[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA
Ah, the endless confusion of cipher vs signature NID's :) closing ticket. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3922 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA
Thanks a lot Steve for your constructive comments. > That's expected behaviour. The EVP_get_digestbynid funtion expects a digest > NID > whereas you are passing a signature NID instead. It does accept some signature > NIDs for historical compatibility reasons. I now understand that the code I extended for EC support was abusing EVP_get_digestbynid(), which worked just for compatibility reasons for RSA (only). Yet why not broaden this function (or better its underlying mapping) to handle ECDSA (and possibly any other types of) signatures. > The thread you mention shows you how to convert a signature NID into the > digest > and public key algorithm NID. The hint you gave in that thread was to use OBJ_find_sigid_algs() and this indeed works fine and is cleaner :-) > However I suspect you shouldn't be trying to do things at that level for > signatures. If you need to sign or verify ASN.1 data you can use > ASN1_item_sign > or ASN1_item_verify and key and digest handling and lookup is handled > automatically. Good point that they better should have used a more high-level signature/verification function. Yet the proposed functions, as well as ASN1_sign and ASN1_verify, still require the (plain) md parameter. And for instance the more abstract function int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) uses again md = EVP_get_digestbyobj(si->digest_alg->algorithm); such that the use of OBJ_find_sigid_algs() appears indispensable. David. ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA
On Mon Jun 22 20:07:43 2015, david.von.ohe...@siemens.com wrote: > Hi OpenSSL maintainers, > > I tried checking the status of the EVP_get_digestbynid issue via > http://rt.openssl.org/Install/index.html > but the server appears currently misconfigured: > > Config file /etc/request-tracker4/RT_SiteConfig.pm is locked > > Yet I found an old conversation on this topic: > http://openssl.6102.n7.nabble.com/Question-about-EVP-get-digestbynid- > and-ECDSA-td28312.html > > With OpenSSL 1.0.2 one still gets NULL when giving ECDSA NIDs as > input. > Here is the workaround we currently use for EC support in > CMPforOpenSSL: > That's expected behaviour. The EVP_get_digestbynid funtion expects a digest NID whereas you are passing a signature NID instead. It does accept some signature NIDs for historical compatibility reasons. The thread you mention shows you how to convert a signature NID into the digest and public key algorithm NID. However I suspect you shouldn't be trying to do things at that level for signatures. If you need to sign or verify ASN.1 data you can use ASN1_item_sign or ASN1_item_verify and key and digest handling and lookup is handled automatically. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA
Hi OpenSSL maintainers, I tried checking the status of the EVP_get_digestbynid issue via http://rt.openssl.org/Install/index.html but the server appears currently misconfigured: > Config file /etc/request-tracker4/RT_SiteConfig.pm is locked Yet I found an old conversation on this topic: http://openssl.6102.n7.nabble.com/Question-about-EVP-get-digestbynid-and-ECDSA-td28312.html With OpenSSL 1.0.2 one still gets NULL when giving ECDSA NIDs as input. Here is the workaround we currently use for EC support in CMPforOpenSSL: > const EVP_MD *extended_EVP_get_digestbynid(int nid) { > switch (nid) { > case NID_ecdsa_with_SHA1: > return EVP_sha1(); > case NID_ecdsa_with_SHA224: > return EVP_sha224(); > case NID_ecdsa_with_SHA256: > return EVP_sha256(); > case NID_ecdsa_with_SHA384: > return EVP_sha384(); > case NID_ecdsa_with_SHA512: > return EVP_sha512(); > default: > return EVP_get_digestbynid(nid); > } > } I just commented on this issue also at https://sourceforge.net/p/cmpforopenssl/bugs/14/ Regards, David -- +--<><-+ | Dr. David von OheimbSenior Key Expert Research Scientist| | Siemens CT RTC ITS SEA-DE Phone: +49 89 636 41173 | | Otto-Hahn-Ring 6Fax : +49 89 636 48000 | | D-81739 München, GermanyEMail: david.von.ohe...@siemens.com | | http://scd.siemens.de/db4/lookUp?tcgid=Z000ECRO http://ddvo.net/ | +--+ ___ openssl-bugs-mod mailing list openssl-bugs-...@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev