Thanks a lot Steve for your constructive comments. > That's expected behaviour. The EVP_get_digestbynid funtion expects a digest > NID > whereas you are passing a signature NID instead. It does accept some signature > NIDs for historical compatibility reasons.
I now understand that the code I extended for EC support was abusing EVP_get_digestbynid(), which worked just for compatibility reasons for RSA (only). Yet why not broaden this function (or better its underlying mapping) to handle ECDSA (and possibly any other types of) signatures. > The thread you mention shows you how to convert a signature NID into the > digest > and public key algorithm NID. The hint you gave in that thread was to use OBJ_find_sigid_algs() and this indeed works fine and is cleaner :-) > However I suspect you shouldn't be trying to do things at that level for > signatures. If you need to sign or verify ASN.1 data you can use > ASN1_item_sign > or ASN1_item_verify and key and digest handling and lookup is handled > automatically. Good point that they better should have used a more high-level signature/verification function. Yet the proposed functions, as well as ASN1_sign and ASN1_verify, still require the (plain) md parameter. And for instance the more abstract function int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) uses again md = EVP_get_digestbyobj(si->digest_alg->algorithm); such that the use of OBJ_find_sigid_algs() appears indispensable. David. _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
