On 1/13/16, 16:19 , "openssl-dev on behalf of Dr. Stephen Henson"
<openssl-dev-boun...@openssl.org on behalf of st...@openssl.org> wrote:

>On Wed, Jan 13, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
>> 
>> 
>> If the input to "pkeyutl -sign" is supposed to be digest output only -
>>then
>> what’s the point of having command line arguments specifying the digest
>>to
>> use? And if the input can be an arbitrary file (like for “dgst"), then
>>why
>> it doesn’t seem to work?
>> 
>> I’d appreciate comments, guidance, etc.
>> 
>
>The dgst utility performs hash+sign; the pkeyutl utility is supplied with
>the
>data to sign (which is usually but not always a hash).

I see. Thank you for explaining!

>The reason you can specify which hash the digest is for is that without
>that
>the utility just sees binary data of a certain length. By specifying the
>digest it can sanity check the length and in some schemes (e.g.  RSA)
>include
>the digest algorithm in the data being signed (PKCS#1 DigestInfo structure
>for some RSA padding modes).

Can I suggest and ask that all of the above explanation is added
to/included in the pkeyutl man page? I’m sure it would save some grief to
other users.

Thanks!

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to