On Sun, Apr 23, 2023 at 09:56:40AM -0400, Robert Moskowitz wrote:
> I have a 136 byte object:
>
> 2e4a3f5b5e07a1fb254b811f5a1002b10a5fda326d944758324d7f16972aa2f63c4722b92001003ffe001405
For the record, that's not 136 bytes, it is 88 hex digits (representing
44 bytes).
> I want the 64 byte signature.
Example:
$ openssl pkeyutl -sign -inkey edkey.pem -in /tmp/foo.dat -rawin | xxd -p -c 66
4865baed71e2aaba0aef5de8f5f268c93715a9efd86e47de7babaec7868b7f60a9cea24b14016367564999cfa691abdcc0a88c68e6eec52e2476fcf782d93206
One essential ingredient is the "-rawin" option, which bypasses running
the data through any digest algorithm. OpenSSL presently supports only
the oneshot "pure" EdDSA signature algorithms, and the "rawin" option is
necessary to enable their use.
Another essential ingredient is that the input must be available all at
once (not streamed in chunks), and therefore the input data must be in
a file, not read from stdin.
On Sun, Apr 23, 2023 at 11:38:39AM -0400, James Muir wrote:
> I think you would need an extra step to convert your message from hex to
> binary.
Indeed it is important to know whether you're signing the hexadecimal
string, or the underlying binary data. If it is the hex string, make
sure the input does not include a terminating newline (LF or CRLF) if
the signature is to cover just the hex data.
--
Viktor.
