Reputation: 12369
openssl command line to verify the signature
Hi I have generated a key pair and used the private key to generate a signature.
openssl rsautl -sign -in helloworld.txt -inkey aa.pem -out sig
However I am unable to verify the signature with my public key:
openssl rsautl -verify -in helloworld.txt -inkey aa.pub -sigfile sig
I know there -sigfile is deprecated. and some of the online doc from openssl.org is wrong.
Whats the command I should use to verify the sig with my public key?
Upvotes: 35
Views: 143080
Answers (4)
Reputation: 5774
I found two solutions to your problem.
You can use rsautl this way: (with private key: my.key and public key my-pub.pem)
$ openssl rsautl -sign -inkey my.key -out in.txt.rsa -in in.txt
Enter pass phrase for my.key:
$ openssl rsautl -verify -inkey my-pub.pem -in in.txt.rsa -pubin
Bonjour
With this method, the whole document is included within the signature file and is output by the final command.
But in my case, my certificate says: Signature Algorithm: sha1WithRSAEncryption. So I would recommend that you use the standard way of signing documents in 4 steps: (This method is used for all asymmetric electronic signatures in order not to overload the signature file and/or CPU usage)
- Create digest of document to sign (sender)
- Sign digest with private key (sender)
- Create digest of document to verify (recipient)
- Verify signature with public key (recipient)
OpenSSL does this in two steps:
$ openssl dgst -sha256 -sign my.key -out in.txt.sha256 in.txt
Enter pass phrase for my.key:
$ openssl dgst -sha256 -verify my-pub.pem -signature in.txt.sha256 in.txt
Verified OK
With this method, you send the recipient two documents: the original file plain text, the signature file signed digest. Attention: the signature file does not include the whole document! Only the digest.
Upvotes: 77
Reputation: 141
Verify using public key:
echo "plop" > "helloworld.txt"
openssl rsautl -sign -in helloworld.txt -inkey private.pem -out sig
openssl rsautl -verify -in sig -inkey public.pem -pubin
> plop
Upvotes: 5
Reputation: 41
your method is basically correct. What you miss is to tell rsautl that the inut key file file is a public key by add "-pubin". The item "-pubin" OpenSSL rsautl document isn't accurate " -pubin the input file is an RSA public key. " should be " -pubin the input key file is an RSA public key. " Since the input file should be a signature file.
Upvotes: 4
Reputation: 1851
You can check the doc for rsautl
In your example, this would give :
openssl rsautl -verify -in sig -inkey aa.pem
I have copied my full history below :
echo "plop" > "helloworld.txt"
openssl rsautl -sign -in helloworld.txt -inkey aa.pem -out sig
openssl rsautl -verify -in sig -inkey aa.pem
> plop
Upvotes: 1
Related Questions
- How to verify a ECC signature with OpenSSL command?
- Generating, Signing and Verifying Digital Signature
- Verifying Signed Document using Openssl
- How can I read certificate to verify signature with openssl?
- How to verify openssl certificate on raspberry pi?
- How to verify a digital signature with openssl
- verifying the signature of x509
- openssl verify signature error, but command line tools is ok
- verifying a file signature with openssl dgst
- How to verify a signature via PHP that was created on the OpenSSL command line?