On Tue, 2009-03-31 at 08:50 -0700, Beneš Vladimír wrote:
> Hi,
> 
>         the command option "-md" is mentioned in the official documentation - 
> http://www.openssl.org/docs/apps/smime.html#
> """
> SYNOPSIS
> openssl smime ... [-md digest] ...
> ...
> COMMAND OPTIONS
> ...
> -md digest
> digest algorithm to use when signing or resigning. If not present then the 
> default digest algorithm for the signing key will be used (usually SHA1).
> ...
> """
> 
>         But if I try to use it (in the latest version - OpenSSL 0.9.8k 25 Mar 
> 2009), it seems that this is quite an unknown option (it only prints the 
> available options to stderr - without the "-md" option).
> 
>         So how could the option "-md" be used in "openssl smime"?
>         Or - how could PKCS#7 signatures be created and verified with the 
> sha512 (or sha256) message digest algorithm?

As you have noticed, apps/smime.c doesn't implement the -md command-line
switch.  The bit of code that actually specifies the message digest to
use for signing is in PKCS7_sign() in crypto/pkcs7/pk7_smime.c.  It is
hard-coded to use SHA1.  I changed EVP_sha1 to EVP_sha256 in the call
to PKCS7_add_signature(), and it seems to work fine.  (By that, I mean
SHA256 is actually getting used and signatures verify OK.)  There's
almost certainly a better way to go about this, but I didn't need a
general solution to the command-line problem.

Paul

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
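
One way to check the two things the reply mentions (which digest is actually in the signature, and whether it verifies), as an added example that is not part of the original messages or of OpenSSL's own code. It assumes an openssl build whose smime command accepts -md, which the 0.9.8k build in this thread does not; the function names, key, certificate and message are constructed for the illustration.

```shell
#!/bin/sh
# Sign with an explicit digest, then confirm which digest the PKCS#7
# SignedData really carries and that the signature verifies.

make_signer() {  # $1 = work dir; writes a throwaway key.pem and self-signed cert.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=md-test signer (constructed)" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

sign_with_digest() {  # $1 = work dir, $2 = digest name (sha256, sha512, ...)
    printf 'constructed test message\n' > "$1/msg.txt"
    openssl smime -sign -md "$2" -binary -nodetach -outform PEM \
        -signer "$1/cert.pem" -inkey "$1/key.pem" \
        -in "$1/msg.txt" -out "$1/sig.pem" 2>/dev/null
}

signature_digests() {  # $1 = work dir; prints the bare digest OIDs in the structure
    # Bare digest names appear only in digestAlgorithms and SignerInfo;
    # the certificate's own algorithm (e.g. sha256WithRSAEncryption) is skipped.
    openssl asn1parse -inform PEM -in "$1/sig.pem" |
        awk -F: '/prim: OBJECT/ {
            name = $NF
            gsub(/[ \t\r]+$/, "", name)
            if (name ~ /^(md5|sha1|sha224|sha256|sha384|sha512)$/) print name
        }' | sort -u
}

verify_signature() {  # $1 = work dir; exit status 0 when the signature checks out
    openssl smime -verify -inform PEM -in "$1/sig.pem" \
        -CAfile "$1/cert.pem" -out /dev/null 2>/dev/null
}

# Demo run: a signature requested with -md sha512 should report sha512.
work=$(mktemp -d)
make_signer "$work" && sign_with_digest "$work" sha512 &&
    echo "digest in SignedData: $(signature_digests "$work")" &&
    verify_signature "$work" && echo "signature verifies"
rm -rf "$work"
```

If signature_digests reports sha1 for a signature requested with another digest, the signing code ignored the request, which is the hard-coded behaviour described in the reply.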
