
Hi, I am a novice in the "world of cryptography". I have started working with OpenSSL. I need some information, and I have some doubts. I have a DER format file. I read the file using the following command, "openssl x509 -inform DER -in filename.der -text", and I got what I was supposed to get.

These are the things I wanted to know:

  1. What is the difference between PKCS7, DER and X509? (My understanding is that DER is a format, X509 is a certificate, and PKCS7 is the standard.)

  2. I wrote a test file which accepts the DER file and outputs the version, serial number, subject, validity date before and validity date after, but I am unable to get the certificate verified. The following is the API used:

    int i = X509_verify(x509, X509_get_pubkey(x509));  /* x509 is an X509 * */

     But the value of 'i' is less than 0 (zero). This is why I am getting "Signature verification problems". How do I overcome this?

  3. In my test file I am unable to read the "Signature Algorithm", "Subject Public Key Info", "X509v3 extensions" and "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----".

Please give some inputs.

Thanks in Advance. openSid

+3  A: 

PKCS#7 is a cryptography standard published by RSA Security in 1993 that deals with data that has cryptography applied to it. It's a standard for how to package data securely. PKCS#7 references the X.509 standard as the source for certificate formatting.

X.509 is a wide-ranging security standards document published in 1998 which includes, amongst other things, certificate file formats.

X.509 specifies that certificates should be encoded using the Distinguished Encoding Rules of the ASN.1 (documented in the X.208 and now X.608) standard, first published in 1984.

So, DER says how to encode some strings and numeric source data into a binary format, X.509 says which data needs to go into a digital certificate, and PKCS#7 says how that certificate should be used, to digitally sign a message.

Privacy Enhanced Mail - some kind of tool released before OpenSSL - needed to pass PKCS#7 "wrapped" data around in email messages that at the time were exchanged on systems that only supported 7-bit ASCII characters. "PEM" created the standard of using Base64 to encode the X.509 certificates required by PKCS#7, and storing the base64 inside -----BEGIN ???----- -----END ???-----, where ??? can be an RSA PRIVATE KEY, RSA PUBLIC KEY, CERTIFICATE etc.

Chris Becke
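
The DER/PEM relationship described in the answer above, as an added example (not part of the original answer and not OpenSSL code): PEM is base64 of the same DER bytes between BEGIN/END lines, and the "Signature Algorithm" is the second element of the certificate's outer DER SEQUENCE. The helper names are hypothetical and the sample bytes are constructed to be certificate-shaped only.

```python
import base64

def tlv(tag, body):  # encode one DER tag-length-value (definite length)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body                    # short-form length
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body    # long-form length

def read_tlv(buf, off=0):  # -> (tag, value, offset just past this TLV)
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                         # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + n], off + n

def decode_oid(body):  # OBJECT IDENTIFIER contents -> dotted string
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                                 # final byte of this arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)                        # first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def der_to_pem(der, label="CERTIFICATE"):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_to_der(pem):
    lines = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _, off = read_tlv(cert)                           # skip tbsCertificate
    _, alg, _ = read_tlv(cert, off)                      # AlgorithmIdentifier SEQUENCE
    return decode_oid(read_tlv(alg)[1])                  # its first element is the OID

# Constructed sample with the outer shape of a certificate; NOT a real certificate.
_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
SAMPLE_DER = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01")) + _ALG + tlv(0x03, b"\x00" + b"\xaa" * 200))
```

The OID returned for the sample, 1.2.840.113549.1.1.11, is sha256WithRSAEncryption; on a real file, pass the bytes of the .der file to `signature_algorithm_oid` instead of `SAMPLE_DER`.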
A: 

Hi Chris, thanks a lot for your brief explanation. In C, I am able to read the "Version", "Issuer", "Validity" & "Subject". But how do we get the "Signature Algorithm", "Subject Public Key Info" & the "Padding -----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----", and verify with the certificate? My certificate is in DER format.

Please give some inputs.

Thanks in Advance. openSid

sid
Asking more questions as an answer doesn't really make sense. To answer your question, I think more of a complete code sample demonstrating your problem would be helpful. I am not familiar with the actual OpenSSL API so I can't even hazard a guess as to what you are trying to do without a compilable sample program.
Chris Becke