Asymmetric cryptography (also known as public key cryptography) is a cryptographic system that uses a public and private key pair. Private key can be used for message signing and public key can be used for message verifying against the signature. This tutorial shows how to sign and verify file signature with public and private key using OpenSSL.
Let's say we have the following public key and private key:
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN/ovAmhoNOnE2VoJeUunpEB+CwTyPbK
I8VnQ+rLa75riBtmfYrGdUD8Cv/p+ioL86xwSvX+HYXnkPffEXc7IlUCAwEAAQ==
-----END PUBLIC KEY----------BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA3+i8CaGg06cTZWgl
5S6ekQH4LBPI9sojxWdD6strvmuIG2Z9isZ1QPwK/+n6KgvzrHBK9f4dheeQ998R
dzsiVQIDAQABAkA3eyS0wj7mkvykYPUa371csv86dMCUHixU6qySjkspSGcvdqNQ
UuAfRJ97n8m8wkNSHhF2HIWH2lPdC/MsZX/VAiEA8QLAZXzsUiEIQ04enLZRq0cv
YkD8mLyXVpT56ZrdEDsCIQDt1bMedIH1kCcAvg4PHAugXw1NeJSvpOpUqOyPwmB+
rwIhAJDhq5EW4OWaT+JOAt8IRt4k49o34OFcdcmpsvZ4jy3jAiA7n+2N3wuNspv0
lbEUnKVViT7egzJTbnbIzqivyb1DRQIhAKbr3cYY4mk0HKFQg3oEhWi2stSPulYz
KNkxLcXmqXjr
-----END PRIVATE KEY-----Signing
The openssl pkeyutl command can be used for signing and verifying input data using public and private key. To sign a file named data.txt with private key test.key, run the following command:
openssl pkeyutl -sign -rawin -inkey test.key -in data.txt -out data.sigCommand outputs signature which saved in file data.sig.
The meaning of options:
-sign- signs the input data with private key.-rawin- specifies that the input data is raw data, which is not hashed.-inkey test.key- specifies the filename to read a private key.-in data.txt- specifies input filename to read data.-out data.sig- specifies output filename to write signature.
Verifying
Run the following command to verify the file named data.txt against the signature file data.sig using public key test.pub:
openssl pkeyutl -verify -rawin -pubin -inkey test.pub -in data.txt -sigfile data.sigCommand indicates if the verification succeeded or failed.
The meaning of options:
-verify- verifies the input data against the signature.-rawin- specifies that the input data is raw data, which is not hashed.-pubin- reads public key instead of a private key.-inkey test.pub- specifies the filename to read a public key.-in data.txt- specifies input filename to read data.-sigfile data.sig- specifies filename to read signature.
The 2 Comments Found
The commands above don't work anymore. I found this on the Internet: "As of openssl 3.0.0 the -rawin option is required."
Signing:
openssl pkeyutl -sign -inkey test.key -rawin -in data.txt -out data.sig
Verifying:
openssl pkeyutl -verify -pubin -inkey test.pub -rawin -in data.txt -sigfile data.sig
The
-signand-verifyoptions accepts the input data, which must be a hash. The command does not hash the input data unless the-rawinoption is specified. The-rawinoption is available since OpenSSL 3.0. I updated the commands in the tutorial. Thanks, very well observed.Leave a Comment
Cancel reply