doc/a_verify.doc - third_party/openssl - Git at Google

 From eay@mincom.com Fri Oct  4 18:29:06 1996
 Received: by orb.mincom.oz.au id AA29080
   (5.65c/IDA-1.4.4 for eay); Fri, 4 Oct 1996 08:29:07 +1000
 Date: Fri, 4 Oct 1996 08:29:06 +1000 (EST)
 From: Eric Young <eay@mincom.oz.au>
 X-Sender: eay@orb
 To: wplatzer <wplatzer@iaik.tu-graz.ac.at>
 Cc: Eric Young <eay@mincom.oz.au>, SSL Mailing List <ssl-users@mincom.com>
 Subject: Re: Netscape's Public Key
 In-Reply-To: <19961003134837.NTM0049@iaik.tu-graz.ac.at>
 Message-Id: <Pine.SOL.3.91.961004081346.8018K-100000@orb>
 Mime-Version: 1.0
 Content-Type: TEXT/PLAIN; charset=US-ASCII
 Status: RO
 X-Status:

 On Thu, 3 Oct 1996, wplatzer wrote:
 > I get Public Key from Netscape (Gold 3.0b4), but cannot do anything
 > with it... It looks like (asn1parse):
 >
 > 0:d=0 hl=3 l=180 cons: SEQUENCE
 > 3:d=1 hl=2 l= 96 cons: SEQUENCE
 > 5:d=2 hl=2 l= 92 cons: SEQUENCE
 > 7:d=3 hl=2 l= 13 cons: SEQUENCE
 > 9:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
 > 20:d=4 hl=2 l= 0 prim: NULL
 > 22:d=3 hl=2 l= 75 prim: BIT STRING
 > 99:d=2 hl=2 l= 0 prim: IA5STRING :
 > 101:d=1 hl=2 l= 13 cons: SEQUENCE
 > 103:d=2 hl=2 l= 9 prim: OBJECT :md5withRSAEncryption
 > 114:d=2 hl=2 l= 0 prim: NULL
 > 116:d=1 hl=2 l= 65 prim: BIT STRING
 >
 > The first BIT STRING is the public key and the second BIT STRING is
 > the signature.
 > But a public key consists of the public exponent and the modulus. Are
 > both numbers in the first BIT STRING?
 > Is there a document simply describing this coding stuff (checking
 > signature, get the public key, etc.)?

 Minimal in SSLeay.  If you want to see what the modulus and exponent are,
 try asn1parse -offset 25 -length 75 <key.pem
 asn1parse will currently stuff up on the 'length 75' part (fixed in next
 release) but it will print the stuff.  If you are after more
 documentation on ASN.1, have a look at www.rsa.com and get their PKCS
 documents, most of my initial work on SSLeay was done using them.

 As for SSLeay,
 util/crypto.num and util/ssl.num are lists of all exported functions in
 the library (but not macros :-(.

 The ones for extracting public keys from certificates and certificate
 requests are EVP_PKEY *      X509_REQ_extract_key(X509_REQ *req);
 EVP_PKEY *      X509_extract_key(X509 *x509);

 To verify a signature on a signed ASN.1 object
 int X509_verify(X509 *a,EVP_PKEY *key);
 int X509_REQ_verify(X509_REQ *a,EVP_PKEY *key);
 int X509_CRL_verify(X509_CRL *a,EVP_PKEY *key);
 int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a,EVP_PKEY *key);

 I should mention that EVP_PKEY can be used to hold a public or a private key,
 since for  things like RSA and DSS, a public key is just a subset of what
 is stored for the private key.

 To sign any of the above structures

 int X509_sign(X509 *a,EVP_PKEY *key,EVP_MD *md);
 int X509_REQ_sign(X509_REQ *a,EVP_PKEY *key,EVP_MD *md);
 int X509_CRL_sign(X509_CRL *a,EVP_PKEY *key,EVP_MD *md);
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *a,EVP_PKEY *key,EVP_MD *md);

 where md is the message digest to sign with.

