[openssl-users] ECDSA digest configurations
Dr. Stephen Henson
steve at openssl.org
Tue Apr 28 11:13:18 UTC 2015
On Mon, Apr 27, 2015, Rajeswari K wrote:
> Hi Steve,
>
> Thanks for the response.
>
> We are using openssl-1.0.1j.
>
> Following is how have configured NID_sha1 and NID_ecdsa_with_sha1.
>
> We use our own signature and digest methods. But, i see modification of
> digest has issue. If i dont set any digest method, then our signature
> functions are getting used and for digest openssl's sha1, sha256 etc
> functions are getting used.
>
> I see that configuraiton of NID_ecdsa_with_sha1 has some issue on my setup.
> Please take a look at these configurations and provide your inputs.
>
>
> ECDSA digest structure :
>
> static const EVP_MD ios_ecdsa_sha1 =
> {
> NID_ecdsa_with_SHA1,
> NID_ecdsa_with_SHA1,
> SHA_DIGEST_LENGTH,
> EVP_MD_FLAG_PKEY_METHOD_SIGNATURE,
> sha1init,
> sha1update,
> sha1final,
> NULL,
> NULL,
> EVP_PKEY_ECDSA_method,
> SHA_CBLOCK,
> sizeof(EVP_MD *)+sizeof(SHA1_CTX)
> };
>
> RSA digest structure :
> static const EVP_MD ios_sha1_md =
> {
> NID_sha1,
> NID_sha1WithRSAEncryption,
> SHA_DIGEST_LENGTH,
> 0,
> sha1init,
> sha1update,
> sha1final,
> NULL,
> NULL,
> EVP_PKEY_RSA_method,
> SHA_CBLOCK,
> sizeof(EVP_MD *) + sizeof(SHA1_CTX)
> };
>
> With this update, only RSA ciphers are working fine. But not ECDSA ciphers.
>
As I said for OpenSSL 1.0.0 and later there is no need for an "ECDSA digest"
the SHA1 digest (which is the one you call "RSA digest") can be used to sign
any appropriate algorithm if you set EVP_MD_FLAG_PKEY_METHOD_SIGNATURE:
but in your example you've set it to 0.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users
mailing list