RE: pkcs7_sign() / cms_sign() : using SHA256 hash

2014-09-23 Thread Salz, Rich
RT is sometimes slow.  If you sent email to rt, give it a couple of days and 
resend.


--  
Principal Security Engineer, Akamai Technologies
IM: rs...@jabber.me Twitter: RichSalz
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: pkcs7_sign() / cms_sign() : using SHA256 hash

2014-09-23 Thread f.gaschet
Thank you Stephen. I'll try to do that and then I'll tell the other 
OFTP2 editors how to do it!


BTW: Rich told me: "open a ticket". I tried to do so by writing to 
r...@openssl.org but I got nothing back.


Best regards,
--
Francis



On 20/09/2014 01:36, Dr. Stephen Henson wrote:

On Fri, Sep 12, 2014, Francis GASCHET wrote:


Hello,

From the man page, it looks like signing packages always use SHA1,
and there is no argument to the pkcs7_sign and cms_sign functions which
would allow one to choose the algorithm.
Maybe I missed something... Or is there some method to sign with
another hash algorithm?


CMS_sign() does use the default digest only. The cms application can use
a different digest though. You can do the same: it's slightly more
complex but not difficult. In outline you do this:

Call CMS_sign(), set the private key argument to NULL and include the flag
CMS_PARTIAL (if you don't already). This just initialises the structure
without actually signing anything.

Add the signer(s) using CMS_add1_signer(); you can specify the digest algorithm
to use with this call. You can add multiple signers using different digest
algorithms here.

If you're streaming, call SMIME_write_CMS() as normal. If not, call CMS_final(),
which will finalise the structure and you can then write it out. This
finalises the structures and performs the content digesting and signing.


Re: pkcs7_sign() / cms_sign() : using SHA256 hash

2014-09-19 Thread Dr. Stephen Henson
On Fri, Sep 12, 2014, Francis GASCHET wrote:

> Hello,
> 
> From the man page, it looks like signing packages always use SHA1,
> and there is no argument to the pkcs7_sign and cms_sign functions which
> would allow one to choose the algorithm.
> Maybe I missed something... Or is there some method to sign with
> another hash algorithm?
> 

CMS_sign() does use the default digest only. The cms application can use
a different digest though. You can do the same: it's slightly more
complex but not difficult. In outline you do this:

Call CMS_sign(), set the private key argument to NULL and include the flag
CMS_PARTIAL (if you don't already). This just initialises the structure
without actually signing anything.

Add the signer(s) using CMS_add1_signer(); you can specify the digest algorithm
to use with this call. You can add multiple signers using different digest
algorithms here.

If you're streaming, call SMIME_write_CMS() as normal. If not, call CMS_final(),
which will finalise the structure and you can then write it out. This
finalises the structures and performs the content digesting and signing.

There is an example of this for two signers (but which doesn't use a different
digest) in demos/cms/cms_sign2.c.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


RE: pkcs7_sign() / cms_sign() : using SHA256 hash

2014-09-12 Thread Salz, Rich
You are right that the top-level API doesn't take a digest parameter. The 
only kind of signature you get is the "default", where default is defined 
per key type.

We should probably have PKCS7_sign_ex() that took a "const EVP_MD*" parameter.  
It'd be trivial to do this.  Same for CMS_sign.  Please open a ticket. 

--  
Principal Security Engineer, Akamai Technologies
IM: rs...@jabber.me Twitter: RichSalz



pkcs7_sign() / cms_sign() : using SHA256 hash

2014-09-12 Thread Francis GASCHET

Hello,

From the man page, it looks like signing packages always use SHA1, and 
there is no argument to the pkcs7_sign and cms_sign functions which would 
allow one to choose the algorithm.
Maybe I missed something... Or is there some method to sign with 
another hash algorithm?


Thanks in advance.
Best regards,
--
Francis
