[openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

Steffen Nurpmeso via RT rt at openssl.org
Fri Sep 2 13:16:51 UTC 2016


Richard Levitte via RT <rt at openssl.org> wrote:
 |On Thu Sep 01 13:18:44 2016, steffen at sdaoden.eu wrote:
 |> From the documentation i cannot tell what is wrong with the
 |> following:
 |>
 |> echo abc > a; echo def > b; echo ghi > c
 |> openssl genpkey -algorithm RSA -out k.prv
 |> openssl pkey -in k.prv -pubout -out k.pub
 |> openssl dgst -sha512 -sign k.prv -out .sig a b c
 |> openssl dgst -sha512 -verify k.pub -signature .sig a b c
 |> rm k.prv k.pub a b c
 |
 |The manual for dgst has this little note
 |
 |The signing and verify options should only be used if a single file is being
 |signed or verified.
 |In other words, don't do that.

I really haven't seen that.  It is the second last sentence.  Hm.

 |While I can understand the desire to do multiple files in one swoop, the
 |signature file (.sig in this case) isn't formatted in any special way, it's
 |literally just a stream of bytes. So it does contain all the signatures, but
 |in an unstructured format. Verification will read that file and use the first n
 |bytes from it when verifying each file you give it. That's why you get correct
 |verification on the first file but not the others.
 |
 |The solution to this is to enhance dgst so it loudly refuses to sign or verify
 |more than one file.

If that is your way.  I haven't actually tried it, but the
following should do what you want?!
Ciao,

--- dgst.c.orig	2016-09-02 15:06:08.952110179 +0200
+++ dgst.c	2016-09-02 15:13:57.592904667 +0200
@@ -369,6 +369,14 @@ int dgst_main(int argc, char **argv)
             if (md)
                 md_name = EVP_MD_name(md);
         }
+
+        if (argc > 1 && (sigbuf != NULL || sigkey != NULL)){
+                BIO_printf(bio_err, "Signing and verifying cannot be used with "
+                           "multiple files\n");
+                ret = 1;
+                goto end;
+        }
+
         ret = 0;
         for (i = 0; i < argc; i++) {
             int r;
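Review bot: the indentation of the new block does not match the surrounding code: the `if` sits at 8 columns but its body is at 16, whereas the `if (md)` just above uses a 4-column step, and `){` lacks the space the rest of the file uses before the brace; please reindent the body to 12 columns and write `) {`. Since this turns the manual's "should only be used if a single file is being signed or verified" (quoted earlier in the thread) into a hard error, the dgst(1) text should be updated in the same patch to say that `-sign`/`-verify` are rejected with more than one file. It is also worth confirming that `sigkey` is only non-NULL for the sign/verify options and not for the `-hmac` or MAC key paths; if it is set there too, `openssl dgst -hmac key a b c`, which is a legitimate use, would be refused by this check as well.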

--steffen


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4669
Please log in as guest with password guest if prompted
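The thread explains why one .sig written for several files cannot be verified: the file is just the signatures concatenated, and verification reads only the first key-size bytes for every input. As an added example that is not part of the ticket or of OpenSSL's own code, the following POSIX shell script shows the two ways a practitioner handles several files with dgst: one detached signature per file, or one signature over a manifest of per-file digests. It assumes an `openssl` binary (1.1.x or 3.x) on PATH; the key names, file names, the `MANIFEST` name and the helper function names are made up for the demonstration, and the manifest parser assumes filenames without whitespace.

```shell
#!/bin/sh
# Added example (not from the openssl ticket): signing and verifying several
# files with openssl dgst without passing more than one file to -sign/-verify.
# Assumes 'openssl' on PATH; all file and key names below are constructed.

# Generate a throwaway RSA keypair for the demo (never reuse demo keys).
gen_keys() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/k.prv" 2>/dev/null || return 1
    openssl pkey -in "$dir/k.prv" -pubout -out "$dir/k.pub"
}

# Option 1: one detached signature per file, written to <file>.sig.
sign_each() {
    key=$1; shift
    for f in "$@"; do
        openssl dgst -sha512 -sign "$key" -out "$f.sig" "$f" || return 1
    done
}

# Verify each file against its own .sig; fails on the first bad file.
verify_each() {
    pub=$1; shift
    for f in "$@"; do
        openssl dgst -sha512 -verify "$pub" -signature "$f.sig" "$f" \
            >/dev/null 2>&1 || return 1
    done
}

# Option 2: a manifest of digests ("openssl dgst -r" layout: <hex> *<file>)
# that is then signed once with sign_each, giving MANIFEST.sig.
make_manifest() {
    out=$1; shift
    openssl dgst -sha512 -r "$@" > "$out"
}

# Check the manifest signature, then recompute every listed digest.
verify_manifest() {
    pub=$1; manifest=$2
    openssl dgst -sha512 -verify "$pub" -signature "$manifest.sig" "$manifest" \
        >/dev/null 2>&1 || return 1
    while read -r digest star_name; do
        f=${star_name#\*}
        now=$(openssl dgst -sha512 -r "$f" 2>/dev/null | cut -d' ' -f1)
        [ -n "$now" ] && [ "$now" = "$digest" ] || return 1
    done < "$manifest"
}

# End-to-end run in a temporary directory: both schemes must accept the
# untouched files and reject them once one file has been modified.
demo() {
    d=$(mktemp -d) || return 1
    ( cd "$d" || exit 1
      gen_keys . || exit 1
      printf 'abc\n' > a; printf 'def\n' > b; printf 'ghi\n' > c
      sign_each k.prv a b c || exit 1
      verify_each k.pub a b c || exit 1
      make_manifest MANIFEST a b c || exit 1
      sign_each k.prv MANIFEST || exit 1
      verify_manifest k.pub MANIFEST || exit 1
      printf 'xyz\n' > b                      # tamper with one input
      verify_each k.pub a b c && exit 1       # must now fail
      verify_manifest k.pub MANIFEST && exit 1
      exit 0 )
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Per-file signatures keep each verification independent, so one corrupted file does not hide which one failed; the manifest form needs a single signature and records the set of files together, which a loop of per-file signatures does not (an attacker could drop a file and its .sig without the remaining verifications noticing).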
