[openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

Richard Levitte via RT rt at openssl.org
Fri Sep 2 12:34:43 UTC 2016


On Thu Sep 01 13:18:44 2016, steffen at sdaoden.eu wrote:
> Hello.
>
> From the documentation I cannot tell what is wrong with the
> following:
>
> echo abc > a; echo def > b; echo ghi > c
> openssl genpkey -algorithm RSA -out k.prv
> openssl pkey -in k.prv -pubout -out k.pub
> openssl dgst -sha512 -sign k.prv -out .sig a b c
> openssl dgst -sha512 -verify k.pub -signature .sig a b c
> rm k.prv k.pub a b c

The manual for dgst has this little note:

    The signing and verify options should only be used if a single file is
    being signed or verified.

In other words, don't do that.

While I can understand the desire to do multiple files in one swoop, the
signature file (.sig in this case) isn't formatted in any special way, it's
literally just a stream of bytes. So it does contain all the signatures, but
in an unstructured format. Verification will read that file and use the first n
bytes from it when verifying each file you give it. That's why you get correct
verification on the first file but not the others.

The solution to this is to enhance dgst so it loudly refuses to sign or verify
more than one file.

Cheers,
Richard
--
Richard Levitte
levitte at openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4669
Please log in as guest with password guest if prompted
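The behaviour Richard describes above, reproduced as an added example (this script is not part of the ticket and not OpenSSL's own code). It runs the reporter's sequence, checks that the combined .sig is three raw signatures back to back and that only one of the three files verifies against it, and then does what the manual asks for: one dgst invocation, and one signature file, per input file. It assumes an `openssl` binary on PATH; the file names (a, b, c, all.sig, a.sig ...) and the temporary directory are constructed here.

```shell
#!/bin/sh
# Added example: multi-file `openssl dgst -sign` produces concatenated raw
# signatures; verification only ever uses the first signature-sized chunk.
# Assumes `openssl` is on PATH. All inputs below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

setup_files_and_keys() {
    cd "$WORK"
    printf 'abc\n' > a; printf 'def\n' > b; printf 'ghi\n' > c
    openssl genpkey -algorithm RSA -out k.prv 2>/dev/null
    openssl pkey -in k.prv -pubout -out k.pub
}

# The reporter's sequence: one -sign run over three files, one .sig output.
# Prints how many of the three files verify against that single .sig.
sign_all_at_once() {
    cd "$WORK"
    openssl dgst -sha512 -sign k.prv -out all.sig a b c
    n=0
    for f in a b c; do
        # dgst -verify reports "Verified OK" or "Verification Failure" per
        # file on stdout; a failing file is expected here, not a script error.
        if openssl dgst -sha512 -verify k.pub -signature all.sig "$f" 2>/dev/null \
            | grep -q 'Verified OK'; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# all.sig is just the three signatures concatenated: its size is an exact
# multiple of a single-file signature. Prints that multiple.
concatenated_sig_ratio() {
    cd "$WORK"
    openssl dgst -sha512 -sign k.prv -out a.sig a
    echo $(( $(wc -c < all.sig) / $(wc -c < a.sig) ))
}

# What the manual asks for: one dgst invocation and one signature per file.
# Prints how many of the three files verify with their own .sig.
sign_one_per_file() {
    cd "$WORK"
    n=0
    for f in a b c; do
        openssl dgst -sha512 -sign k.prv -out "$f.sig" "$f"
        if openssl dgst -sha512 -verify k.pub -signature "$f.sig" "$f" 2>/dev/null \
            | grep -q 'Verified OK'; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

setup_files_and_keys
echo "files verifying against the single combined .sig: $(sign_all_at_once) of 3"
echo "combined .sig holds $(concatenated_sig_ratio) raw signatures"
echo "files verifying with one .sig each:               $(sign_one_per_file) of 3"
```

The second number is the whole story: `-verify` reads at most one signature's worth of bytes from `-signature`, so every file after the first is checked against a's signature and fails. Keeping a separate signature file per input (or a container format that records which bytes belong to which file) is the fix on the caller's side; the ticket's enhancement request is for dgst to reject the multi-file form outright.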


