subject:"\[openssl\-dev\] \[openssl.org #3922\] Bug\: EVP_get

[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

2016-06-13 Thread Rich Salz via RT

Ah, the endless confusion of cipher vs signature NID's :)

closing ticket.

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3922
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

2015-07-02 Thread David von Oheimb via RT

Thanks a lot Steve for your constructive comments.

> That's expected behaviour. The EVP_get_digestbynid funtion expects a digest 
> NID
> whereas you are passing a signature NID instead. It does accept some signature
> NIDs for historical compatibility reasons.

I now understand that the code I extended for EC support was abusing
EVP_get_digestbynid(), which worked just for compatibility reasons for
RSA (only). Yet why not broaden this function (or better its underlying
mapping) to handle ECDSA (and possibly any other types of) signatures.

> The thread you mention shows you how to convert a signature NID into the 
> digest
> and public key algorithm NID.

The hint you gave in that thread was to use  OBJ_find_sigid_algs()
and this indeed works fine and is cleaner :-)

> However I suspect you shouldn't be trying to do things at that level for
> signatures. If you need to sign or verify ASN.1 data you can use 
> ASN1_item_sign
> or ASN1_item_verify and key and digest handling and lookup is handled 
> automatically.

Good point that they better should have used a more high-level
signature/verification function. Yet the proposed functions, as well as
ASN1_sign and ASN1_verify, still require the (plain) md parameter.
And for instance the more abstract function
  int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
uses again
  md = EVP_get_digestbyobj(si->digest_alg->algorithm);
such that the use of OBJ_find_sigid_algs() appears indispensable.

David.


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

2015-06-23 Thread Stephen Henson via RT

On Mon Jun 22 20:07:43 2015, david.von.ohe...@siemens.com wrote:
> Hi OpenSSL maintainers,
>
> I tried checking the status of the EVP_get_digestbynid issue via
> http://rt.openssl.org/Install/index.html
> but the server appears currently misconfigured:
> > Config file /etc/request-tracker4/RT_SiteConfig.pm is locked
>
> Yet I found an old conversation on this topic:
> http://openssl.6102.n7.nabble.com/Question-about-EVP-get-digestbynid-
> and-ECDSA-td28312.html
>
> With OpenSSL 1.0.2 one still gets NULL when giving ECDSA NIDs as
> input.
> Here is the workaround we currently use for EC support in
> CMPforOpenSSL:
>

That's expected behaviour. The EVP_get_digestbynid funtion expects a digest NID
whereas you are passing a signature NID instead. It does accept some signature
NIDs for historical compatibility reasons.

The thread you mention shows you how to convert a signature NID into the digest
and public key algorithm NID.

However I suspect you shouldn't be trying to do things at that level for
signatures. If you need to sign or verify ASN.1 data you can use ASN1_item_sign
or ASN1_item_verify and key and digest handling and lookup is handled
automatically.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

2015-06-22 Thread David von Oheimb via RT

Hi OpenSSL maintainers,

I tried checking the status of the EVP_get_digestbynid issue via
http://rt.openssl.org/Install/index.html
but the server appears currently misconfigured:
> Config file /etc/request-tracker4/RT_SiteConfig.pm is locked 

Yet I found an old conversation on this topic:
http://openssl.6102.n7.nabble.com/Question-about-EVP-get-digestbynid-and-ECDSA-td28312.html

With OpenSSL 1.0.2 one still gets NULL when giving ECDSA NIDs as input.
Here is the workaround we currently use for EC support in CMPforOpenSSL:

> const EVP_MD *extended_EVP_get_digestbynid(int nid) {
> switch (nid) {
> case  NID_ecdsa_with_SHA1:
> return EVP_sha1();
> case  NID_ecdsa_with_SHA224:
> return EVP_sha224();
> case  NID_ecdsa_with_SHA256:
> return EVP_sha256();
> case  NID_ecdsa_with_SHA384:
> return EVP_sha384();
> case  NID_ecdsa_with_SHA512:
> return EVP_sha512();
> default:
> return EVP_get_digestbynid(nid);
>   }
> }

I just commented on this issue also at
https://sourceforge.net/p/cmpforopenssl/bugs/14/

Regards,
David

--
+--<><-+
|  Dr. David von OheimbSenior Key Expert Research Scientist|
|  Siemens CT RTC ITS SEA-DE   Phone: +49 89 636 41173 |
|  Otto-Hahn-Ring 6Fax  : +49 89 636 48000 |
|  D-81739 München, GermanyEMail: david.von.ohe...@siemens.com |
|  http://scd.siemens.de/db4/lookUp?tcgid=Z000ECRO   http://ddvo.net/  |
+--+

___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

Re: [openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

4 matches

Site Navigation

Mail list logo

Footer information