Re: Signature validation in certificates - Openssl
This is a discussion on Re: Signature validation in certificates - Openssl ; The signature checking work like this
The SIGNER ( CA or SERVER ) build a digest with an appropriate
algorithm
then he encrypt the digest with its private key
Within the certificate you know the digest algorithm so you can ...
-
Re: Signature validation in certificates
The signature checking work like this
The SIGNER ( CA or SERVER ) build a digest with an appropriate
algorithm
then he encrypt the digest with its private key
Within the certificate you know the digest algorithm so you can build
this digest
and then you decrypt thi sdsignature with the public key of the
signer , this must be identical to the digest
I hope this helps
Dominique LOHEZ
Geetha_Priya a écrit :
> I have read numerous certification related docs. Being new to this technology I don't find any material detailing the manual certificate validation [even the faq on the same heading ] specially verifying key part. I also went through verify.c in openssl but key verification is lost amongst the APIs. Here is my understanding on certificate validation
>
> A root certificate [signed by CA] comprises of version, serial num, issuer and subject details, public key algorithm details and a signature which is hash of the rest of cert details further encrypted using private key. This root cert is installed by browsers automatically. The web servers have their certificates signed by these CA.
>
> When a https site id accessed , the server sends a server certificate that contains most of the above details (except for changed subject name/validity etc.)along with the signature and a RSA public key
>
> Now for certificate validation:
>
> First we verify the credentials of issuer/common name etc.. that is clear to me
>
> Second step is to match the signature which I find a lil confusing
>
> Here do you use public key to decrypt the signature portion of your root certificate and compare it with,
> the decrypted portion of server certificate (decrypted with public keythat appears in server certificate). Does this sound right?
>
> The root certificate has public key and signature and so does the server certificate.
>
> Please clarify as I am manually trying to verify certificates.
> Any other C files within openssl which talks the details about signature validation.
>
> Thanks for your help
> Regards
> Geetha
>
>
>
> DISCLAIMER:
> This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard is appreciated.
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org
>
>
>
>
--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: Dominique.Lohez@isen.fr
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
-
RE: Signature validation in certificates
Thanks Dominique. I guess the openssl verify does these steps to actually verify if an incoming server certificate compares to a root certificate.
Regards
Geetha
-----Original Message-----
From: owner-openssl-users@openssl.org [mailto
wner-openssl-users@openssl.org] On Behalf Of Dominique Lohez
Sent: Wednesday, July 09, 2008 7:33 PM
To: openssl-users@openssl.org
Subject: Re: Signature validation in certificates
The signature checking work like this
The SIGNER ( CA or SERVER ) build a digest with an appropriate
algorithm
then he encrypt the digest with its private key
Within the certificate you know the digest algorithm so you can build
this digest
and then you decrypt thi sdsignature with the public key of the
signer , this must be identical to the digest
I hope this helps
Dominique LOHEZ
Geetha_Priya a écrit :
> I have read numerous certification related docs. Being new to this technology I don't find any material detailing the manual certificate validation [even the faq on the same heading ] specially verifying key part. I also went through verify.c in openssl but key verification is lost amongst the APIs. Here is my understanding on certificate validation
>
> A root certificate [signed by CA] comprises of version, serial num, issuer and subject details, public key algorithm details and a signature which is hash of the rest of cert details further encrypted using private key. This root cert is installed by browsers automatically. The web servers have their certificates signed by these CA.
>
> When a https site id accessed , the server sends a server certificate that contains most of the above details (except for changed subject name/validity etc.)along with the signature and a RSA public key
>
> Now for certificate validation:
>
> First we verify the credentials of issuer/common name etc.. that is clearto me
>
> Second step is to match the signature which I find a lil confusing
>
> Here do you use public key to decrypt the signature portion of your root certificate and compare it with,
> the decrypted portion of server certificate (decrypted with public key that appears in server certificate). Does this sound right?
>
> The root certificate has public key and signature and so does the server certificate.
>
> Please clarify as I am manually trying to verify certificates.
> Any other C files within openssl which talks the details about signature validation.
>
> Thanks for your help
> Regards
> Geetha
>
>
>
> DISCLAIMER:
> This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard is appreciated.
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org
>
>
>
>
--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: Dominique.Lohez@isen.fr
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
DISCLAIMER:
This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard isappreciated.
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
