# OpenSSL verification problem



## telltera (Sep 3, 2010)

Dear all,


I have to sign a message with a private key using SHA-1 with RSA, using the Java JCE (Bouncy Castle engine), on System A.

I then have to pass the public key, the original message and the signature to System B, which uses OpenSSL to verify the signature.

At the OpenSSL end, I use:

`openssl dgst -sha1 -verify pubkey.pem -signature s.sign data.sha1`


Where: pubkey.pem is the public key, which I pass in PEM format.

s.sign = signature in hex format (here I am not sure what format to use)

data.sha1 = I send the original message to System B as a hex string. At System B I compute the SHA-1 digest of this hex string and store it in data.sha1 to verify.


However the verification always fails.


In this regard, what are the expected formats of the files?

Is there a way to use a hex file for data and signature? Or even a base64-encoded signature and data for verification?

What am I doing wrong here?


Please help!!


----------



## ohauer (Sep 4, 2010)

Given you will sign a file named foo.tgz:

- source file: foo.tgz
- signed digest: foo.tgz.sha1
- private key: mykey.pem
- public key: pubkey.pem

On the signer machine:

```
openssl dgst -sha1 -sign mykey.pem -out foo.tgz.sha1 foo.tgz
```

Transfer the files foo.tgz, foo.tgz.sha1 and pubkey.pem to the target machine.

To check the signature on the target machine:

```
openssl dgst -sha1 -verify pubkey.pem -signature foo.tgz.sha1 foo.tgz
```


----------
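The file formats asked about in this thread, as an added example that is not part of either post: `openssl dgst -verify` hashes the data file itself and expects the signature as raw bytes, so a hex-encoded message and signature have to be decoded first. The function names `hex_to_bin` and `verify_hex_sig` and the optional digest argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are assumptions.

# hex_to_bin: hex text on stdin -> raw bytes on stdout (pure POSIX sh;
# `xxd -r -p` does the same where xxd is installed).
hex_to_bin() {
  hex=$(tr -d ' \t\r\n')
  case $hex in *[!0-9a-fA-F]*) return 1 ;; esac     # not hex
  [ $(( ${#hex} % 2 )) -eq 0 ] || return 1          # not whole bytes
  while [ -n "$hex" ]; do
    rest=${hex#??}
    # first two hex digits -> octal escape -> one byte
    printf "\\$(printf '%03o' "0x${hex%"$rest"}")"
    hex=$rest
  done
}

# verify_hex_sig PUBKEY_PEM MSG_HEX_FILE SIG_HEX_FILE [DIGEST]
# Decodes both hex files, then hands openssl the raw message (not a
# precomputed digest: `openssl dgst` hashes the data file itself) and the
# raw binary signature. DIGEST defaults to sha1, as used in the thread.
# For a base64 signature, decode with `openssl base64 -d` instead.
verify_hex_sig() {
  tmp=$(mktemp -d) || return 2
  rc=0
  { hex_to_bin <"$2" >"$tmp/msg.bin" &&
    hex_to_bin <"$3" >"$tmp/sig.bin" &&
    openssl dgst "-${4:-sha1}" -verify "$1" \
      -signature "$tmp/sig.bin" "$tmp/msg.bin" >/dev/null 2>&1
  } || rc=$?
  rm -rf "$tmp"
  return "$rc"
}
```

Call it as `verify_hex_sig pubkey.pem msg.hex sig.hex`; it returns 0 only when the decoded signature matches the decoded message under the given public key.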

