Open sethladd opened 9 years ago
cc @mpcomplete
@mpcomplete @sethladd Can one of you provide a link to the specification for the signature-verification algorithm you're referring to?
I defer to @mpcomplete
I can't find a spec, but it's part of the X509 signature block. I want to be able to verify an X509 SubjectPublicKeyInfo block using the sha256WithRSAEncryption algorithm. In other words, given a signature, key, and file generated on the command line like so:
echo "Verified text." > file.txt
echo "Invalid text." > tampered.txt
openssl genrsa -out privatekey.pem 2048
openssl rsa -in privatekey.pem -outform PEM -pubout -out publickey.pem
openssl dgst -sha256 -sign privatekey.pem -binary -out signature.sign file.txt
I want to be able to do the equivalent to:
openssl dgst -sha256 -verify publickey.pem -signature signature.sign file.txt ; # should verify OK
openssl dgst -sha256 -verify publickey.pem -signature signature.sign tampered.txt ; # should FAIL
This might just be a matter of exposing the appropriate openssl methods to dart.
Something with the functionality of Chrome's SignatureVerifier would work: https://code.google.com/p/chromium/codesearch#chromium/src/crypto/signature_verifier_openssl.cc&sq=package:chromium&type=cs .
It looks like sha256WithRSAEncryption() is described in RFC 5754, section 3.2, although I'm not sure how to read that.
This might just be a matter of exposing the appropriate openssl methods to dart.
Unfortunately, there's not a good way to get access to native code in Dart, at least from a package. Unless we want to put this into the core libraries somehow, someone will need to port the algorithm to Dart.
Actually, Julien Tinnes recommended against using RSA for signing purposes. Instead, he recommends "SHA256 + ECDSA on P-256".
Equivalent openssl commands:
echo "Verified text." > file.txt
echo "Invalid text." > tampered.txt
openssl ecparam -genkey -name prime256v1 -out privatekey.pem
openssl ec -in privatekey.pem -outform PEM -pubout -out publickey.pem
openssl dgst -sha256 -sign privatekey.pem -binary -out signature.sign file.txt
openssl dgst -sha256 -verify publickey.pem -signature signature.sign file.txt
openssl dgst -sha256 -verify publickey.pem -signature signature.sign tampered.txt
A customer asked for "anything to help me check a payload against an RSA public key signature? (I think I want to use the sha256WithRSAEncryption algo)." and "I only need the functionality of Chrome's SignatureVerifier class[1], which uses openssl's EVP_PKEY_* and EVP_DigestVerify* and friends."
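For anyone porting this, the verification half of sha256WithRSAEncryption (RSASSA-PKCS1-v1_5 with SHA-256, RFC 8017 section 8.2.2) fits in a few lines. The sketch below is an added example in Python, not code from this thread or from Chrome; it assumes the modulus and exponent have already been extracted from the SubjectPublicKeyInfo, and the Mersenne-prime key and `sign` helper are constructed only to produce a sample signature.

```python
import hashlib
import hmac

# DER DigestInfo header for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_sha256(message: bytes, em_len: int) -> bytes:
    """Encoded message: 0x00 0x01 FF..FF 0x00 || DigestInfo(SHA-256(message))."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for a SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def verify(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """Return True only if signature is valid for message under (n, e)."""
    k = (n.bit_length() + 7) // 8          # modulus length in bytes
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Rebuild the expected encoding and compare whole byte strings.
    # Parsing the padding out of `recovered` instead is what made
    # lenient verifiers accept forged signatures with low exponents.
    return hmac.compare_digest(recovered, emsa_pkcs1_v15_sha256(message, k))


def constructed_test_key():
    """Constructed, insecure demo key built from two Mersenne primes."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))   # (n, e, d)


def sign(n: int, d: int, message: bytes) -> bytes:
    """Test-only signer so the example has a signature to verify."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15_sha256(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


if __name__ == "__main__":
    n, e, d = constructed_test_key()
    sig = sign(n, d, b"Verified text.\n")    # same bytes echo writes to file.txt
    print(verify(n, e, b"Verified text.\n", sig))
    print(verify(n, e, b"Invalid text.\n", sig))
```

A real port still needs a DER parser to pull the modulus and exponent out of the PEM public key.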