pkcs11-tool digest differences - not the same as openssl

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

pkcs11-tool digest differences - not the same as openssl


Using pkcs11-tool, with a SafeNet iKey 2032, I have noticed that SHA-1 hashes, created using:

C:\Program Files (x86)\OpenSC Project\OpenSC>pkcs11-tool --module c:\windows\system32\etpkcs11.dll -m SHA-1  --hash -i <filename> -o <digest.bin>

frequently differ from the hash produced by the openssl command:
C:\Program Files (x86)\OpenSC Project\OpenSC>openssl dgst -sha1 <filename>

By trying different input files  I  worked out that the difference is because pkcs11-tool process replaces CRLF by LF before passing it through the hash, whereas openssl passes the complete file contents through the hash.

Is this by design?  Am I obliged/expected to convert everything to Base-64 before I hash it if I want to use pkcs11-tool?  (I need to hash some pure binary files, which will inevitably contain CRLF by chance and wanted to avoid extra steps ;-) )

I couldn't find this mentioned anywhere else.  

Many thanks for any comments/suggestions.