[openssl-users] EVP_get_digestbyobj fails for ecdsa-with-SHA256

Chris Bare chris.bare at gmail.com
Thu Jul 7 19:09:16 UTC 2016


Ok, that makes sense with what I'm seeing. I just tried changing this:
    const EVP_MD* md = EVP_get_digestbyobj(sig_alg_oid);
to this:
    const EVP_MD* md = EVP_get_digestbyname("SHA256");

and it all worked correctly.
so given that I have an OID for ecdsa-with-SHA256, is there a function that
will return just the digest algorithm?
I'm trying to be as flexible as possible, so I don't want to hard code this
or have my own limited lookup table.

On Thu, Jul 7, 2016 at 2:54 PM, Jakob Bohm <jb-openssl at wisemo.com> wrote:

> On 07/07/2016 20:08, Chris Bare wrote:
>
>> EVP_get_digestbyobj fails for ecdsa-with-SHA256
>>
>> ecdsa-with-SHA256 is not a digest algorithm, it is a signature
> algorithm with a specific choice of digest algorithm (SHA256).
>
> In OpenSSL 1.0.2 and older there is a very old compatibility
> feature which allows accessing a few old signature+digest
> algorithm pairs via a digest algorithm object.
>
> Specifically:
>
> RSA with md2, md4, md5, mdc2, ripemd, SHA-0, SHA-1, SHA224,
>          SHA256, SHA384 and SHA512
> DSA with SHA-0 and SHA1
> ECDSA with with SHA1
>
> This has been deprecated for a long time, but the compatibility
> code makes your code below work for the above algorithm pairs.
>
> The reason this compatibility code is deprecated is that it
> causes the RSA algorithm to be referenced every time someone
> tries to reference just the hash algorithm object for one of
> the digest algorithms listed above.
>
> I'm trying to perform a standard signature verification using the EVP_*
>> functions.
>> I think my code is correct, because it all runs fine if the digest is
>> RSA-SHA256.
>> I have an ASN1_OBJECT that specifics the signature/disgest type.
>> Here is my code that dumps out all the intermediate steps called by
>> EVP_get_digestbyobj:
>>
>> ASN1_OBJECT * ;
>>
>> OBJ_obj2txt(name, 256, sig_alg_oid, 1);
>> printf ("NAME %s", name);
>> printf ("NID = %d", OBJ_obj2nid(sig_alg_oid));
>> printf ("sn = %s", OBJ_nid2sn(OBJ_obj2nid(sig_alg_oid)));
>> printf ("OBJ_NAME_get = %p",
>> OBJ_NAME_get(OBJ_nid2sn(OBJ_obj2nid(sig_alg_oid)),OBJ_NAME_TYPE_MD_METH));
>> const EVP_MD* md = EVP_get_digestbyobj(sig_alg_oid);
>> if(md == NULL)
>>         printf ("EVP_get_digestbyobj failed");
>>
>> When I call this with the RSA-SHA256 I get:
>> NAME 1.2.840.113549.1.1.11
>> NID = 668
>> sn = RSA-SHA256
>> OBJ_NAME_get = 0x7fe8846f1ee0
>>
>> and the rest of the steps succeeed.
>> Then when I call the same code (in the same program, so I'm sure the
>> openssl library is correctly initialized) with
>> ecdsa-with-SHA256, I get:
>> NAME 1.2.840.10045.4.3.2
>> NID = 794
>> sn = ecdsa-with-SHA256
>> OBJ_NAME_get = (nil)
>> EVP_get_digestbyobj failed
>>
>> So it looks like my sig_alg_oid is good, but OBJ_NAME_get fails.
>>
>> I am using openssl 1.0.2d-0ubuntu1.5 in ubuntu 15.10
>>
>> Am I doing something wrong, or could this be a bug in the library?
>> Any suggestions appreciated.
>>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>



-- 
Chris Bare
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160707/fa5e4683/attachment.html>


More information about the openssl-users mailing list