Re: Signature validation in certificates - Openssl


Thread: Re: Signature validation in certificates

  1. Re: Signature validation in certificates



    The signature checking works like this:

    The SIGNER (CA or SERVER) builds a digest with an appropriate
    algorithm,
    then he encrypts the digest with its private key.

    Within the certificate you know the digest algorithm, so you can build
    this digest,
    and then you decrypt this signature with the public key of the
    signer; this must be identical to the digest.


    I hope this helps

    Dominique LOHEZ

    Geetha_Priya wrote:
    > I have read numerous certification related docs. Being new to this technology I don't find any material detailing the manual certificate validation [even the faq on the same heading ] specially verifying key part. I also went through verify.c in openssl but key verification is lost amongst the APIs. Here is my understanding on certificate validation
    >
    > A root certificate [signed by CA] comprises of version, serial num, issuer and subject details, public key algorithm details and a signature which is hash of the rest of cert details further encrypted using private key. This root cert is installed by browsers automatically. The web servers have their certificates signed by these CA.
    >
    > When a https site is accessed, the server sends a server certificate that contains most of the above details (except for changed subject name/validity etc.) along with the signature and a RSA public key
    >
    > Now for certificate validation:
    >
    > First we verify the credentials of issuer/common name etc.; that is clear to me
    >
    > Second step is to match the signature which I find a lil confusing
    >
    > Here do you use public key to decrypt the signature portion of your root certificate and compare it with,
    > the decrypted portion of server certificate (decrypted with public key that appears in server certificate). Does this sound right?
    >
    > The root certificate has public key and signature and so does the server certificate.
    >
    > Please clarify as I am manually trying to verify certificates.
    > Any other C files within openssl which talks the details about signature validation.
    >
    > Thanks for your help
    > Regards
    > Geetha
    >
    >
    >
    > DISCLAIMER:
    > This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard is appreciated.
    > __________________________________________________ ____________________
    > OpenSSL Project http://www.openssl.org
    > User Support Mailing List openssl-users@openssl.org
    > Automated List Manager majordomo@openssl.org
    >
    >
    >
    >



    --
    Dr Dominique LOHEZ
    ISEN
    41, Bd Vauban
    F59046 LILLE
    France

    Phone : +33 (0)3 20 30 40 71
    Email: Dominique.Lohez@isen.fr
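
An added example (not part of the original posts and not OpenSSL code) of the check described in this thread, using RSA PKCS#1 v1.5 with SHA-256 and only the Python standard library. The keys, the certificate fields and the helper names are constructed for illustration; `tbs` stands in for the DER-encoded to-be-signed part of a real certificate. It shows that the server certificate's signature is checked with the issuer's public key, not with the key carried in the server certificate itself.

```python
import hashlib

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def make_key(p, q, e=65537):
    """Constructed RSA key from two known primes (demo only, not secure)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)),
            "k": (n.bit_length() + 7) // 8}

def public(key):
    """Public half of a key: modulus, exponent, modulus length in bytes."""
    return {f: key[f] for f in ("n", "e", "k")}

def encode(tbs, k):
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo(SHA-256(tbs))."""
    t = SHA256_PREFIX + hashlib.sha256(tbs).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(tbs, key):
    """Signer: digest the to-be-signed bytes, then apply the private exponent."""
    m = int.from_bytes(encode(tbs, key["k"]), "big")
    return pow(m, key["d"], key["n"]).to_bytes(key["k"], "big")

def verify(tbs, sig, pub):
    """Verifier: apply the signer's public exponent to the signature and
    compare the recovered block with one rebuilt from our own digest."""
    s = int.from_bytes(sig, "big")
    if len(sig) != pub["k"] or s >= pub["n"]:
        return False
    em = pow(s, pub["e"], pub["n"]).to_bytes(pub["k"], "big")
    return em == encode(tbs, pub["k"])

# Constructed keys built from Mersenne primes so the demo is deterministic.
CA = make_key(2**521 - 1, 2**607 - 1)
SERVER = make_key(2**1279 - 1, 2**2203 - 1)

# Simplified certificates; a real tbsCertificate also contains the public key.
ROOT_CERT = {"tbs": b"subject=Demo Root;issuer=Demo Root", "pub": public(CA)}
ROOT_CERT["sig"] = sign(ROOT_CERT["tbs"], CA)        # self-signed
SERVER_CERT = {"tbs": b"subject=www.example.test;issuer=Demo Root", "pub": public(SERVER)}
SERVER_CERT["sig"] = sign(SERVER_CERT["tbs"], CA)    # signed by the CA

def check_chain(leaf, root):
    """Leaf signature is checked with the ISSUER's key; the root with its own."""
    return (verify(leaf["tbs"], leaf["sig"], root["pub"])
            and verify(root["tbs"], root["sig"], root["pub"]))
```

The two signatures are never compared with each other: each one is checked against the digest of its own certificate's to-be-signed bytes.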



  2. RE: Signature validation in certificates

    Thanks Dominique. I guess the openssl verify does these steps to actually verify if an incoming server certificate compares to a root certificate.

    Regards
    Geetha

    -----Original Message-----
    From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of Dominique Lohez
    Sent: Wednesday, July 09, 2008 7:33 PM
    To: openssl-users@openssl.org
    Subject: Re: Signature validation in certificates




