    PEM_STRING_EVP_PKEY,
 124                                    fp,
 125                                    NULL, NULL);
 126   if (pkey == NULL) {  ERR_print_errors_fp (stderr);    exit (1);  }
 127   fclose (fp);
 128
 129   /* Do the signature */
 130
 131   EVP_SignInit   (&md_ctx, EVP_md5());
 132   EVP_SignUpdate (&md_ctx, data, strlen(data));
 133   sig_len = sizeof(sig_buf);
 134   err = EVP_SignFinal (&md_ctx,
 135                        sig_buf,
 136                        &sig_len,
 137                        pkey);
 138   if (err != 1) {  ERR_print_errors_fp (stderr);    exit (1);  }
 139   EVP_PKEY_free (pkey);
 140
 141   /* Read public key */
 142
 143   fp = fopen (certfile, "r");   if (fp == NULL) exit (1);
 144   x509 = (X509 *)PEM_ASN1_read ((char *(*)())d2i_X509,
 145                                    PEM_STRING_X509,
 146                                    fp, NULL, NULL);
 147   if (x509 == NULL) {  ERR_print_errors_fp (stderr);    exit (1);  }
 148   fclose (fp);
 149
 150   /* Get public key - eay */
 151   pkey=X509_extract_key(x509);
 152   if (pkey == NULL) {  ERR_print_errors_fp (stderr);    exit (1);  }
 153
 154   /* Verify the signature */
 155
 156   EVP_VerifyInit   (&md_ctx, EVP_md5());
 157   EVP_VerifyUpdate (&md_ctx, data, strlen((char*)data));
 158   err = EVP_VerifyFinal (&md_ctx,
 159                          sig_buf,
 160                          sig_len,
 161                          pkey);
 162   if (err != 1) {  ERR_print_errors_fp (stderr);    exit (1);  }
 163   EVP_PKEY_free (pkey);
 164   printf ("Signature Verified Ok.\n");
 165 }
 166
 167
 168
 169
 170