<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
I hope some of you could give me advice on my project using OpenSSL.<br>
<br>
Let's say I have a server/service on a machine processing a file a
corresponding client sends. That file is usually created by me on a
clean third machine. The server side is assumed to be uncompromised
(no hacker). The client side may be compromised. Now I need to make
sure that the service only accepts those files that are created by
me. I believe that is a very common requirement and has been done
a lot of times - I just can't find tutorials on how to implement it.
Know any?<br>
<br>
Let's assume I have an x509 cert together with its private key signed
by a CA owned by me. The trusted CA cert will be present on the
server side. This is what I plan to do:<br>
<br>
1.) Create the data files/blobs and sign them using the priv key of
the cert. Distribute the cert and the signature along with (or
inside) the data file.<br>
2.) Have the client send that data file to the server (cert/sig
first)<br>
3.) Service receives the cert, builds a cert store with the local CA
cert in it and verifies the client's cert with X509_verify_cert()<br>
4.) If the cert verifies OK, service compares the signature against the
one calculated from the incoming data using the public key that came
inside the cert just verified<br>
<br>
Would this be the right approach considering that anything the
client sends may be forged (cert, sig, data...)?<br>
Or would it be safer to have the cert used for signing stored on the
server side and not sent with the data (instead just its subject
protected by the signature)?<br>
<br>
Thanks a lot,<br>
Marco<br>
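<br>
The four steps in the message above, sketched with the openssl command-line tool as an added example that is not part of the original post. The CA, subject names, file names and the make_pki, sign_file and accept helpers are constructed for the demo, and "openssl verify" stands in for the X509_verify_cert() call of step 3.<br>

```shell
#!/bin/sh
# Added example; every name, subject and path here is constructed for the demo.
W=$(mktemp -d)

# Clean machine: throwaway CA, a signer cert issued by it, and a forger's
# self-signed cert that copies the signer's subject name.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$W/ca.key" -out "$W/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
    -keyout "$W/signer.key" -out "$W/signer.csr" 2>/dev/null
  openssl x509 -req -in "$W/signer.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" \
    -CAcreateserial -days 1 -out "$W/signer.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Signer" \
    -keyout "$W/forged.key" -out "$W/forged.pem" 2>/dev/null
}

# Step 1: sign the data file with a private key. $1 key, $2 data, $3 sig out
sign_file() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Steps 3 and 4 on the server. $1 cert, $2 sig, $3 data: all untrusted input.
accept() {
  # Step 3: the cert must chain to the CA file held on the server.
  openssl verify -CAfile "$W/ca.pem" "$1" >/dev/null 2>&1 \
    || { echo "reject: certificate"; return 1; }
  # Step 4: only now take the public key from the cert and check the signature.
  openssl x509 -in "$1" -pubkey -noout > "$W/pub.pem" 2>/dev/null || return 1
  openssl dgst -sha256 -verify "$W/pub.pem" -signature "$2" "$3" \
    >/dev/null 2>&1 || { echo "reject: signature"; return 1; }
  echo "accept"
}

demo() {
  make_pki
  printf 'payload v1\n' > "$W/data.bin"
  printf 'payload v1 (modified in transit)\n' > "$W/tampered.bin"
  sign_file "$W/signer.key" "$W/data.bin" "$W/data.sig"
  sign_file "$W/forged.key" "$W/data.bin" "$W/forged.sig"
  accept "$W/signer.pem" "$W/data.sig"   "$W/data.bin"     || true  # genuine
  accept "$W/forged.pem" "$W/forged.sig" "$W/data.bin"     || true  # forged cert
  accept "$W/signer.pem" "$W/data.sig"   "$W/tampered.bin" || true  # altered data
  return 0
}
demo
```

Chain validation in step 3 accepts any certificate the CA has issued, so either the CA issues nothing but signing certificates or the server also checks the expected subject or fingerprint before step 4.<br>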
</body>
</html>