I need to verify an ECDSA signature (found in an X509 CSR).
At first glance, Crypt::OpenSSL::ECDSA::ECDSA_do_verify should do the job.
I have a digest and a signature. I have the public key as a PEM (or DER) string. I know the OID of the curve. I'm missing a couple of pieces.
It appears that do_verify wants a Crypt::OpenSSL::EC_KEY object. But I don't see a method to import the DER into an EC.
Also, it appears that EC_KEY_new_by_curve_name wants an OpenSSL nid; I don't see a method to convert an OID (1.2.3.4...) to a nid (which is an index, not a name.)
Decoding the public key (e.g. using Convert::ASN1) and creating a key from the pieces seems impractical - given that I don't know what curve is in a given public key.
The more I look, the deeper I seem to sink :-)
Someone must have been here before. Any clue on how to get there from here? I'm not fixated on Crypt::OpenSSL::ECDSA, but I DON'T want to fork a process to run the OpenSSL command line.
I've gotten this far (omitting the obvious):
my $ecdsa = Crypt::OpenSSL::ECDSA::ECDSA_SIG->new(); $ecdsa->set_r( $sig->{r} ); $ecdsa->set_s( $sig->{s} ); my $nid = ???( '1.2.3.4' ); # Extracted from CSR my $key = Crypt::OpenSSL::EC::EC_KEY::new_by_curve_name( $nid); my $asn1PublicKey = "....I have this"; ???$asn1PublicKey = asn1_to_EC_POINT( $asn1PublicKey ); # How? Crypt::OpenSSL::EC::EC_KEY::set_public_key( $key,$asn1PublicKey ) or croak( "Failed to create key" ); my $verify = Crypt::OpenSSL::ECDSA::ECDSA_do_verify( sha256( $certificationRequest ), $ecdsa, $key ); # The equivalent for RSA is trivial: my $key = Crypt::OpenSSL::RSA->new_public_key( $asn1PublicKey ); $key->use_sha256_hash; $key->use_pkcs1_padding; $verify = $key->verify( $certificationRequest, $signature ); # DSA is similar
Thanks in advance for any help!
This communication may not represent my employer's views, if any, on the matters discussed.
In reply to Verifying an ECC signature (ECDSA)? by tlhackque
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |