[openssl-dev] [openssl-users] pkeyutl does not invoke hash?

Hubert Kario hkario at redhat.com
Thu Jan 14 12:33:59 UTC 2016 

On Wednesday 13 January 2016 21:32:47 Blumenthal, Uri - 0553 - MITLL 
wrote:
> On 1/13/16, 16:19 , "openssl-dev on behalf of Dr. Stephen Henson"
> 
> <openssl-dev-bounces at openssl.org on behalf of steve at openssl.org> 
wrote:
> >The reason you can specify which hash the digest is for is that
> >without that
> >the utility just sees binary data of a certain length. By specifying
> >the digest it can sanity check the length and in some schemes (e.g. 
> >RSA) include
> >the digest algorithm in the data being signed (PKCS#1 DigestInfo
> >structure for some RSA padding modes).
> 
> Can I suggest and ask that all of the above explanation is added
> to/included in the pkeyutl man page? I’m sure it would save some grief
> to other users.

from pkeyutl(1ssl) in OpenSSL 1.0.1:

----->8------
       Unless otherwise mentioned all algorithms support the digest:alg
       option which specifies the digest in use for sign, verify and
       verifyrecover operations.  The value alg should represent a
       digest name as used in the EVP_get_digestbyname() function for
       example sha1.
(...)
       -rsa_padding_mode:mode
(...)
           In PKCS#1 padding if the message digest is not set then the
           supplied data is signed or verified directly instead of using
           a DigestInfo structure. If a digest is set then the a
           DigestInfo structure is used and its the length must
           correspond to the digest type.
(...)
EXAMPLES
(...)
       Sign data using a message digest value (this is currently only
       valid for RSA):

        openssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt 
digest:sha256
----->8------

So it looks documented to me. What is missing in your opinion?

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160114/4d6071e4/attachment.sig>

More information about the openssl-dev mailing list