'pkeyparam' shares the same DH feature of its predecessors in that it ignores all content not included between the /*first*/ PEM header and its accompanying footer. that means virtually anything can surround the first param and will be ignored by whatever call(s) this wrapper is making. i can understand that this may have been coded this way to allow for the history DH param's have with openssl whereby only the PKCS#3 variant has been supported and that format might co-exist in some files.
however, it would seem prudent that everything outside the first DH param should not be completely ignored. to wit: consider the very real possibility that a programmatic error is made -- such as the dh2048.pem example, supra -- and an append is performed and the new param is completely ignored and nobody is the wiser. moreover, since it is remarkably unlikely that anyone is hand coding these files or that comments would be inserted; it seems to make a lot of sense for a utilizing module to _*warn*_ of excess content that is not PKCS and _*fail*_ if more than a single PEM-type param is included.
-- Thank you, Johann v. Preußen
smime.p7s
Description: S/MIME Cryptographic Signature
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
