Verify ASN1 Signatures

G5 Cyber Security

5 months ago

TL;DR

This guide shows you how to verify a digital signature encoded in ASN1 format. It covers checking the certificate chain, extracting the public key, and using OpenSSL to confirm the signature.

Verifying an ASN1 Signature: A Step-by-Step Guide

Understand the Components

ASN1 Structure: ASN1 (Abstract Syntax Notation One) is a standard for encoding data structures. Signatures are often stored within complex ASN1 sequences and sets.
Certificate Chain: A series of certificates linking back to a trusted root authority, proving the signer’s identity.
Public Key: Used to verify the signature; it’s part of the certificate.
Signature Data: The actual digital signature itself.
Original Data: The data that was signed. You need this to compare against the verified result.

Check the Certificate Chain Validity

Before verifying the signature, ensure the certificate chain is valid and trusted.

OpenSSL Command: Use OpenSSL to inspect the certificates.
```
openssl verify -CAfile ca_bundle.pem your_certificate.crt
```
(Replace ca_bundle.pem with a file containing trusted root and intermediate certificates, and your_certificate.crt with the signer’s certificate.)
Error Handling: If OpenSSL reports errors (e.g., “unable to get local issuer certificate”), you need to add the missing certificate(s) to your ca_bundle.pem file.

Extract the Public Key from the Certificate

You’ll need the public key in a format OpenSSL can use.

OpenSSL Command: Extract the public key.
```
openssl x509 -pubkey -noout -in your_certificate.crt | openssl pkey -pubin -outform PEM -out public_key.pem
```
(Replace your_certificate.crt with the signer’s certificate.) This creates a file named public_key.pem containing the key.

Verify the Signature Using OpenSSL

This is where you confirm if the signature matches the original data and public key.

OpenSSL Command: Verify the signature.
```
openssl dgst -sha256 -verify public_key.pem -signature signature_file your_data_file
```
(Replace public_key.pem with the extracted public key file, signature_file with the ASN1 encoded signature, and your_data_file with the original data.)
Output Interpretation:
- “Verified OK” means the signature is valid.
- “Verification Failure” indicates a problem – either the signature is incorrect, the data has been altered, or the wrong public key was used.

Dealing with Different Hash Algorithms

The example uses SHA256. If the signature uses a different algorithm (e.g., SHA1, SHA512), change the -sha256 option accordingly.

Common Options: Use -sha1 for SHA1, -sha512 for SHA512, etc.

Troubleshooting Common Issues

Incorrect File Formats: Ensure the signature file is in a format OpenSSL understands (often DER or PEM).
Data Mismatch: The data used for verification must be *exactly* the same as what was originally signed. Even a single character difference will cause failure.
Key Usage: Verify that the certificate’s key usage extension allows digital signatures.