[openssl-dev] [openssl-users] pkeyutl does not invoke hash?

Dr. Stephen Henson steve at openssl.org
Wed Jan 13 21:19:14 UTC 2016


On Wed, Jan 13, 2016, Blumenthal, Uri - 0553 - MITLL wrote:

> 
> If the input to "pkeyutl -sign" is supposed to be digest output only, then
> what's the point of having command line arguments specifying the digest to
> use? And if the input can be an arbitrary file (like for "dgst"), then why
> doesn't it seem to work?
> 
> I'd appreciate comments, guidance, etc.
> 

The dgst utility performs hash+sign; the pkeyutl utility is supplied with the
data to sign (which is usually, but not always, a hash).

The reason you can specify which hash the digest is for is that without that
the utility just sees binary data of a certain length. By specifying the
digest it can sanity-check the length and, in some schemes (e.g. RSA), include
the digest algorithm in the data being signed (PKCS#1 DigestInfo structure
for some RSA padding modes).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
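The two paths Steve describes, as an added shell example that is not part of the thread or of OpenSSL's own test suite. It assumes a throwaway 2048-bit RSA key, SHA-256, and the default PKCS#1 v1.5 padding: "dgst -sign" (hash+sign) and "dgst -binary | pkeyutl -sign -pkeyopt digest:sha256" (sign a precomputed hash) give byte-identical signatures, the block that was actually signed is a DER DigestInfo wrapping the hash (recovered with -verifyrecover and no digest named), and handing pkeyutl the raw file while naming sha256 trips the length check:

```shell
#!/bin/sh
# Added example, not from the original thread: dgst -sign versus
# dgst -binary | pkeyutl -sign -pkeyopt digest:sha256, plus the DigestInfo
# that PKCS#1 v1.5 puts around the hash. Assumptions: RSA-2048, SHA-256,
# default PKCS#1 v1.5 padding, an openssl binary on PATH.
set -eu

# Constructed throwaway key and message (not real material).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/key.pem"; PUB="$WORK/pub.pem"; MSG="$WORK/msg.txt"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
openssl pkey -in "$KEY" -pubout -out "$PUB"
printf 'A constructed message, longer than one SHA-256 digest, to be signed.\n' > "$MSG"

# Path 1: dgst hashes the file and signs the hash in one step (binary output).
sign_with_dgst() {
    openssl dgst -sha256 -sign "$KEY" -out "$WORK/sig_dgst.bin" "$MSG"
}

# Path 2: hash first, then give pkeyutl the 32-byte digest and name the hash,
# so it can check the length and wrap the digest in a SHA-256 DigestInfo.
sign_with_pkeyutl() {
    openssl dgst -sha256 -binary -out "$WORK/digest.bin" "$MSG"
    openssl pkeyutl -sign -inkey "$KEY" -in "$WORK/digest.bin" \
        -pkeyopt digest:sha256 -out "$WORK/sig_pkeyutl.bin"
}

# Exit 0 when both paths produced the same signature bytes (v1.5 is deterministic).
signatures_identical() {
    sign_with_dgst && sign_with_pkeyutl \
        && cmp -s "$WORK/sig_dgst.bin" "$WORK/sig_pkeyutl.bin"
}

# Cross-check: pkeyutl verifies what dgst signed (exit 0 on success).
verify_dgst_signature_with_pkeyutl() {
    openssl pkeyutl -verify -pubin -inkey "$PUB" -in "$WORK/digest.bin" \
        -sigfile "$WORK/sig_dgst.bin" -pkeyopt digest:sha256 >/dev/null
}

# Recover the PKCS#1 v1.5 payload without naming a digest: what comes back is
# the DER DigestInfo (19-byte SHA-256 prefix followed by the 32-byte hash).
recovered_digestinfo_hex() {
    openssl pkeyutl -verifyrecover -pubin -inkey "$PUB" -in "$WORK/sig_dgst.bin" \
        | od -An -v -tx1 | tr -d ' \n'
}

digest_hex() {
    od -An -v -tx1 "$WORK/digest.bin" | tr -d ' \n'
}

# Raw message input (not 32 bytes) while naming sha256 must fail the length
# sanity check; exit 0 if pkeyutl refused to sign it.
raw_input_rejected() {
    ! openssl pkeyutl -sign -inkey "$KEY" -in "$MSG" -pkeyopt digest:sha256 \
        -out "$WORK/sig_raw.bin" 2>/dev/null
}

if signatures_identical; then echo "dgst -sign and pkeyutl -sign agree"; fi
echo "signed DigestInfo: $(recovered_digestinfo_hex)"
echo "message digest:    $(digest_hex)"
if raw_input_rejected; then echo "pkeyutl rejected raw (non-digest) input"; fi
```

The DigestInfo wrapping is specific to PKCS#1 v1.5 padding; with `-pkeyopt rsa_padding_mode:pss` the hash is encoded differently and -verifyrecover does not apply. Newer OpenSSL (1.1.1 and later) also lets pkeyutl do the hashing itself with `-rawin -digest sha256`, which is the only way to sign with algorithms such as Ed25519 that have no separate digest step.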
