OpenSSL 1.1.1: How to get signature algorithm id? (no EVP_MD_FLAG_PKEY_METHOD_SIGNATURE)
Andrew Lynch
andrew.lynch at atos.net
Thu Feb 9 15:21:27 UTC 2023
Hi,
I have some old code that determines the signature algorithm OID given a combination of EVP_PKEY *pkey and EVP_MD *digest. It contains an #ifdef EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. If true, it uses OBJ_find_sigid_by_algs() with the digest and pkey->ameth->pkey_id to get the OID. The else case uses EVP_MD_pkey_type() with only the digest.
Given an ECDSA pkey and a SHA256 digest the application using OpenSSL 1.0.2 outputs the expected ecdsa-with-SHA256. With OpenSSL 1.1.1 it incorrectly outputs sha256WithRSAEncryption.
OpenSSL 1.0.2 has the flag defined whereas it does not exist at all in 1.1.1. As EVP_MD_pkey_type() only has the digest to work with it will always return NID_sha256WithRSAEncryption regardless of the type of EVP_PKEY that is actually used with the digest to create a signature.
Which API calls can I use in OpenSSL 1.1.1 to get the correct signature algorithm id given some combination of EVP_PKEY and EVP_MD?
Regards,
Andrew.