On 1/13/16, 16:19 , "openssl-dev on behalf of Dr. Stephen Henson" <openssl-dev-boun...@openssl.org on behalf of st...@openssl.org> wrote:
>On Wed, Jan 13, 2016, Blumenthal, Uri - 0553 - MITLL wrote:
>>
>> If the input to "pkeyutl -sign" is supposed to be digest output only - then
>> what's the point of having command line arguments specifying the digest to
>> use? And if the input can be an arbitrary file (like for "dgst"), then why
>> doesn't it seem to work?
>>
>> I'd appreciate comments, guidance, etc.
>>
>
>The dgst utility performs hash+sign; the pkeyutl utility is supplied with the
>data to sign (which is usually but not always a hash).

I see. Thank you for explaining!

>The reason you can specify which hash the digest is for is that without that
>the utility just sees binary data of a certain length. By specifying the
>digest it can sanity check the length and in some schemes (e.g. RSA) include
>the digest algorithm in the data being signed (PKCS#1 DigestInfo structure
>for some RSA padding modes).

Can I suggest and ask that all of the above explanation is added to/included in the pkeyutl man page? I'm sure it would save some grief to other users.

Thanks!
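The behaviour explained in the thread above, as an added example that is not part of the original messages: it signs one file with dgst and with pkeyutl (with and without the digest option) and compares the results. The throwaway RSA key, the message and all file names are constructed for the demonstration, and RSA with the default PKCS#1 v1.5 padding is assumed.

```bash
#!/usr/bin/env bash
# Added example: dgst (hash+sign) vs pkeyutl (sign supplied data), RSA PKCS#1 v1.5.
# The key, message and file names are constructed for this demonstration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

setup() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
    printf 'constructed sample message\n' > "$WORK/msg.txt"
    # Raw 32-byte SHA-256 digest: the input pkeyutl expects with digest:sha256.
    openssl dgst -sha256 -binary "$WORK/msg.txt" > "$WORK/msg.sha256"
}

sign_all() {
    # dgst hashes the file itself, then signs the hash.
    openssl dgst -sha256 -sign "$WORK/key.pem" -out "$WORK/dgst.sig" "$WORK/msg.txt"
    # pkeyutl told the input is a SHA-256 digest: wraps it in DigestInfo, then signs.
    openssl pkeyutl -sign -inkey "$WORK/key.pem" -pkeyopt digest:sha256 \
        -in "$WORK/msg.sha256" -out "$WORK/pkeyutl.sig"
    # pkeyutl told nothing: pads and signs the 32 bytes as opaque data.
    openssl pkeyutl -sign -inkey "$WORK/key.pem" \
        -in "$WORK/msg.sha256" -out "$WORK/raw.sig"
}

recovered_len() {
    # Size of the payload recovered from a signature once the padding is removed.
    openssl pkeyutl -verifyrecover -inkey "$WORK/key.pem" -in "$1" | wc -c | tr -d ' '
}

wrong_length_rejected() {
    # 11 bytes cannot be a SHA-256 digest, so the length check refuses to sign.
    printf 'not a hash\n' > "$WORK/short.bin"
    ! openssl pkeyutl -sign -inkey "$WORK/key.pem" -pkeyopt digest:sha256 \
        -in "$WORK/short.bin" -out "$WORK/short.sig" 2>/dev/null
}

setup
sign_all
cmp -s "$WORK/dgst.sig" "$WORK/pkeyutl.sig" && echo "dgst == pkeyutl with digest:sha256"
cmp -s "$WORK/dgst.sig" "$WORK/raw.sig" || echo "pkeyutl without a digest option differs"
echo "payload in dgst.sig: $(recovered_len "$WORK/dgst.sig") bytes (DigestInfo)"
echo "payload in raw.sig:  $(recovered_len "$WORK/raw.sig") bytes (bare digest)"
wrong_length_rejected && echo "11-byte input rejected under digest:sha256"
```

A verifier that expects a standard SHA-256 RSA signature will reject raw.sig, because the signed payload lacks the DigestInfo wrapper.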