[openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-20 Thread Richard Levitte via RT
Fix in place in master, OpenSSL_1_1_0-stable and OpenSSL_1_0_2-stable

Closing ticket.

Cheers,
Richard

On Fri Sep 02 14:57:41 2016, rs...@akamai.com wrote:
> Yeah, something like that for 1.0.2; simpler for 1.1.0. I'll do it.
>


--
Richard Levitte
levi...@openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4669
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-02 Thread Salz, Rich
Yeah, something like that for 1.0.2; simpler for 1.1.0.  I'll do it.


Re: [openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-02 Thread Steffen Nurpmeso via RT
Richard Levitte via RT wrote:
 |On Thu Sep 01 13:18:44 2016, stef...@sdaoden.eu wrote:
 |> From the documentation I cannot tell what is wrong with the
 |> following:
 |>
 |> echo abc > a; echo def > b; echo ghi > c
 |> openssl genpkey -algorithm RSA -out k.prv
 |> openssl pkey -in k.prv -pubout -out k.pub
 |> openssl dgst -sha512 -sign k.prv -out .sig a b c
 |> openssl dgst -sha512 -verify k.pub -signature .sig a b c
 |> rm k.prv k.pub a b c
 |
 |The manual for dgst has this little note
 |
 |The signing and verify options should only be used if a single file is being
 |signed or verified.
 |In other words, don't do that.

I really haven't seen that.  It is the second last sentence.  Hm.

 |While I can understand the desire to do multiple files in one swoop, the
 |signature file (.sig in this case) isn't formatted in any special way, it's
 |literally just a stream of bytes. So it does contain all the signatures, but
 |in an unstructured format. Verification will read that file and use the first n
 |bytes from it when verifying each file you give it. That's why you get correct
 |verification on the first file but not the others.
 |
 |The solution to this is to enhance dgst so it loudly refuses to sign or verify
 |more than one file.

If that is your way.  I haven't actually tried it, but the
following should do what you want?!
Ciao,

--- dgst.c.orig 2016-09-02 15:06:08.952110179 +0200
+++ dgst.c  2016-09-02 15:13:57.592904667 +0200
@@ -369,6 +369,14 @@ int dgst_main(int argc, char **argv)
 if (md)
 md_name = EVP_MD_name(md);
 }
+
+if (argc > 1 && (sigbuf != NULL || sigkey != NULL)){
+BIO_printf(bio_err, "Signing and verifying cannot be used with 
"
+   "multiple files\n");
+ret = 1;
+goto end;
+}
+
 ret = 0;
 for (i = 0; i < argc; i++) {
 int r;
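
Review bot: The guard "argc > 1 && (sigbuf != NULL || sigkey != NULL)" tests derived state rather than the options the user passed, and nothing in the visible context shows that sigkey is non-NULL only for -sign or -verify; if any other keyed mode of dgst also populates it, multi-file use of that mode would be refused as well. Consider testing the variable that records the -sign/-verify key argument, or confirm where sigkey is assigned. The check also sits directly before the "for (i = 0; i < argc; i++)" loop, after the md_name setup, so it fires late; refusing right after option parsing would fail before any other work is done. Two smaller points: the message string literal is broken by a newline after "used with", which will not compile as posted, and "){" needs a space before the brace to match the "for (...) {" line below it.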

--steffen




[openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-02 Thread Richard Levitte via RT
On Thu Sep 01 13:18:44 2016, stef...@sdaoden.eu wrote:
> Hello.
>
> From the documentation I cannot tell what is wrong with the
> following:
>
> echo abc > a; echo def > b; echo ghi > c
> openssl genpkey -algorithm RSA -out k.prv
> openssl pkey -in k.prv -pubout -out k.pub
> openssl dgst -sha512 -sign k.prv -out .sig a b c
> openssl dgst -sha512 -verify k.pub -signature .sig a b c
> rm k.prv k.pub a b c

The manual for dgst has this little note:

    The signing and verify options should only be used if a single file is being
    signed or verified.

In other words, don't do that.

While I can understand the desire to do multiple files in one swoop, the
signature file (.sig in this case) isn't formatted in any special way, it's
literally just a stream of bytes. So it does contain all the signatures, but
in an unstructured format. Verification will read that file and use the first n
bytes from it when verifying each file you give it. That's why you get correct
verification on the first file but not the others.

The solution to this is to enhance dgst so it loudly refuses to sign or verify
more than one file.

Cheers,
Richard
--
Richard Levitte
levi...@openssl.org
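
An added example, not part of the thread and not OpenSSL code: the single-file constraint described above, handled by giving each file its own .sig, plus a helper that slices a headerless concatenation of signatures to show why only the first file verified. The function names sign_each, verify_each, sig_len and verify_slice are made up for this example, and slicing by a fixed length assumes RSA signatures.

```sh
#!/bin/sh
# Added example (not from the thread): per-file detached signatures for dgst.

# sign_each KEY FILE...: write FILE.sig beside each FILE, one dgst call per file.
sign_each() {
    key=$1; shift
    for f in "$@"; do
        openssl dgst -sha512 -sign "$key" -out "$f.sig" "$f" || return 1
    done
}

# verify_each PUB FILE...: return 0 only if every FILE matches its own FILE.sig.
verify_each() {
    pub=$1; shift; rc=0
    for f in "$@"; do
        if openssl dgst -sha512 -verify "$pub" -signature "$f.sig" "$f" >/dev/null 2>&1
        then echo "OK   $f"
        else echo "FAIL $f"; rc=1
        fi
    done
    return "$rc"
}

# sig_len FILE: size in bytes (an RSA signature is as long as the key modulus).
sig_len() { wc -c < "$1" | tr -d ' '; }

# verify_slice PUB BLOB N INDEX FILE: verify FILE against the INDEX-th N-byte
# slice of BLOB, a headerless concatenation of signatures (hypothetical helper).
verify_slice() {
    slice=$(mktemp) || return 1
    dd if="$2" of="$slice" bs="$3" skip="$4" count=1 2>/dev/null
    openssl dgst -sha512 -verify "$1" -signature "$slice" "$5" >/dev/null 2>&1
    vs_rc=$?
    rm -f "$slice"
    return "$vs_rc"
}

# Demo on constructed sample files in a scratch directory.
demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    echo abc > a; echo def > b; echo ghi > c
    openssl genpkey -algorithm RSA -out k.prv 2>/dev/null
    openssl pkey -in k.prv -pubout -out k.pub
    sign_each k.prv a b c && verify_each k.pub a b c
    cat a.sig b.sig c.sig > all.sig; n=$(sig_len a.sig)
    verify_slice k.pub all.sig "$n" 0 b || echo "b vs first $n bytes: fails"
    verify_slice k.pub all.sig "$n" 1 b && echo "b vs slice 1: verifies"
    cd / && rm -rf "$d"
)
demo
```

Keeping one signature file per input removes any need to know the signature length or the order in which files were signed.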



[openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-01 Thread Steffen Nurpmeso via RT
Hello.

From the documentation I cannot tell what is wrong with the
following:

  echo abc > a; echo def > b; echo ghi > c
  openssl genpkey -algorithm RSA -out k.prv
  openssl pkey -in k.prv -pubout -out k.pub
  openssl dgst -sha512 -sign k.prv -out .sig a b c
  openssl dgst -sha512 -verify k.pub -signature .sig a b c
  rm k.prv k.pub a b c

It gives me

  ?0[steffen@wales bin]$ sh /tmp/t.sh
  ..++
  ...++
  Verified OK
  Verification Failure
  Verification Failure

And being able to produce textual output would be great.
Thanks.

--steffen

