If you already know what Dr. Henson explained in the quoted emails - then the man page is crystal clear. However, if you don't - then it is very easy (it was to me) to make an erroneous assumption (that is not explicitly contradicted) that the digest you specify would be applied to the data you are signing by pkeyutl itself.

This is why I'm asking to include a statement (taking the relevant paragraph from Steve's email seems the best and the simplest way to me) somewhere in the beginning of the Notes section. That added statement/paragraph would make it unambiguously clear that specified or implied digest and its parameters are used by pkeyutl ONLY for sanity checks and inclusion into the signature structure, but are NOT applied to the input data by pkeyutl (which instead the user must himself perform prior to invoking pkeyutl).

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.

  Original Message
From: Hubert Kario
Sent: Thursday, January 14, 2016 07:34
To: openssl-dev at openssl.org; openssl-users at openssl.org
Reply To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] pkeyutl does not invoke hash?

On Wednesday 13 January 2016 21:32:47 Blumenthal, Uri - 0553 - MITLL wrote:
> On 1/13/16, 16:19 , "openssl-dev on behalf of Dr. Stephen Henson"
> <openssl-dev-bounces at openssl.org on behalf of steve at openssl.org> wrote:
> >The reason you can specify which hash the digest is for is that
> >without that the utility just sees binary data of a certain length.
> >By specifying the digest it can sanity check the length and in some
> >schemes (e.g. RSA) include the digest algorithm in the data being
> >signed (PKCS#1 DigestInfo structure for some RSA padding modes).
>
> Can I suggest and ask that all of the above explanation is added
> to/included in the pkeyutl man page? I'm sure it would save some grief
> to other users.

from pkeyutl(1ssl) in OpenSSL 1.0.1:

----->8------
Unless otherwise mentioned all algorithms support the digest:alg option
which specifies the digest in use for sign, verify and verifyrecover
operations. The value alg should represent a digest name as used in the
EVP_get_digestbyname() function for example sha1.

(...)

-rsa_padding_mode:mode
(...)
In PKCS#1 padding if the message digest is not set then the supplied
data is signed or verified directly instead of using a DigestInfo
structure. If a digest is set then the a DigestInfo structure is used
and its the length must correspond to the digest type.

(...)

EXAMPLES
(...)
Sign data using a message digest value (this is currently only valid
for RSA):

 openssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt digest:sha256
----->8------

So it looks documented to me. What is missing in your opinion?

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
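
The behaviour discussed in this thread, as an added example that is not part of the original messages or of the OpenSSL documentation: the caller hashes the data, pkeyutl signs the resulting digest, and a raw message passed with digest:sha256 is rejected by the length check instead of being hashed. It assumes an `openssl` binary on the PATH; the key, the message and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: key, message and file names are constructed here,
# none of them come from the thread.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
msg="$work/msg.txt"; key="$work/key.pem"; pub="$work/pub.pem"

setup_demo() {
    # 56-byte message, deliberately not the length of a SHA-256 digest
    printf 'constructed sample message for the pkeyutl digest demo\n' > "$msg"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$key" 2>/dev/null
    openssl pkey -in "$key" -pubout -out "$pub"
}

# Correct use: hash the data yourself, then give pkeyutl the 32-byte digest.
# digest:sha256 only tells pkeyutl what the input is (length check, DigestInfo).
sign_prehashed() {
    openssl dgst -sha256 -binary "$msg" > "$work/msg.sha256"
    openssl pkeyutl -sign -in "$work/msg.sha256" -inkey "$key" \
        -out "$work/sig.bin" -pkeyopt digest:sha256
}

# "openssl dgst -verify" hashes the message itself, so success here shows the
# signature covers DigestInfo(sha256, SHA-256(msg)).
verify_with_dgst() {
    openssl dgst -sha256 -verify "$pub" -signature "$work/sig.bin" "$msg" \
        | grep -q 'Verified OK'
}

# Mistaken use: passing the message itself with digest:sha256. pkeyutl does
# not hash it; the input is not 32 bytes long, so signing fails.
raw_input_rejected() {
    ! openssl pkeyutl -sign -in "$msg" -inkey "$key" \
        -out "$work/bad.bin" -pkeyopt digest:sha256 2>/dev/null
}

setup_demo && sign_prehashed && verify_with_dgst \
    && echo "pre-hashed input: signature verifies against the message"
raw_input_rejected \
    && echo "raw input: rejected, pkeyutl did not hash it"
```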