Folks,

This question is regarding the demo openssl-0.9.8-stable-SNAP-20061004/demos/ssltest-ecc, and in particular the ECCcertgen.sh script. What I've done is attempt to specify the hash digest like so:

# Earlier in the script I set the digest I want
TEST_DIGEST="sha256"

# and here I've modified to specify the digest:

# Sign the certificate request in $TEST_CA_FILE.req.pem using the
# private key in $TEST_CA_FILE.key.pem and include the CA extension.
# Make the certificate valid for 1500 days from the time of signing.
# The certificate is written into $TEST_CA_FILE.cert.pem
$OPENSSL_CMD x509 -req -days $DAYS \
    -in $CERTS_DIR/$TEST_CA_FILE.req.pem \
    -extfile $OPENSSL_DIR/apps/openssl.cnf \
    -extensions v3_ca \
    -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
    -out $CERTS_DIR/$TEST_CA_FILE.cert.pem -$TEST_DIGEST

What I find though is that the resulting certificates are still created with:
        Signature Algorithm: ecdsa-with-SHA1

I'm looking for some advice/thoughts on the following three questions:

1) Perhaps I'm just using the CLI incorrectly. Does my method look correct?

2) Perhaps openssl doesn't yet support ecdsa with SHA256?
If so I'd expect an error when I specify -sha256 (as it does if I provide a bogus digest name). Looking through the code though there doesn't appear to be an 'ecdsa-with-SHA256' or similar defined/used. If this is true I guess I'll move over to openssl-dev and see if I can help fix things.

3) Perhaps ecdsa is limited to sha-1?
This seems unlikely and the www.x9.org abstract for X9.62 (ecdsa) seems to claim "The hash functions Approved at the time of publication of this document are SHA-1 (see NOTE), SHA-224, SHA-256, SHA-384 and SHA-512." But I don't have access to the entire document and don't see the 'NOTE' and thus could very well be wrong on this point.

Any responses appreciated. Thanks,

- max

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
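
Added example, not part of the original post or of the OpenSSL demo scripts: a check that fails when the digest requested on the x509 command line is not the one recorded in the certificate, which is the silent fallback to ecdsa-with-SHA1 described above. The function names and the throwaway subject are hypothetical, and it assumes an openssl binary on PATH whose build defines ecdsa-with-SHA256 style names.

```shell
#!/bin/sh
# Added example: verify that a requested digest really ends up in the
# certificate signature instead of trusting the signing command's exit code.

# Print the distinct "Signature Algorithm" values found in
# `openssl x509 -text` output read from stdin (the field appears twice,
# once inside the signed body and once on the outer signature).
sig_algs() {
    sed -n '/Signature Algorithm:/{
        s/^.*Signature Algorithm:[[:space:]]*//
        s/[[:space:]]*$//
        p
    }' | sort -u
}

# Succeed only if stdin names exactly one signature algorithm and it is
# ECDSA with the requested digest (case-insensitive: sha256 == SHA256).
digest_matches() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    got=$(sig_algs | tr '[:lower:]' '[:upper:]')
    [ "$got" = "ECDSA-WITH-$want" ]
}

# Create a throwaway P-256 key and self-signed certificate using the given
# digest, then check what was actually signed. Subject is a constructed value.
selfsign_and_check() {
    digest=$1
    dir=$(mktemp -d) || return 2
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" &&
    openssl req -new -key "$dir/key.pem" -subj "/CN=constructed test CA" \
        -out "$dir/req.pem" &&
    openssl x509 -req -days 1 -in "$dir/req.pem" -signkey "$dir/key.pem" \
        -out "$dir/cert.pem" "-$digest" 2>/dev/null &&
    openssl x509 -in "$dir/cert.pem" -noout -text | digest_matches "$digest"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage: sh check_digest.sh sha256
if [ "$#" -gt 0 ]; then
    if selfsign_and_check "$1"; then
        echo "certificate is signed with ecdsa-with-$1"
    else
        echo "digest $1 was NOT applied to the signature" >&2
    fi
fi
```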