Newbie question: RSA Signature Verification


Sindolfo
Mar 28, 2007, 3:52:06 PM
to Crypto++ Users
I need to read a public key from a certificate (cert.pem file) in
order to verify a signature.

My list of files is:

cert.pem (public key to be used in the verification)
application.zip (signed file)
signature.sig (the signature to be verified)

The code that I found at http://www.cryptopp.com/wiki/RSA_Cryptography
does not fit my needs because it reads a "key.pb" (public key) not a
PEM encoded file.

Can someone help me with some code to do the job?

Thanks in advance.

v.miethe
Mar 29, 2007, 4:26:55 AM
to Sindolfo, Crypto++ Users
Hi,

All you need is an X.509 parser. It has nothing to do with the Crypto++
Library.

Sindolfo wrote:

Geoff Beier
Mar 29, 2007, 7:32:37 PM
to Crypto++ Users
Crypto++ has all you need to extract the key and verify a signature.
It's worth observing that for most applications that use certificates,
this is not sufficient; you should first build the certificate path,
make sure that the signatures chain back to someone you trust, and
check the revocation status, validity dates, key usage restrictions,
certificate policies, etc. If you've taken care of appropriate
validation of the certificate and just want to use its key to verify a
signature, here's a function to get the key:

// Adjust the include path to match your Crypto++ installation.
#include <cryptopp/asn.h>      // BERSequenceDecoder, BERGeneralDecoder, DERSequenceEncoder
#include <cryptopp/integer.h>  // Integer

using namespace CryptoPP;

/**
 * Reads an X.509 v3 certificate from certin, extracts the
 * subjectPublicKeyInfo structure (which is one way PK_Verifiers
 * can get their key material) and writes it to keyout
 *
 * @throws CryptoPP::BERDecodeErr
 */
void GetPublicKeyFromCert(CryptoPP::BufferedTransformation & certin,
                          CryptoPP::BufferedTransformation & keyout)
{
    BERSequenceDecoder x509Cert(certin);
    BERSequenceDecoder tbsCert(x509Cert);
    // ASN.1 from RFC 3280
    // TBSCertificate ::= SEQUENCE {
    // version [0] EXPLICIT Version DEFAULT v1,
    BERGeneralDecoder context(tbsCert,0xa0); // consume the context tag on the version
    word32 ver;
    BERDecodeUnsigned<word32>(context,ver,INTEGER,2,2); // only want a v3 cert
    // serialNumber CertificateSerialNumber,
    Integer serial;
    serial.BERDecode(tbsCert);
    // signature AlgorithmIdentifier,
    BERSequenceDecoder signature(tbsCert);
    signature.SkipAll();
    // issuer Name,
    BERSequenceDecoder issuerName(tbsCert);
    issuerName.SkipAll();
    // validity Validity,
    BERSequenceDecoder validity(tbsCert);
    validity.SkipAll();
    // subject Name,
    BERSequenceDecoder subjectName(tbsCert);
    subjectName.SkipAll();
    // subjectPublicKeyInfo SubjectPublicKeyInfo,
    BERSequenceDecoder spki(tbsCert);
    DERSequenceEncoder spkiEncoder(keyout);
    spki.CopyTo(spkiEncoder);       // copy the SPKI contents into a fresh SEQUENCE on keyout
    spkiEncoder.MessageEnd();
    spki.SkipAll();
    // the remaining TBSCertificate and Certificate fields are not needed
    tbsCert.SkipAll();
    x509Cert.SkipAll();
}

I'd find it useful if a similar function made its way into crypto++ :)

If your certificate is in PEM format, be sure your
BufferedTransformation has a base64 decoding filter there.

I've attached a small test program that shows how to use the key from
the certificate to verify a signature. The test program just has a
couple of DER-encoded certificates pasted into the code as byte array
literals.

HTH,

Geoff

certtest.cc
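
Added example, not part of the thread and not Crypto++ code: the PEM step mentioned above (strip the armor lines, base64-decode to DER) followed by the same TBSCertificate walk to subjectPublicKeyInfo, written with the C++ standard library only so the byte-level layout is visible. The names PemToDer, ReadTlv, ExtractSpki and kSamplePem are hypothetical, and the sample input is a constructed skeleton rather than a real certificate.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;
const std::string kB64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// Constructed sample: a skeleton with empty name/validity fields, not a real certificate.
const std::string kSamplePem = "-----BEGIN CERTIFICATE-----\n"
    "MBkwF6ADAgECAgEBMAAwADAAMAAwBTAAAwEA\n-----END CERTIFICATE-----\n";
// Base64-decode the body. A '-' marks an armor line; CR/LF and '=' padding are ignored.
Bytes PemToDer(const std::string& pem) {
    Bytes out; uint32_t acc = 0; int bits = 0;
    for (size_t i = 0; i < pem.size(); ++i) {
        if (pem[i] == '-' && (i = pem.find('\n', i)) == std::string::npos) break;
        size_t v = kB64.find(pem[i]);
        if (v == std::string::npos) continue;
        acc = (acc << 6) | static_cast<uint32_t>(v); bits += 6;
        if (bits >= 8) { bits -= 8; out.push_back((acc >> bits) & 0xff); }
    }
    return out;
}

struct Tlv { uint8_t tag; size_t start, hdr, len; };  // hdr = tag + length octets
// Read one definite-length DER header at `at`, require tag `want`, bound the value by `end`.
Tlv ReadTlv(const Bytes& d, size_t at, size_t end, uint8_t want) {
    if (end > d.size() || at + 2 > end || d[at] != want) throw std::runtime_error("bad TLV");
    Tlv t{d[at], at, 2, d[at + 1]};
    if (t.len & 0x80) {                       // long form: n length octets follow
        size_t n = t.len & 0x7f;
        if (n == 0 || n > 4 || at + 2 + n > end) throw std::runtime_error("bad length");
        for (t.len = 0; t.hdr < 2 + n; ++t.hdr) t.len = (t.len << 8) | d[at + t.hdr];
    }
    if (t.len > end - at - t.hdr) throw std::runtime_error("value overruns parent");
    return t;
}

// Field order: version [0], serialNumber, signature, issuer, validity, subject, SPKI.
Bytes ExtractSpki(const Bytes& der) {
    Tlv cert = ReadTlv(der, 0, der.size(), 0x30);
    Tlv tbs = ReadTlv(der, cert.hdr, cert.hdr + cert.len, 0x30);
    size_t at = tbs.start + tbs.hdr, end = at + tbs.len;
    const uint8_t order[] = {0xa0, 0x02, 0x30, 0x30, 0x30, 0x30, 0x30};
    Tlv t{};
    for (uint8_t tag : order) {
        t = ReadTlv(der, at, end, tag);
        if (tag == 0xa0 && (t.len != 3 || der[at + 4] != 2)) throw std::runtime_error("not v3");
        at += t.hdr + t.len;
    }
    return Bytes(der.begin() + t.start, der.begin() + at);
}
```

The bytes returned by ExtractSpki correspond to what GetPublicKeyFromCert writes to keyout. The certificate validation steps listed in the post above still have to happen before that key is trusted.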