[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA
David von Oheimb via RT
rt at openssl.org
Thu Jul 2 10:21:32 UTC 2015
Thanks a lot Steve for your constructive comments.
> That's expected behaviour. The EVP_get_digestbynid funtion expects a digest NID
> whereas you are passing a signature NID instead. It does accept some signature
> NIDs for historical compatibility reasons.
I now understand that the code I extended for EC support was abusing
EVP_get_digestbynid(), which worked just for compatibility reasons for
RSA (only). Yet why not broaden this function (or better its underlying
mapping) to handle ECDSA (and possibly any other types of) signatures.
> The thread you mention shows you how to convert a signature NID into the digest
> and public key algorithm NID.
The hint you gave in that thread was to use OBJ_find_sigid_algs()
and this indeed works fine and is cleaner :-)
> However I suspect you shouldn't be trying to do things at that level for
> signatures. If you need to sign or verify ASN.1 data you can use ASN1_item_sign
> or ASN1_item_verify and key and digest handling and lookup is handled automatically.
Good point that they better should have used a more high-level
signature/verification function. Yet the proposed functions, as well as
ASN1_sign and ASN1_verify, still require the (plain) md parameter.
And for instance the more abstract function
int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
uses again
md = EVP_get_digestbyobj(si->digest_alg->algorithm);
such that the use of OBJ_find_sigid_algs() appears indispensable.
David.
More information about the openssl-dev
mailing list