I need to verify an ECDSA signature (found in an X509 CSR).

At first glance, Crypt::OpenSSL::ECDSA::ECDSA_do_verify should do the job.

I have a digest and a signature. I have the public key as a PEM (or DER) string. I know the OID of the curve. I'm missing a couple of pieces.

It appears that do_verify wants a Crypt::OpenSSL::EC_KEY object. But I don't see a method to import the DER into an EC.

Also, it appears that EC_KEY_new_by_curve_name wants an OpenSSL nid; I don't see a method to convert an OID (1.2.3.4...) to a nid (which is an index, not a name.)

Decoding the public key (e.g. using Convert::ASN1) and creating a key from the pieces seems impractical - given that I don't know what curve is in a given public key.

The more I look, the deeper I seem to sink :-)

Someone must have been here before. Any clue on how to get there from here? I'm not fixated on Crypt::OpenSSL::ECDSA, but I DON'T want to fork a process to run the OpenSSL command line.

I've gotten this far (omitting the obvious):

my $ecdsa = Crypt::OpenSSL::ECDSA::ECDSA_SIG->new();

$ecdsa->set_r( $sig->{r} );
$ecdsa->set_s( $sig->{s} );

my $nid = ???( '1.2.3.4' ); # Extracted from CSR
my $key = Crypt::OpenSSL::EC::EC_KEY::new_by_curve_name( $nid);

my $asn1PublicKey = "....I have this";

???$asn1PublicKey = asn1_to_EC_POINT( $asn1PublicKey ); # How?

Crypt::OpenSSL::EC::EC_KEY::set_public_key( $key,$asn1PublicKey )
     or croak( "Failed to create key" );

my $verify = Crypt::OpenSSL::ECDSA::ECDSA_do_verify( 
    sha256( $certificationRequest ), $ecdsa, $key );

# The equivalent for RSA is trivial:

my $key = Crypt::OpenSSL::RSA->new_public_key( $asn1PublicKey );
$key->use_sha256_hash;
$key->use_pkcs1_padding;
$verify = $key->verify( $certificationRequest, $signature );

# DSA is similar
[download]

Thanks in advance for any help!