I want to sign a hash with openssl pkeyutl and verify it with openssl dgst -verify.
Down below are my testing private and public keys (EC keys):
private.pem:
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFYL7prqjwKcVpKp4VF0kSshVoNCu3QzFeJHjvq78n4FoAoGCCqGSM49
AwEHoUQDQgAEkcL/M+0hEuW/VUNCZT5Jc1pyw9gm4vphWldTdAqMJhC8eTiP/gao
rTkz6+iFfOPbJTEzRD8y36WqYAlS+65W8A==
-----END EC PRIVATE KEY-----
public.pem:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkcL/M+0hEuW/VUNCZT5Jc1pyw9gm
4vphWldTdAqMJhC8eTiP/gaorTkz6+iFfOPbJTEzRD8y36WqYAlS+65W8A==
-----END PUBLIC KEY-----
$ echo -n "123456" | openssl dgst -sha256
8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
SHA-256 of 123456 is 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92.
Let's sign SHA256(123456) with pkeyutl
$ echo -n "8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92" | openssl pkeyutl -inkey private.pem -sign | openssl base64 -e -A
MEYCIQDIJHf2SQJliMNvPwgCqanzqWxleK/YGSCd15RK8IYPEQIhAOlcvXH9ASQRMRNgKgMr4ZZLL3nyaCsTHBeU0iReZMmp
So we have signature encoded in base64 MEYCIQDIJHf2SQJliMNvPwgCqanzqWxleK/YGSCd15RK8IYPEQIhAOlcvXH9ASQRMRNgKgMr4ZZLL3nyaCsTHBeU0iReZMmp
Now let's verify with openssl pkeyutl -verify
$ openssl pkeyutl -verify -pubin -inkey public.pem -sigfile <(echo -n "MEYCIQDIJHf2SQJliMNvPwgCqanzqWxleK/YGSCd15RK8IYPEQIhAOlcvXH9ASQRMRNgKgMr4ZZLL3nyaCsTHBeU0iReZMmp" | openssl enc -A -base64 -d ) -in <(echo -n "8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92")
Signature Verified Successfully
So it has been verified successfully.
AND NOW the problematic part:
So the original data we wanted to sign is "123456". Let's use openssl dgst for this:
$ echo -n "123456" | openssl dgst -sha256 -verify public.pem -signature <(echo -n "MEYCIQDIJHf2SQJliMNvPwgCqanzqWxleK/YGSCd15RK8IYPEQIhAOlcvXH9ASQRMRNgKgMr4ZZLL3nyaCsTHBeU0iReZMmp" | openssl enc -A -base64 -d)
Verification Failure
Which returns Verification Failure.
Does openssl dgst do something else while creating the sha256 digest from the original "123456" text? From my understanding it should work because pkeyutl signs the same sha256 hash as is generated via openssl dgst -sha256. Here we are using the same private and public keys, so I don't get why openssl dgst -verify is not able to verify the signature generated via pkeyutl.
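As an added example (not part of the original question), the script below reproduces the failure and shows the input pkeyutl needs. For an EC key, openssl pkeyutl -sign treats whatever it is given as the digest to sign; the question pipes in the 64 ASCII characters of the hex string, so the signature covers those text bytes (ECDSA keeps only the leftmost order-length bits, i.e. the first 32 characters), not the 32 raw digest bytes that openssl dgst -sha256 -verify computes from "123456". Hashing with -binary and passing -pkeyopt digest:sha256 to pkeyutl makes both tools agree. The script assumes the openssl CLI (1.1.x or 3.x) is on PATH and generates a throwaway P-256 key pair in a temp directory instead of reusing the posted keys; the file names are arbitrary.

```shell
#!/bin/sh
# Added example, not part of the original question: reproduce the
# "Verification Failure" above and show the input pkeyutl actually needs.
# Assumes the openssl CLI (1.1.x or 3.x) is on PATH. A throwaway P-256
# key pair is generated in a temp dir; file names are arbitrary choices.

setup_keys() {
    WORK="$(mktemp -d)"
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/private.pem" 2>/dev/null
    openssl ec -in "$WORK/private.pem" -pubout -out "$WORK/public.pem" 2>/dev/null
}

cleanup() {
    rm -rf "$WORK"
}

# What the question does: feed pkeyutl the *hex text* of the digest. For an
# EC key, pkeyutl -sign treats its input as the digest to sign, so the 64
# ASCII characters (not the 32 digest bytes) are what gets signed. Returns 0
# only if dgst -verify accepts that signature, which it does not.
sign_hex_text_then_dgst_verify() {
    printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= //' | tr -d '\n' \
        > "$WORK/digest.hex"
    openssl pkeyutl -sign -inkey "$WORK/private.pem" \
        -in "$WORK/digest.hex" -out "$WORK/sig_hex.der" 2>/dev/null
    printf '%s' "$1" | openssl dgst -sha256 -verify "$WORK/public.pem" \
        -signature "$WORK/sig_hex.der" >/dev/null 2>&1
}

# The fix: hash to raw bytes (-binary) and tell pkeyutl which digest it is
# (-pkeyopt digest:sha256, which also makes it reject inputs of the wrong
# length). Returns 0 only if both dgst -verify and pkeyutl -verify accept.
sign_digest_then_dgst_verify() {
    printf '%s' "$1" | openssl dgst -sha256 -binary > "$WORK/digest.bin"
    openssl pkeyutl -sign -inkey "$WORK/private.pem" -pkeyopt digest:sha256 \
        -in "$WORK/digest.bin" -out "$WORK/sig.der" 2>/dev/null || return 1
    printf '%s' "$1" | openssl dgst -sha256 -verify "$WORK/public.pem" \
        -signature "$WORK/sig.der" >/dev/null 2>&1 || return 1
    openssl pkeyutl -verify -pubin -inkey "$WORK/public.pem" -pkeyopt digest:sha256 \
        -in "$WORK/digest.bin" -sigfile "$WORK/sig.der" >/dev/null 2>&1
}

setup_keys
if sign_hex_text_then_dgst_verify 123456; then
    echo "unexpected: dgst -verify accepted a signature over the hex text"
else
    echo "signature over hex text: Verification Failure (as in the question)"
fi
if sign_digest_then_dgst_verify 123456; then
    echo "signature over raw digest: Verified OK by dgst and pkeyutl"
else
    echo "unexpected: signature over raw digest was rejected"
fi
cleanup
```

The same applies in the other direction: a signature produced by openssl dgst -sha256 -sign private.pem over "123456" verifies with openssl pkeyutl -verify only when the -in file holds the 32 raw digest bytes and -pkeyopt digest:sha256 is given.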