[openssl-users] How to plug in different digest algorithm implementation into the PKCS7 functions?
stm at pdflib.com
Thu Apr 28 13:08:16 UTC 2016
Am 26.04.16 um 16:25 schrieb Stephan Mühlstrasser:
> I'm trying to plug my own digest algorithm implementation into the PKCS7
> functions for creating a signature (using OpenSSL 1.0.2). The hash
> computation shall be performed on a hardware device.
> For that purpose I wanted to supply my own EVP_MD data structure to
> PKCS7_add_signature(). A rough sketch of my code for replacing the
> standard SHA-256 implementation looks like this:
> static const EVP_MD my_digest_impl =
> /* contains function pointers for my own implementation */
> PKCS7 *p7 = PKCS7_new();
> PKCS7_set_type(p7, NID_pkcs7_signed);
> PKCS7_SIGNER_INFO *si = PKCS7_add_signature(p7, cert, pkey,
> PKCS7_content_new(sig_parms->p7, NID_pkcs7_data);
> PKCS7_set_detached(p7, 1);
> BIO *p7bio = PKCS7_dataInit(p7, NULL);
> How can I plug in my own digest implementation? Do I need to implement a
> full OpenSSL engine for this purpose?
I was able to implement this requirement now by calling BIO_set_md() on
the BIO that is created by PKCS7_dataInit(). The code for replacing the
digest function looks like this (error checking omitted):
static const EVP_MD my_digest_impl =
/* contains function pointers for my own implementation */
BIO *p7bio = PKCS7_dataInit(p7, NULL);
ctx->flags |= EVP_MD_CTX_FLAG_NO_INIT;
ctx->update = my_digest_impl.update;
ctx->md_data = OPENSSL_malloc(my_digest_impl.ctx_size);
/* ... Now the ctx->md_data member is initialized with data specific to
the hardware device ... */
The use of the EVP_MD_CTX_FLAG_NO_INIT flag is necessary, because
otherwise the digests init() function would be called from BIO_set_md()
without the necessary information for initializing the hardware device.
With the flag being set the data can be assigned to the md_data member
after the call to BIO_set_md() and then the digest's init() function can
I'd appreciate any comments if there's a problem with this approach. So
far this seems to be working fine.
More information about the openssl-users