[openssl-dev] [openssl-users] pkeyutl does not invoke hash?
Hubert Kario
hkario at redhat.com
Thu Jan 14 12:33:59 UTC 2016
On Wednesday 13 January 2016 21:32:47 Blumenthal, Uri - 0553 - MITLL
wrote:
> On 1/13/16, 16:19 , "openssl-dev on behalf of Dr. Stephen Henson"
>
> <openssl-dev-bounces at openssl.org on behalf of steve at openssl.org>
wrote:
> >The reason you can specify which hash the digest is for is that
> >without that
> >the utility just sees binary data of a certain length. By specifying
> >the digest it can sanity check the length and in some schemes (e.g.
> >RSA) include
> >the digest algorithm in the data being signed (PKCS#1 DigestInfo
> >structure for some RSA padding modes).
>
> Can I suggest and ask that all of the above explanation is added
> to/included in the pkeyutl man page? I’m sure it would save some grief
> to other users.
from pkeyutl(1ssl) in OpenSSL 1.0.1:
----->8------
Unless otherwise mentioned all algorithms support the digest:alg
option which specifies the digest in use for sign, verify and
verifyrecover operations. The value alg should represent a
digest name as used in the EVP_get_digestbyname() function for
example sha1.
(...)
-rsa_padding_mode:mode
(...)
In PKCS#1 padding if the message digest is not set then the
supplied data is signed or verified directly instead of using
a DigestInfo structure. If a digest is set then the a
DigestInfo structure is used and its the length must
correspond to the digest type.
(...)
EXAMPLES
(...)
Sign data using a message digest value (this is currently only
valid for RSA):
openssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt
digest:sha256
----->8------
So it looks documented to me. What is missing in your opinion?
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160114/4d6071e4/attachment.sig>
More information about the openssl-dev
mailing list