-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request for an API to verify signatures #16
Comments
cc @mpcomplete |
@mpcomplete @sethladd Can one of you provide a link to the specification for the signature-verification algorithm you're referring to? |
I defer to @mpcomplete |
I can't find a spec, but it's part of the X509 signature block. I want to be able to verify a X509 SubjectPublicKeyInfo block using the sha256WithRSAEncryption algorithm. In other words, given a signature, key, and file generated on the command line like so: echo "Verified text." > file.txt I want to be able to do the equivalent to: openssl dgst -sha256 -verify publickey.pem -signature signature.sign file.txt ; # should verify OK This might just be a matter of exposing the appropriate openssl methods to dart. Something with the functionality of Chrome's SignatureVerifier would work: https://code.google.com/p/chromium/codesearch#chromium/src/crypto/signature_verifier_openssl.cc&sq=package:chromium&type=cs . |
It looks like
Unfortunately, there's not a good way to get access to native code in Dart, at least from a package. Unless we want to put this into the core libraries somehow, someone will need to port the algorithm to Dart. |
Actually, Julien Tinnes recommended against using RSA for signing purposes. Instead, he recommends "SHA256 + ECDSA on P-256". Equivalent openssl commands: echo "Verified text." > file.txt openssl dgst -sha256 -sign privatekey.pem -binary -out signature.sign file.txt openssl dgst -sha256 -verify publickey.pem -signature signature.sign file.txt |
A customer asked for "anything to help me check a payload against an RSA public key signature? (I think I want to use the sha256WithRSAEncryption algo)." and "I only need the functionality of Chrome's SignatureVerifier class[1], which uses openssl's EVP_PKEY_* and EVP_DigestVerify* and friends."
The text was updated successfully, but these errors were encountered: