[openssl-dev] [openssl-users] pkeyutl does not invoke hash?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Wed Jan 13 21:32:47 UTC 2016


On 1/13/16, 16:19 , "openssl-dev on behalf of Dr. Stephen Henson"
<openssl-dev-bounces at openssl.org on behalf of steve at openssl.org> wrote:

>On Wed, Jan 13, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
>> 
>> 
>> If the input to "pkeyutl -sign" is supposed to be digest output only - then
>> what’s the point of having command line arguments specifying the digest to
>> use? And if the input can be an arbitrary file (like for “dgst”), then why
>> it doesn’t seem to work?
>> 
>> I’d appreciate comments, guidance, etc.
>> 
>
>The dgst utility performs hash+sign; the pkeyutl utility is supplied with the
>data to sign (which is usually but not always a hash).

I see. Thank you for explaining!

>The reason you can specify which hash the digest is for is that without that
>the utility just sees binary data of a certain length. By specifying the
>digest it can sanity check the length and in some schemes (e.g. RSA) include
>the digest algorithm in the data being signed (PKCS#1 DigestInfo structure
>for some RSA padding modes).

Can I suggest and ask that all of the above explanation is added
to/included in the pkeyutl man page? I’m sure it would save some grief to
other users.

Thanks!
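
The difference between dgst and pkeyutl explained in this thread can be reproduced with the sketch below, which is an added example and not part of the original messages. It assumes an RSA key with the default PKCS#1 v1.5 padding and the `-pkeyopt digest:sha256` option; the throwaway key, the message and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Key, message and file names are constructed for the demo.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

setup() {
    # Throwaway RSA key pair and a message that is not 32 bytes long.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/key.pem" 2>/dev/null
    openssl pkey -in "$work/key.pem" -pubout -out "$work/pub.pem"
    printf 'constructed sample message\n' > "$work/msg.txt"
    # dgst: hash + sign in one step.
    openssl dgst -sha256 -sign "$work/key.pem" -out "$work/dgst.sig" "$work/msg.txt"
    # The bare 32-byte SHA-256 value that pkeyutl expects as input.
    openssl dgst -sha256 -binary -out "$work/msg.sha256" "$work/msg.txt"
}

# pkeyutl told the input is a SHA-256 digest: it wraps it in DigestInfo, so the
# (deterministic) PKCS#1 v1.5 signature is byte-identical to the dgst one.
pkeyutl_matches_dgst() {
    openssl pkeyutl -sign -inkey "$work/key.pem" -pkeyopt digest:sha256 \
        -in "$work/msg.sha256" -out "$work/pkeyutl.sig" &&
    cmp -s "$work/dgst.sig" "$work/pkeyutl.sig"
}

# No digest named: the 32 bytes are padded and signed as-is, without DigestInfo,
# so a hash+verify check with dgst rejects the result.
raw_sig_verifies() {
    openssl pkeyutl -sign -inkey "$work/key.pem" \
        -in "$work/msg.sha256" -out "$work/raw.sig" &&
    openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/raw.sig" \
        "$work/msg.txt" >/dev/null 2>&1
}

# Feeding the file itself while naming sha256: the length check refuses it.
file_accepted_as_digest() {
    openssl pkeyutl -sign -inkey "$work/key.pem" -pkeyopt digest:sha256 \
        -in "$work/msg.txt" -out "$work/bad.sig" 2>/dev/null
}

setup
pkeyutl_matches_dgst && echo "hash + pkeyutl(digest:sha256) == dgst -sign"
raw_sig_verifies || echo "pkeyutl without digest: dgst -verify rejects it"
file_accepted_as_digest || echo "27-byte file as sha256 digest: refused"
```

A signature made with pkeyutl and no digest option is still a valid RSA operation over those 32 bytes, but a verifier that expects the DigestInfo wrapping will not accept it.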