[openssl-users] pkeyutl does not invoke hash?

Dr. Stephen Henson steve at openssl.org
Wed Jan 13 21:19:14 UTC 2016

On Wed, Jan 13, 2016, Blumenthal, Uri - 0553 - MITLL wrote:

> If the input to "pkeyutl -sign" is supposed to be digest output only, then
> what's the point of having command line arguments specifying the digest to
> use? And if the input can be an arbitrary file (like for "dgst"), then why
> doesn't it seem to work?
> I'd appreciate comments, guidance, etc.

The dgst utility performs hash+sign; the pkeyutl utility is supplied with the
data to sign (which is usually but not always a hash).

The reason you can specify which hash the digest is for is that without that
the utility just sees binary data of a certain length. By specifying the
digest it can sanity check the length and in some schemes (e.g. RSA) include
the digest algorithm in the data being signed (PKCS#1 DigestInfo structure
for some RSA padding modes).

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
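The distinction in the reply above, as an added example that is not part of the original thread: the message is hashed with `dgst -binary` first, the 32-byte digest is signed with `pkeyutl -sign -pkeyopt digest:sha256`, and the result is checked with `dgst -verify`, which hashes and verifies in one step. A second function feeds the raw message (not a digest) to `pkeyutl` with `digest:sha256` set, which trips the length sanity check the reply mentions. The key pair, message text and temporary file names are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the openssl-users thread): pkeyutl signs the bytes it
# is given, so the caller hashes first; dgst hashes and signs/verifies itself.
set -eu

# Returns 0 when a pkeyutl signature over a precomputed SHA-256 digest is
# accepted by "dgst -sha256 -verify" on the original message.
sign_digest_and_verify() {
  work=$(mktemp -d)
  printf 'constructed sample message\n' > "$work/msg.txt"

  # Throwaway RSA key pair for the demonstration only.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/key.pem" 2>/dev/null
  openssl pkey -in "$work/key.pem" -pubout -out "$work/pub.pem"

  # Step 1: hash the message ourselves. pkeyutl will not do this.
  openssl dgst -sha256 -binary -out "$work/msg.sha256" "$work/msg.txt"

  # Step 2: sign the 32-byte digest. "digest:sha256" lets pkeyutl check the
  # input length and wrap the hash in a PKCS#1 DigestInfo before padding.
  openssl pkeyutl -sign -inkey "$work/key.pem" -in "$work/msg.sha256" \
    -pkeyopt digest:sha256 -out "$work/msg.sig"

  # Step 3a: pkeyutl -verify takes the same precomputed digest as input.
  openssl pkeyutl -verify -pubin -inkey "$work/pub.pem" -in "$work/msg.sha256" \
    -sigfile "$work/msg.sig" -pkeyopt digest:sha256 >/dev/null

  # Step 3b: dgst -verify takes the original message and hashes it itself.
  if openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/msg.sig" \
       "$work/msg.txt" >/dev/null; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$work"
  return $rc
}

# Returns 0 when pkeyutl refuses to sign input whose length does not match the
# digest named in -pkeyopt (the raw message here instead of its SHA-256 hash).
wrong_length_is_rejected() {
  work=$(mktemp -d)
  printf 'constructed sample message\n' > "$work/msg.txt"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/key.pem" 2>/dev/null

  if openssl pkeyutl -sign -inkey "$work/key.pem" -in "$work/msg.txt" \
       -pkeyopt digest:sha256 -out "$work/bad.sig" 2>/dev/null; then
    rc=1   # signing unexpectedly succeeded
  else
    rc=0   # rejected: input is not 32 bytes, so it cannot be a SHA-256 digest
  fi
  rm -rf "$work"
  return $rc
}

# Usage: run both checks from the command line.
sign_digest_and_verify && echo "pkeyutl signature over precomputed digest verified"
wrong_length_is_rejected && echo "pkeyutl rejected non-digest input as expected"
```

The same signature file verifies with both tools because the DigestInfo that `pkeyutl` adds for `digest:sha256` is exactly what `dgst -sha256 -sign` would have produced; without the `-pkeyopt` the signature is over the bare 32 bytes and `dgst -verify` will not accept it.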
