Asymmetric cryptography (also known as public key cryptography) is a cryptographic system that uses a pair of keys: a public key and a private key. The private key is used to sign a message, and the public key is used to verify the message against that signature. This tutorial shows how to sign a file and verify its signature with a public and private key using OpenSSL.
Let's say we have the following public key (saved as test.pub) and private key (saved as test.key):
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN/ovAmhoNOnE2VoJeUunpEB+CwTyPbK
I8VnQ+rLa75riBtmfYrGdUD8Cv/p+ioL86xwSvX+HYXnkPffEXc7IlUCAwEAAQ==
-----END PUBLIC KEY-----
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA3+i8CaGg06cTZWgl
5S6ekQH4LBPI9sojxWdD6strvmuIG2Z9isZ1QPwK/+n6KgvzrHBK9f4dheeQ998R
dzsiVQIDAQABAkA3eyS0wj7mkvykYPUa371csv86dMCUHixU6qySjkspSGcvdqNQ
UuAfRJ97n8m8wkNSHhF2HIWH2lPdC/MsZX/VAiEA8QLAZXzsUiEIQ04enLZRq0cv
YkD8mLyXVpT56ZrdEDsCIQDt1bMedIH1kCcAvg4PHAugXw1NeJSvpOpUqOyPwmB+
rwIhAJDhq5EW4OWaT+JOAt8IRt4k49o34OFcdcmpsvZ4jy3jAiA7n+2N3wuNspv0
lbEUnKVViT7egzJTbnbIzqivyb1DRQIhAKbr3cYY4mk0HKFQg3oEhWi2stSPulYz
KNkxLcXmqXjr
-----END PRIVATE KEY-----
Signing
The openssl pkeyutl command can be used for signing and verifying input data using a public and private key. To sign a file named data.txt with the private key test.key, run the following command:
openssl pkeyutl -sign -rawin -inkey test.key -in data.txt -out data.sig
The command writes the signature to the file data.sig.
The meaning of the options:
-sign - signs the input data with the private key.
-rawin - specifies that the input is raw data rather than a precomputed digest; pkeyutl hashes it itself before signing (SHA-256 unless another digest is chosen with -digest).
-inkey test.key - specifies the file from which the private key is read.
-in data.txt - specifies the input file containing the data to sign.
-out data.sig - specifies the output file to which the signature is written.
Verifying
Run the following command to verify the file data.txt against the signature file data.sig using the public key test.pub:
openssl pkeyutl -verify -rawin -pubin -inkey test.pub -in data.txt -sigfile data.sig
The command prints whether the verification succeeded or failed and exits with a nonzero status on failure, so scripts should check the exit status rather than parse the message.
The meaning of the options:
-verify - verifies the input data against the signature.
-rawin - specifies that the input is raw data rather than a precomputed digest; pkeyutl hashes it itself before verifying (with the same digest that was used for signing, SHA-256 by default).
-pubin - reads a public key instead of a private key.
-inkey test.pub - specifies the file from which the public key is read.
-in data.txt - specifies the input file containing the data to verify.
-sigfile data.sig - specifies the file from which the signature is read.
2 Comments
The commands above don't work anymore. I found this on the Internet: "As of openssl 3.0.0 the -rawin option is required."
Signing:
openssl pkeyutl -sign -inkey test.key -rawin -in data.txt -out data.sig
Verifying:
openssl pkeyutl -verify -pubin -inkey test.pub -rawin -in data.txt -sigfile data.sig
The -sign and -verify options accept the input data, which must be a hash. The command does not hash the input data unless the -rawin option is specified. The -rawin option is available since OpenSSL 3.0. I updated the commands in the tutorial. Thanks, very well observed.