On Wed, Jan 13, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
>
> If the input to "pkeyutl -sign" is supposed to be digest output only, then
> what's the point of having command line arguments specifying the digest to
> use? And if the input can be an arbitrary file (like for "dgst"), then why
> doesn't it seem to work?
>
> I'd appreciate comments, guidance, etc.
>

The dgst utility performs hash+sign; the pkeyutl utility is supplied with the
data to sign (which is usually but not always a hash).

The reason you can specify which hash the digest is for is that without that
the utility just sees binary data of a certain length. By specifying the digest
it can sanity check the length and in some schemes (e.g. RSA) include the
digest algorithm in the data being signed (PKCS#1 DigestInfo structure for some
RSA padding modes).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
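The two paths Steve describes, as an added shell example (not part of the original thread): dgst hashing and signing in one step, versus hashing first and handing only the raw digest bytes to pkeyutl with -pkeyopt digest:sha256. With PKCS#1 v1.5 padding both produce the identical signature, and a digest of the wrong length for the declared algorithm is refused. The message text and key are constructed for the demo; it assumes the openssl command is on PATH.

```shell
#!/bin/sh
# Added example: compares `dgst -sha256 -sign` with `pkeyutl -sign` over a
# pre-computed SHA-256 digest, and exercises pkeyutl's digest length check.
set -eu

# Returns 0 when both signatures match, cross-verification succeeds and the
# mismatched-length signing attempt is rejected; returns 1 otherwise.
demo_pkeyutl_vs_dgst() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    cd "$work"

    # Constructed message and a throwaway 2048-bit RSA key pair.
    printf 'pkeyutl sanity check\n' > msg.txt
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem 2>/dev/null
    openssl pkey -in key.pem -pubout -out pub.pem

    # Path 1: dgst hashes the file and signs the hash in one step.
    openssl dgst -sha256 -sign key.pem -out sig_dgst.bin msg.txt

    # Path 2: hash first, then give pkeyutl only the 32 raw digest bytes and
    # tell it which digest they are so it can build the DigestInfo structure.
    openssl dgst -sha256 -binary -out digest.bin msg.txt
    openssl pkeyutl -sign -inkey key.pem -in digest.bin \
        -pkeyopt digest:sha256 -out sig_pkeyutl.bin

    # PKCS#1 v1.5 padding is deterministic: the signatures must be identical.
    cmp -s sig_dgst.bin sig_pkeyutl.bin || return 1

    # Each tool verifies the other's signature.
    openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin \
        -sigfile sig_dgst.bin -pkeyopt digest:sha256 >/dev/null || return 1
    openssl dgst -sha256 -verify pub.pem -signature sig_pkeyutl.bin msg.txt \
        >/dev/null || return 1

    # Length sanity check: a 20-byte SHA-1 digest declared as sha256 is refused.
    openssl dgst -sha1 -binary -out wrong.bin msg.txt
    if openssl pkeyutl -sign -inkey key.pem -in wrong.bin \
        -pkeyopt digest:sha256 -out /dev/null 2>/dev/null; then
        return 1
    fi
    return 0
}
```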