<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#000000">Hi list.<br></div><div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)">I'm currently implementing a signing routine and for that I'm using the high-level API EVP according to <a href="https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying">this page</a>. I'm using openssl 1.0.2m.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)">I need to sign with hashing SHA256 and prime256v1, with the former retrieved via "EVP_get_digestbyname". The private key is stored in a PEM file and loaded via "PEM_read_bio_PrivateKey". It is correctly loaded and correctly recognized to be of type EC (408).</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)">So far so good, I am able to sign the payload and verify it. Hence, the procedure is correctly carried out. HOWEVER, once the signed payload is sent to the server, it is rejected. 
I believe the issue is with "<span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">prime256v1" because, as far as I can tell, that is not the default curve for EC signing.</span></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Looking into the documentation I tried to set the correct curve like this (smart pointers used, error handling ignored for the sake of brevity):</span></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)"><span 
style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><div class="gmail_default" style="font-size:small;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">

<pre style="margin:0px;text-indent:0px">// mdctx and key are smart pointers holding the EVP_MD_CTX and the EVP_PKEY
// loaded with PEM_read_bio_PrivateKey; digestFunction comes from EVP_get_digestbyname
EVP_PKEY_CTX *pctx;
EVP_DigestSignInit(mdctx.get(), &amp;pctx, digestFunction, NULL, key.get());

EVP_PKEY_paramgen_init(pctx);
EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1);
// usual steps...</pre></span></div><div class="gmail_default" style="font-size:small;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><div class="gmail_default" style="font-size:small;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">But that leads to errors in "EVP_DigestSignFinal" and the inability to sign the payload. 
Probably this is not the correct way to set the curve.</span></div><div class="gmail_default" style="font-size:small;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><div class="gmail_default" style="font-size:small;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">So, what's the correct way to sign a payload with SHA256 and <span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">prime256v1? 
Is the EVP API the correct one?</span></span></div><div class="gmail_default" style="font-size:small;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></span></div><div class="gmail_default" style="font-size:small;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Thanks in advance for the help.</span></span></div><div class="gmail_default" style="font-size:small;color:rgb(0,0,0)"><span 
style="color:rgb(0,0,0);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">F.</span></span></div></div></div>