10

I would like to sign and verify a PDF with elliptic curve. I got some code but it doesn't work.

Create private key:

openssl ecparam -genkey -name secp384r1 -noout -out private.pem

Create public key:

openssl ec -in private.pem -pubout -out public.pem

Sign file:

openssl dgst -ecdsa-with-SHA1 test.pdf > hash openssl dgst
openssl dgst -ecdsa-with-SHA1 -inkey private.pem -keyform PEM -in hash > signature

Verify file:

openssl dgst -ecdsa-with-SHA1 -verify public.pem -signature signature.bin data

The part to sign and verify doesn't work.

Michael
  • Just a caution for incoming readers: **native PDF signatures according to ISO 32000 do not simply calculate the hash over the entire raw file**. So in the current question, the file `test.pdf` could be interpreted as if it had any other extension, e.g. `.txt`. This means that the signature will be calculated over the entire raw file and it won't produce a native PDF signature, i.e. the type of signature that can be interpreted by Adobe Acrobat. – Jaime Hablutzel Jan 27 '19 at 22:39

3 Answers

10

I think you are not actually signing the file, but signing the hash.

I tried the following and it gave me the desired output:

Create signature:
openssl dgst -ecdsa-with-SHA1 -sign private.pem test.pdf > signature.bin

Verify signature:
openssl dgst -ecdsa-with-SHA1 -verify public.pem -signature signature.bin test.pdf
mtak
8

Since -ecdsa-with-SHA1 is not in the man page for dgst and there is no -ecdsa-with-SHA256, I would recommend:

Sign:

openssl dgst -sha1 -sign private.pem test.pdf > signature.bin

Verify:

openssl dgst -sha1 -verify public.pem -signature signature.bin test.pdf
Olivier Lasne
  • source: http://stackoverflow.com/questions/22856059/openssl-ecdsa-sign-and-verify-file – Olivier Lasne Feb 07 '16 at 23:49
  • Wouldn't work. `$ openssl dgst -sha1 -sign private.pem test.pdf > signature.bin` fails with `Error Signing Data 8123:error:0606B06E:digital envelope routines:EVP_SignFinal:wrong public key type:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/crypto/evp/p_sign.c:99:` – Tankman六四 Nov 25 '17 at 22:04
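The two answers above (mtak's with -ecdsa-with-SHA1, Olivier's with a plain digest flag) are the same one-step sign/verify flow; the question's original attempt was a two-step hash-then-sign. The script below is an added example, written for this page and not posted by any of the answerers, that runs the whole procedure end to end and also shows the hash-then-sign route done correctly with `openssl pkeyutl`. It assumes `openssl` 1.1.1 or later on PATH (the `-ecdsa-with-SHA1` option belonged to the 1.0.x `dgst` command; current releases take a digest flag such as `-sha256`), uses SHA-256 rather than SHA-1 because SHA-1 is no longer acceptable for new signatures, and signs a constructed `test.pdf` that is just a few bytes of text. As Jaime Hablutzel's comment on the question notes, this is a signature over the raw file bytes, not a native ISO 32000 PDF signature. The key file names, the `WORK` temp directory and the `run_demo` helper are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original answers): ECDSA sign/verify of an
# arbitrary file with the openssl CLI. Assumes OpenSSL 1.1.1+ on PATH.
set -eu

# All keys, signatures and sample files live in a throwaway directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Key pair on P-384 (secp384r1); the public key is derived from the private one.
gen_keys() {
    openssl ecparam -genkey -name secp384r1 -noout -out "$WORK/private.pem" 2>/dev/null
    openssl ec -in "$WORK/private.pem" -pubout -out "$WORK/public.pem" 2>/dev/null
}

# 2. One-step sign: dgst hashes the file with SHA-256 and writes a DER-encoded
#    ECDSA signature (what the accepted answer does, with a modern digest flag).
sign_file() {  # sign_file <file> <sigfile>
    openssl dgst -sha256 -sign "$WORK/private.pem" -out "$2" "$1"
}

# 3. Verify: exit status 0 for a good signature, non-zero otherwise.
verify_file() {  # verify_file <file> <sigfile>
    openssl dgst -sha256 -verify "$WORK/public.pem" -signature "$2" "$1" >/dev/null 2>&1
}

# Two-step hash-then-sign, which is what the question tried with two dgst calls:
# compute the raw digest, then sign that digest with pkeyutl. The result is a
# normal ECDSA signature over the file and verifies with verify_file above.
sign_hash() {  # sign_hash <file> <sigfile>
    openssl dgst -sha256 -binary "$1" > "$WORK/hash.bin"
    openssl pkeyutl -sign -inkey "$WORK/private.pem" -pkeyopt digest:sha256 \
        -in "$WORK/hash.bin" -out "$2"
}

# End-to-end check on a constructed input. Returns 0 and prints a summary only
# if every expectation holds: both signatures verify, they differ from each
# other, and a modified file no longer verifies.
run_demo() {
    gen_keys
    # Constructed sample input; the .pdf name is cosmetic, only raw bytes are signed.
    printf '%%PDF-1.4 constructed sample, not a real document\n' > "$WORK/test.pdf"

    sign_file "$WORK/test.pdf" "$WORK/sig1.bin"
    sign_hash "$WORK/test.pdf" "$WORK/sig2.bin"
    verify_file "$WORK/test.pdf" "$WORK/sig1.bin" || return 1
    verify_file "$WORK/test.pdf" "$WORK/sig2.bin" || return 1

    # ECDSA draws a fresh nonce per signature, so two valid signatures over the
    # same file are different byte strings; identical output would be suspicious.
    if cmp -s "$WORK/sig1.bin" "$WORK/sig2.bin"; then return 1; fi

    # Change the document by one byte: the signature must now be rejected.
    printf '%%PDF-1.4 constructed sample, not a real document!\n' > "$WORK/tampered.pdf"
    if verify_file "$WORK/tampered.pdf" "$WORK/sig1.bin"; then return 1; fi

    echo "all checks passed"
}

run_demo
```

The `wrong public key type` error quoted in the comment above comes from the legacy `EVP_Sign*` path in OpenSSL 0.9.8, which only knew RSA and DSA; `dgst -sign` in 1.0.0 and later goes through `EVP_DigestSign`, which accepts EC keys, so `-sha256 -sign` works there without any ECDSA-specific flag.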
2

Or if you need an engine, you can also do it in an OpenSSL session:

openssl
OpenSSL> engine -vvvv -t dynamic -pre SO_PATH:someengine.so -pre ID:someengine -pre LIST_ADD:1 -pre LOAD
OpenSSL> dgst -ecdsa-with-SHA1 -out signature.bin -sign private.pem test.pdf
OpenSSL> dgst -ecdsa-with-SHA1 -verify public.pem -signature signature.bin test.pdf

dgst also offers the -engine option, but here it uses the engine loaded earlier. If required, simply add -engine someengine.

lalebarde