Page History
...
Table of Contents |
---|
Introduction
This document describes The article explains how to check the signature of a file signed with an X.509 certificate from the command line using OpenSSL.
The examples uses EC private keys only.
Extracting the Public Key from the X.509 Certificate
To check a signature with OpenSSL we use the public key related to the private key the file was signed with. We extract the public key to the pubkey.pem
file from the given certificate.pem
X.509 certificate file.
Code Block | ||
---|---|---|
| ||
openssl x509 -in certificate.pem -noout -pubkey > pubkey.pem |
Signing a File with a Private Key
In this step a file test.txt
is signed with the privkey.pem
private key file, the binary signature is stored to the test.txt.sig
file.
use EC Private Keys.
How to create a Signature for a File
Signing a File with a Private Key
This step is performed by the signer of a file.
In the below example the test.txt
file is signed with the privatekey.pem
Private Key file. The resulting binary signature is stored to the test.txt.sig
file.
The signer will make available the Certificate/Public Key and signature file to 3rd parties.
Code Block |
---|
openssl dgst -sign privatekey.pem -keyform pem -sha256 -out test.txt.sig -binary test.txt |
How to check the Signature of a File
Extracting the Public Key from the X.509 Certificate
This step is performed by a user who wants to verify the authenticity of a file from its signature.
To check a signature with OpenSSL use the Public Key that is related to the Private Key the given file was signed with. From the given certificate.pem
X.509 certificate file extract the Public Key to the publickey.pem
file .
Code Block | ||
---|---|---|
openssl x509 -in certificate.pem -noout -pubkey > publickey.pem | ||
Code Block | ||
| ||
openssl dgst -sign privkey.pem -keyform pem -sha256 -out test.txt.sig -binary test.txt |
Checking the Signature by use of the Public Key
In this step the pubkeypublickey.pem
public key Public Key file is used to check if the test.txt.sig
signature file matches the test.txt
file.
Code Block | language | bash
---|
openssl dgst -verify pubkeypublickey.pem -keyform pem -sha256 -signature test.txt.sig -binary test.txt |
Possible results are include
Verified OK
- The public key Public Key and signature for the signed file match.
Verification Failure
- The public key Public Key and signature for the signed file do not match.