How to verify a signature using X509 certificates

I have a requirement to verify signatures using certificates that begin with -----BEGIN CERTIFICATE-----.
This is unlike a public key, which can be handled with:

[entry] = :public_key.pem_decode(public_key_string)
pub_key = :public_key.pem_entry_decode(entry)
:public_key.verify(...)

I have searched and found where the certificates are described: https://erlang.org/doc/apps/public_key/using_public_key.html#x509-certificates . But I cannot figure out how to solve it.

I would look into the X509 hex package; the git repo has some tests that do a sign/verify, see here:

2 Likes

You’ll have to extract the public key from the certificate. While it is possible to do that directly using :public_key, with help of some Record imports, you may want to use the x509 package to simplify things:

{:ok, certificate} = X509.Certificate.from_pem(certificate_string)
public_key = X509.Certificate.public_key(certificate)
:public_key.verify(message, :sha256, signature, public_key)

Depending on the signature algorithm (ECDSA, RSASSA-PKCS1_5, RSASSA-PSS, …) it may be necessary to pass in additional options.

3 Likes
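
The direct `:public_key` route mentioned above, using Record imports instead of the x509 package, as an added example that is not part of the original posts. The module and function names are hypothetical; it assumes the `OTPCertificate`, `OTPTBSCertificate`, `OTPSubjectPublicKeyInfo` and `PublicKeyAlgorithm` records from `public_key.hrl` and handles RSA and EC keys only.

```elixir
defmodule CertSignature do
  # Hypothetical helper module (added example): certificate -> public key -> verify.
  require Record

  @hrl "public_key/include/public_key.hrl"

  # Erlang record definitions shipped with OTP's public_key application.
  Record.defrecordp(:otp_cert, :OTPCertificate, Record.extract(:OTPCertificate, from_lib: @hrl))
  Record.defrecordp(:tbs_cert, :OTPTBSCertificate, Record.extract(:OTPTBSCertificate, from_lib: @hrl))
  Record.defrecordp(:spki, :OTPSubjectPublicKeyInfo, Record.extract(:OTPSubjectPublicKeyInfo, from_lib: @hrl))
  Record.defrecordp(:pk_alg, :PublicKeyAlgorithm, Record.extract(:PublicKeyAlgorithm, from_lib: @hrl))

  @doc "Returns {:ok, key} for the first certificate found in a PEM string."
  def public_key(pem) when is_binary(pem) do
    # A PEM file may hold several entries (a chain); keep only certificates.
    ders = for {:Certificate, der, :not_encrypted} <- :public_key.pem_decode(pem), do: der

    case ders do
      [] ->
        {:error, :no_certificate}

      [der | _] ->
        info =
          der
          |> :public_key.pkix_decode_cert(:otp)
          |> otp_cert(:tbsCertificate)
          |> tbs_cert(:subjectPublicKeyInfo)

        case spki(info, :subjectPublicKey) do
          # RSA keys are already decoded to an :RSAPublicKey record.
          {:RSAPublicKey, _, _} = key -> {:ok, key}
          # EC keys: verify expects the point together with the curve parameters.
          {:ECPoint, _} = point -> {:ok, {point, pk_alg(spki(info, :algorithm), :parameters)}}
          other -> {:error, {:unsupported_key, other}}
        end
    end
  end

  @doc """
  Verifies `signature` over `message` with the certificate's key. `opts` goes to
  :public_key.verify/5, e.g. [rsa_padding: :rsa_pkcs1_pss_padding] for RSASSA-PSS.
  """
  def verify(pem, message, signature, digest \\ :sha256, opts \\ []) do
    with {:ok, key} <- public_key(pem) do
      :public_key.verify(message, digest, signature, key, opts)
    end
  end
end
```

This checks only that the signature matches the key embedded in the certificate; whether the certificate itself is trusted (chain, validity period) is a separate check.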

Thanks! @rjk and @voltone