 There are all defined in x509.h and all the _sign and _verify functions are
 actually macros to the ASN1_sign() and ASN1_verify() functions.
 These functions will put the correct algorithm identifiers in the correct
 places in the structures.

 eric
 --
 Eric Young                  | BOOL is tri-state according to Bill Gates.
 AARNet: eay@mincom.oz.au    | RTFM Win32 GetMessage().
	From eay@mincom.com Fri Oct 4 18:29:06 1996
	Received: by orb.mincom.oz.au id AA29080
	(5.65c/IDA-1.4.4 for eay); Fri, 4 Oct 1996 08:29:07 +1000
	Date: Fri, 4 Oct 1996 08:29:06 +1000 (EST)
	From: Eric Young <eay@mincom.oz.au>
	X-Sender: eay@orb
	To: wplatzer <wplatzer@iaik.tu-graz.ac.at>
	Cc: Eric Young <eay@mincom.oz.au>, SSL Mailing List <ssl-users@mincom.com>
	Subject: Re: Netscape's Public Key
	In-Reply-To: <19961003134837.NTM0049@iaik.tu-graz.ac.at>
	Message-Id: <Pine.SOL.3.91.961004081346.8018K-100000@orb>
	Mime-Version: 1.0
	Content-Type: TEXT/PLAIN; charset=US-ASCII
	Status: RO
	X-Status:

	On Thu, 3 Oct 1996, wplatzer wrote:
	> I get Public Key from Netscape (Gold 3.0b4), but cannot do anything
	> with it... It looks like (asn1parse):
	>
	> 0:d=0 hl=3 l=180 cons: SEQUENCE
	> 3:d=1 hl=2 l= 96 cons: SEQUENCE
	> 5:d=2 hl=2 l= 92 cons: SEQUENCE
	> 7:d=3 hl=2 l= 13 cons: SEQUENCE
	> 9:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
	> 20:d=4 hl=2 l= 0 prim: NULL
	> 22:d=3 hl=2 l= 75 prim: BIT STRING
	> 99:d=2 hl=2 l= 0 prim: IA5STRING :
	> 101:d=1 hl=2 l= 13 cons: SEQUENCE
	> 103:d=2 hl=2 l= 9 prim: OBJECT :md5withRSAEncryption
	> 114:d=2 hl=2 l= 0 prim: NULL
	> 116:d=1 hl=2 l= 65 prim: BIT STRING
	>
	> The first BIT STRING is the public key and the second BIT STRING is
	> the signature.
	> But a public key consists of the public exponent and the modulus. Are
	> both numbers in the first BIT STRING?
	> Is there a document simply describing this coding stuff (checking
	> signature, get the public key, etc.)?

	Minimal in SSLeay. If you want to see what the modulus and exponent are,
	try asn1parse -offset 25 -length 75 <key.pem
	asn1parse will currently stuff up on the 'length 75' part (fixed in next
	release) but it will print the stuff. If you are after more
	documentation on ASN.1, have a look at www.rsa.com and get their PKCS
	documents, most of my initial work on SSLeay was done using them.

	As for SSLeay,
	util/crypto.num and util/ssl.num are lists of all exported functions in
	the library (but not macros :-(.

	The ones for extracting public keys from certificates and certificate
	requests are EVP_PKEY * X509_REQ_extract_key(X509_REQ *req);
	EVP_PKEY * X509_extract_key(X509 *x509);

	To verify a signature on a signed ASN.1 object
	int X509_verify(X509 a,EVP_PKEY key);
	int X509_REQ_verify(X509_REQ a,EVP_PKEY key);
	int X509_CRL_verify(X509_CRL a,EVP_PKEY key);
	int NETSCAPE_SPKI_verify(NETSCAPE_SPKI a,EVP_PKEY key);

	I should mention that EVP_PKEY can be used to hold a public or a private key,
	since for things like RSA and DSS, a public key is just a subset of what
	is stored for the private key.

	To sign any of the above structures

	int X509_sign(X509 a,EVP_PKEY key,EVP_MD *md);
	int X509_REQ_sign(X509_REQ a,EVP_PKEY key,EVP_MD *md);
	int X509_CRL_sign(X509_CRL a,EVP_PKEY key,EVP_MD *md);
	int NETSCAPE_SPKI_sign(NETSCAPE_SPKI a,EVP_PKEY key,EVP_MD *md);

	where md is the message digest to sign with.

	There are all defined in x509.h and all the _sign and _verify functions are
	actually macros to the ASN1_sign() and ASN1_verify() functions.
	These functions will put the correct algorithm identifiers in the correct
	places in the structures.

	eric
	--
	Eric Young \| BOOL is tri-state according to Bill Gates.
	AARNet: eay@mincom.oz.au \| RTFM Win32 GetMessage().