[openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files
Steffen Nurpmeso via RT
rt at openssl.org
Fri Sep 2 13:16:51 UTC 2016
Richard Levitte via RT <rt at openssl.org> wrote:
|On Thu Sep 01 13:18:44 2016, steffen at sdaoden.eu wrote:
|> From the documentation i cannot tell what is wrong with the
|> following:
|>
|> echo abc > a; echo def > b; echo ghi > c
|> openssl genpkey -algorithm RSA -out k.prv
|> openssl pkey -in k.prv -pubout -out k.pub
|> openssl dgst -sha512 -sign k.prv -out .sig a b c
|> openssl dgst -sha512 -verify k.pub -signature .sig a b c
|> rm k.prv k.pub a b c
|
|The manual for dgst has this little note
|
|The signing and verify options should only be used if a single file is being
|signed or verified.
|In other words, don't do that.
I really haven't seen that. It is the second last sentence. Hm.
|While I can understand the desire to do multiple files in one swoop, the
|signature file (.sig in this case) isn't formatted in any special way, it's
|literally just a stream of bytes. So it does contain all the signatures, but
|in an unstructured format. Verification will read that file and use the first n
|bytes from it when verifying each file you give it. That's why you get correct
|verification on the first file but not the others.
|
|The solution to this is to enhance dgst so it loudly refuses to sign or verify
|more than one file.
If that is your way. I haven't actually tried it, but the
following should do what you want?!
Ciao,
--- dgst.c.orig 2016-09-02 15:06:08.952110179 +0200
+++ dgst.c 2016-09-02 15:13:57.592904667 +0200
@@ -369,6 +369,14 @@ int dgst_main(int argc, char **argv)
if (md)
md_name = EVP_MD_name(md);
}
+
+ if (argc > 1 && (sigbuf != NULL || sigkey != NULL)){
+ BIO_printf(bio_err, "Signing and verifying cannot be used with "
+ "multiple files\n");
+ ret = 1;
+ goto end;
+ }
+
ret = 0;
for (i = 0; i < argc; i++) {
int r;
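Review bot: the new `if` line is missing the space before the opening brace that the surrounding code uses (`... sigkey != NULL)){` should read `... sigkey != NULL)) {`). The refusal itself reads correctly on the assumption that `sigbuf`/`sigkey` are non-NULL exactly when a signature file or a signing/verification key was given: it runs before the per-file loop, and `ret = 1; goto end;` leaves the existing cleanup path in charge. Consider naming the options in the message, e.g. "Signing and verifying (-sign/-verify) cannot be used with multiple files", so the user sees which arguments triggered the error.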
--steffen
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4669
Please log in as guest with password guest if prompted
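Since a multi-file `.sig` is just concatenated raw signatures, the robust way to cover several files in one swoop is to sign one manifest of per-file digests and re-check every digest at verification time. This is an added example, not code from the ticket or from OpenSSL's apps/dgst.c; it assumes an `openssl` CLI whose `dgst` supports `-r` (coreutils-style output) and a POSIX `mktemp -d`.

```shell
#!/bin/sh
# Added example (not part of the RT ticket): sign a manifest of SHA-512
# digests instead of pointing `dgst -sign` at several files at once.
set -eu

# Record "<hex digest> *<name>" for every file given (openssl's -r format).
make_manifest() {            # usage: make_manifest MANIFEST file...
    manifest=$1; shift
    openssl dgst -sha512 -r "$@" > "$manifest"
}

# One signature over the manifest covers every file listed in it.
sign_manifest() {            # usage: sign_manifest privkey MANIFEST sigfile
    openssl dgst -sha512 -sign "$1" -out "$3" "$2"
}

# Succeeds only if the manifest signature verifies AND each listed file
# still hashes to the digest recorded for it.
verify_manifest() {          # usage: verify_manifest pubkey MANIFEST sigfile
    openssl dgst -sha512 -verify "$1" -signature "$3" "$2" >/dev/null || return 1
    while read -r digest name; do
        name=${name#\*}                      # strip the coreutils binary marker
        actual=$(openssl dgst -sha512 -r "$name" | cut -d' ' -f1)
        [ "$actual" = "$digest" ] || return 1
    done < "$2"
    return 0
}

# Constructed scenario mirroring the ticket's a/b/c files: verification must
# pass on the untouched tree and fail once one file is modified.
demo() {
    dir=$(mktemp -d); cd "$dir"
    echo abc > a; echo def > b; echo ghi > c
    openssl genpkey -algorithm RSA -out k.prv 2>/dev/null
    openssl pkey -in k.prv -pubout -out k.pub
    make_manifest MANIFEST a b c
    sign_manifest k.prv MANIFEST MANIFEST.sig
    verify_manifest k.pub MANIFEST MANIFEST.sig || return 1
    echo tampered > b
    verify_manifest k.pub MANIFEST MANIFEST.sig && return 1   # must now fail
    return 0
}
```

Run `demo` to exercise the whole flow; only MANIFEST.sig needs to travel with the files, and each file's integrity is checked individually.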