On 1/13/16, 16:19 , "openssl-dev on behalf of Dr. Stephen Henson" <openssl-dev-bounces at openssl.org on behalf of steve at openssl.org> wrote: >On Wed, Jan 13, 2016, Blumenthal, Uri - 0553 - MITLL wrote: >> >> >> If the input to "pkeyutl -sign" is supposed to be digest output only - >>then >> what?s the point of having command line arguments specifying the digest >>to >> use? And if the input can be an arbitrary file (like for ?dgst"), then >>why >> it doesn?t seem to work? >> >> I?d appreciate comments, guidance, etc. >> > >The dgst utility performs hash+sign; the pkeyutl utility is supplied with >the >data to sign (which is usually but not always a hash). I see. Thank you for explaining! >The reason you can specify which hash the digest is for is that without >that >the utility just sees binary data of a certain length. By specifying the >digest it can sanity check the length and in some schemes (e.g. RSA) >include >the digest algorithm in the data being signed (PKCS#1 DigestInfo structure >for some RSA padding modes). Can I suggest and ask that all of the above explanation is added to/included in the pkeyutl man page? I?m sure it would save some grief to other users. Thanks! -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4308 bytes Desc: not available URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160113/992a9801/attachment.bin>
