Patch to /doc/apps/dgst.pod based on lessons I learned last week. Still love the project!
Cheers --Mike
--
Michael J Smith, CISSP-ISSEP
[email protected]
http://www.guerilla-ciso.com/
--- dgst.orig.pod 2009-04-10 12:42:27.000000000 -0400 +++ dgst.pod 2009-11-29 18:27:11.000000000 -0500 @@ -2,12 +2,13 @@ =head1 NAME -dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 - message digests +dgst, dss1, md5, md4, md2, mdc2, ripemd160, sha, sha1, sha256 message digests +and digital signatures =head1 SYNOPSIS B<openssl> B<dgst> -[B<-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1>] +[B<-dss1|-md5|-md4|-md2|-mdc2|-ripemd160|-sha|-sha1|-sha256>] [B<-c>] [B<-d>] [B<-hex>] @@ -30,7 +31,8 @@ =head1 DESCRIPTION The digest functions output the message digest of a supplied file or files -in hexadecimal form. They can also be used for digital signing and verification. +in hexadecimal. The digest functions also generate and verify digital +signatures using message digests. =head1 OPTIONS @@ -48,7 +50,8 @@ =item B<-hex> digest is to be output as a hex dump. This is the default case for a "normal" -digest as opposed to a digital signature. +digest as opposed to a digital signature. See NOTES below for digital +signatures using -hex. =item B<-binary> @@ -145,6 +148,21 @@ =back + +=head1 EXAMPLES + +To create a hex-encoded message digest of a file: + openssl dgst -md5 -hex file.txt + +To sign a file using SHA-256 with binary file output: + openssl dgst -sha-256 -sign privatekey.pem -out signature.sign file.txt + +To verify a signature: + openssl dgst -sha256 -verify publickey.pem \ + -signature signature.sign \ + file.txt + + =head1 NOTES The digest of choice for all new applications is SHA1. Other digests are 
@@ -153,10 +171,24 @@ If you wish to sign or verify data using the DSA algorithm then the dss1 digest must be used. +When signing a file, openssl will automatically determine the algorithm +(RSA, ECC, etc) to use for signing based on the private key's ASN.1 info. + A source of random numbers is required for certain signing algorithms, in particular DSA. The signing and verify options should only be used if a single file is being signed or verified. +Hex signatures cannot be verified using openssl. Instead, use "xxd -r" +or similar program to transform the hex signature into a binary signature +prior to verification. + + +=head1 SEE ALSO + +L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>, L<ec(1)|ec(1)>, L<ecparam(1)|ecparam(1)>, L<genpkey(1)|genpkey(1)>, L<rsa(1)|rsa(1)>, + + + =cut
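Review bot: The NAME hunk drops the " - " separator that POD and man page indexers (whatis/apropos) rely on: the old line read "... ripemd160 - message digests", while the new text reads "... sha1, sha256 message digests" with no dash between the name list and the description. Keep the separator, e.g. "dgst, dss1, md5, md4, md2, mdc2, ripemd160, sha, sha1, sha256 - message digests and digital signatures".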
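Review bot: In the -hex hunk, the added sentence refers to the option as bare "-hex" while the surrounding text marks options as B<-hex>; use the same B<> markup for consistency with the rest of the OPTIONS section.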
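Review bot: The EXAMPLES hunk has a typo in the signing example: "openssl dgst -sha-256 -sign privatekey.pem ..." uses "-sha-256", which is not the option added to the SYNOPSIS in this same patch; the verify example and the synopsis both use "-sha256", so the sign example should read "openssl dgst -sha256 -sign privatekey.pem -out signature.sign file.txt". A reader copying the example as written would get an unknown-option error.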
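Review bot: In the NOTES hunk, the advice to convert a hex signature with "xxd -r" is incomplete: "xxd -r" alone expects xxd's own hexdump layout (offsets and columns), while a plain hex string needs "xxd -r -p", and any "name(file)= " prefix that dgst prints in front of the hex value must be stripped first. Suggest "xxd -r -p" in the text and a sentence stating that only the bare hex digits should be fed to it. Also, the SEE ALSO list ends with a trailing comma after "L<rsa(1)|rsa(1)>,", which should be dropped, and the sentence about detecting the key algorithm from "the private key's ASN.1 info" would read more precisely as "from the private key file's type".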
