[openssl-users] [openssl-dev] pkeyutl does not invoke hash?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Jan 14 14:41:20 UTC 2016

If you already know what Dr. Henson explained in the quoted emails - then the man page is crystal clear. However, if you don't - then it is very easy (it was to me) to make an erroneous assumption (that is not explicitly contradicted) that the digest you specify would be applied to the data you are signing by pkeyutl itself. 

This is why I'm asking to include a statement (taking the relevant paragraph from Steve's email seems the best and the simplest way to me) somewhere in the beginning of the Notes section. That added statement/paragraph would make it unambiguously clear that specified or implied digest and its parameters are used by pkeyutl ONLY for sanity checks and inclusion into the signature structure, but are NOT applied to the input data by pkeyutl (which instead the user must himself perform prior to invoking pkeyutl).

  Original Message  
From: Hubert Kario
Sent: Thursday, January 14, 2016 07:34
To: openssl-dev at openssl.org; openssl-users at openssl.org
Reply To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] [openssl-users] pkeyutl does not invoke hash?

On Wednesday 13 January 2016 21:32:47 Blumenthal, Uri - 0553 - MITLL 
> On 1/13/16, 16:19 , "openssl-dev on behalf of Dr. Stephen Henson"
> <openssl-dev-bounces at openssl.org on behalf of steve at openssl.org> 
> >The reason you can specify which hash the digest is for is that
> >without that
> >the utility just sees binary data of a certain length. By specifying
> >the digest it can sanity check the length and in some schemes (e.g. 
> >RSA) include
> >the digest algorithm in the data being signed (PKCS#1 DigestInfo
> >structure for some RSA padding modes).
> Can I suggest and ask that all of the above explanation is added
> to/included in the pkeyutl man page? I’m sure it would save some grief
> to other users.

from pkeyutl(1ssl) in OpenSSL 1.0.1:

Unless otherwise mentioned all algorithms support the digest:alg
option which specifies the digest in use for sign, verify and
verifyrecover operations. The value alg should represent a
digest name as used in the EVP_get_digestbyname() function for
example sha1.
In PKCS#1 padding if the message digest is not set then the
supplied data is signed or verified directly instead of using
a DigestInfo structure. If a digest is set then a
DigestInfo structure is used and its length must
correspond to the digest type.
Sign data using a message digest value (this is currently only
valid for RSA):

openssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt 

So it looks documented to me. What is missing in your opinion?

Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
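
The behaviour discussed in this thread, as an added example that is not part of the original messages: the caller hashes the data first, and `-pkeyopt digest:sha256` only drives the length check and the DigestInfo wrapping. The 2048-bit RSA key, the file names and the sample message are assumptions constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread. Key size, file names and the message
# are constructed for the demo; requires the openssl CLI.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT

setup() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/key.pem" 2>/dev/null
  openssl pkey -in "$d/key.pem" -pubout -out "$d/pub.pem"
  printf 'constructed sample message\n' > "$d/msg.txt"
  # pkeyutl does not hash: the caller computes the digest first.
  openssl dgst -sha256 -binary "$d/msg.txt" > "$d/msg.sha256"
}

verify_msg() {  # verify signature file $1 against the original message
  openssl dgst -sha256 -verify "$d/pub.pem" -signature "$1" \
    "$d/msg.txt" >/dev/null 2>&1
}

# 1. Pre-hashed input plus digest:sha256 gives the same PKCS#1 v1.5
#    signature as "openssl dgst -sha256 -sign" over the message itself.
prehashed_matches_dgst() {
  openssl pkeyutl -sign -in "$d/msg.sha256" -inkey "$d/key.pem" \
    -pkeyopt digest:sha256 -out "$d/sig.pkeyutl" &&
  openssl dgst -sha256 -sign "$d/key.pem" -out "$d/sig.dgst" "$d/msg.txt" &&
  cmp -s "$d/sig.pkeyutl" "$d/sig.dgst" && verify_msg "$d/sig.pkeyutl"
}

# 2. Unhashed input with digest:sha256 is refused: the option only drives
#    the length sanity check (27 bytes here, SHA-256 needs 32).
raw_input_rejected() {
  ! openssl pkeyutl -sign -in "$d/msg.txt" -inkey "$d/key.pem" \
    -pkeyopt digest:sha256 -out "$d/sig.raw" 2>/dev/null
}

# 3. Without the digest option the 32 bytes are signed directly, with no
#    DigestInfo, so a standard SHA-256 verification rejects the result.
bare_signature_fails_verify() {
  openssl pkeyutl -sign -in "$d/msg.sha256" -inkey "$d/key.pem" \
    -out "$d/sig.bare" && ! verify_msg "$d/sig.bare"
}

setup
prehashed_matches_dgst && echo "1: hash-then-pkeyutl equals dgst -sign"
raw_input_rejected && echo "2: unhashed input rejected"
bare_signature_fails_verify && echo "3: no DigestInfo, dgst -verify fails"
```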