j-deng
March 12, 2020, 11:29am
1
I have a requirement to use certificates that begin with -----BEGIN CERTIFICATE----- to verify signatures.
It's unlike a public key, which can be done with:
[entry] = :public_key.pem_decode(public_key_string)
pub_key = :public_key.pem_entry_decode(entry)
:public_key.verify(...)
I have searched for where the certificates are described: https://erlang.org/doc/apps/public_key/using_public_key.html#x509-certificates . But I cannot figure out how to solve it.
1 Like
rjk
March 12, 2020, 11:59am
2
I would look into the X509 hex package; the git repo has some tests that do a sign/verify, see here:
defmodule X509.PublicKeyTest do
  use ExUnit.Case
  import X509.{ASN1, PublicKey}
  doctest X509.PublicKey

  setup_all do
    rsa = X509.PrivateKey.new_rsa(512)
    ec = X509.PrivateKey.new_ec(:secp256r1)

    [
      rsa_key: rsa,
      rsa_pub: derive(rsa),
      ec_key: ec,
      ec_pub: derive(ec)
    ]
  end

  describe "RSA" do
    test "derive", context do

This file has been truncated.
2 Likes
You’ll have to extract the public key from the certificate. While it is possible to do that directly using :public_key, with help of some Record imports, you may want to use the x509 package to simplify things:
{:ok, certificate} = X509.Certificate.from_pem(certificate_string)
public_key = X509.Certificate.public_key(certificate)
:public_key.verify(message, :sha256, signature, public_key)
Depending on the signature algorithm (ECDSA, RSASSA-PKCS1_5, RSASSA-PSS, …) it may be necessary to pass in additional options.
3 Likes
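The route mentioned in the reply above, extracting the key with :public_key alone via Record imports and passing options for RSASSA-PSS, as an added example that is not part of the thread or of the x509 package. The module name `CertVerify`, its function names and the throwaway demo certificate are assumptions for illustration; the record names come from OTP's public_key.hrl, which must be available at compile time.

```elixir
defmodule CertVerify do
  require Record
  @hrl "public_key/include/public_key.hrl"
  # Record accessors for the decoded certificate, extracted from OTP's public_key.hrl.
  Record.defrecordp(:otp_cert, :OTPCertificate, Record.extract(:OTPCertificate, from_lib: @hrl))
  Record.defrecordp(:tbs, :OTPTBSCertificate, Record.extract(:OTPTBSCertificate, from_lib: @hrl))
  Record.defrecordp(:spki, :OTPSubjectPublicKeyInfo, Record.extract(:OTPSubjectPublicKeyInfo, from_lib: @hrl))
  Record.defrecordp(:alg, :PublicKeyAlgorithm, Record.extract(:PublicKeyAlgorithm, from_lib: @hrl))

  # RSASSA-PSS has to be requested explicitly; with no options RSA uses PKCS#1 v1.5.
  @pss [rsa_padding: :rsa_pkcs1_pss_padding, rsa_pss_saltlen: -1, rsa_mgf1_md: :sha256]

  # Returns {:ok, key} with the subject public key in the form :public_key.verify expects.
  def public_key_from_pem(pem) do
    case :public_key.pem_decode(pem) do
      [{:Certificate, der, :not_encrypted} | _] ->
        cert = :public_key.pkix_decode_cert(der, :otp)
        info = cert |> otp_cert(:tbsCertificate) |> tbs(:subjectPublicKeyInfo)
        params = info |> spki(:algorithm) |> alg(:parameters)
        {:ok, to_key(spki(info, :subjectPublicKey), params)}

      _ ->
        {:error, :no_certificate}
    end
  end

  # EC keys are passed to verify as {point, curve}; RSA keys are used as decoded.
  defp to_key({:ECPoint, _} = point, {:namedCurve, _} = curve), do: {point, curve}
  defp to_key(key, _params), do: key

  # Returns true or false, or {:error, :no_certificate} when the PEM holds no certificate.
  def verify(pem, message, signature, opts \\ []) do
    with {:ok, key} <- public_key_from_pem(pem) do
      :public_key.verify(message, :sha256, signature, key, opts)
    end
  end

  # Constructed demo: a throwaway self-signed RSA certificate from OTP's test helper.
  def demo do
    %{cert: der, key: priv} = :public_key.pkix_test_root_cert(~c"demo", key: {:rsa, 2048, 65537})
    pem = :public_key.pem_encode([{:Certificate, der, :not_encrypted}])
    sig = :public_key.sign("message", :sha256, priv, @pss)
    # Check the same PSS signature with matching options, then with the default padding.
    {verify(pem, "message", sig, @pss), verify(pem, "message", sig)}
  end
end
```

Verification only proves the signature matches the key in the certificate; whether that certificate should be trusted is a separate check against a known issuer or a pinned copy.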
j-deng
March 12, 2020, 12:10pm
4
Thanks! @rjk and @voltone