Creating a raw signature of a hex string

Viktor Dukhovni openssl-users at
Sun Apr 23 16:04:46 UTC 2023

On Sun, Apr 23, 2023 at 09:56:40AM -0400, Robert Moskowitz wrote:

> I have a 136 byte object:
> 2e4a3f5b5e07a1fb254b811f5a1002b10a5fda326d944758324d7f16972aa2f63c4722b92001003ffe001405

For the record, that's not 136 bytes, it is 88 hex digits (representing
44 bytes).

> I want the 64 byte signature.


    $ openssl pkeyutl -sign -inkey edkey.pem -in /tmp/foo.dat -rawin | xxd -p -c 66

One essential ingredient is the "-rawin" option, which bypasses running
the data through any digest algorithm.  OpenSSL presently supports only
the oneshot "pure" EdDSA signature algorithms, and the "rawin" option is
necessary to enable their use.

Another essential ingredient is that the input must be available all at
once (not streamed in chunks), and therefore the input data must be in
a file, not read from stdin.

On Sun, Apr 23, 2023 at 11:38:39AM -0400, James Muir wrote:

> I think you would need an extra step to convert your message from hex to
> binary.

Indeed it is important to know whether you're signing the hexadecimal
string, or the underlying binary data.  If it is the hex string, make
sure the input does not include a terminating newline (LF or CRLF) if
the signature is to cover just the hex data.


More information about the openssl-users mailing list