[openssl-users] EVP_get_digestbyobj fails for ecdsa-with-SHA256

Jakob Bohm jb-openssl at wisemo.com
Thu Jul 7 18:54:50 UTC 2016 

On 07/07/2016 20:08, Chris Bare wrote:
> EVP_get_digestbyobj fails for ecdsa-with-SHA256
>
ecdsa-with-SHA256 is not a digest algorithm, it is a signature
algorithm with a specific choice of digest algorithm (SHA256).

In OpenSSL 1.0.2 and older there is a very old compatibility
feature which allows accessing a few old signature+digest
algorithm pairs via a digest algorithm object.

Specifically:

RSA with md2, md4, md5, mdc2, ripemd, SHA-0, SHA-1, SHA224,
          SHA256, SHA384 and SHA512
DSA with SHA-0 and SHA1
ECDSA with with SHA1

This has been deprecated for a long time, but the compatibility
code makes your code below work for the above algorithm pairs.

The reason this compatibility code is deprecated is that it
causes the RSA algorithm to be referenced every time someone
tries to reference just the hash algorithm object for one of
the digest algorithms listed above.
> I'm trying to perform a standard signature verification using the 
> EVP_* functions.
> I think my code is correct, because it all runs fine if the digest is 
> RSA-SHA256.
> I have an ASN1_OBJECT that specifics the signature/disgest type.
> Here is my code that dumps out all the intermediate steps called by 
> EVP_get_digestbyobj:
>
> ASN1_OBJECT * ;
>
> OBJ_obj2txt(name, 256, sig_alg_oid, 1);
> printf ("NAME %s", name);
> printf ("NID = %d", OBJ_obj2nid(sig_alg_oid));
> printf ("sn = %s", OBJ_nid2sn(OBJ_obj2nid(sig_alg_oid)));
> printf ("OBJ_NAME_get = %p", 
> OBJ_NAME_get(OBJ_nid2sn(OBJ_obj2nid(sig_alg_oid)),OBJ_NAME_TYPE_MD_METH));
> const EVP_MD* md = EVP_get_digestbyobj(sig_alg_oid);
> if(md == NULL)
>         printf ("EVP_get_digestbyobj failed");
>
> When I call this with the RSA-SHA256 I get:
> NAME 1.2.840.113549.1.1.11
> NID = 668
> sn = RSA-SHA256
> OBJ_NAME_get = 0x7fe8846f1ee0
>
> and the rest of the steps succeeed.
> Then when I call the same code (in the same program, so I'm sure the 
> openssl library is correctly initialized) with
> ecdsa-with-SHA256, I get:
> NAME 1.2.840.10045.4.3.2
> NID = 794
> sn = ecdsa-with-SHA256
> OBJ_NAME_get = (nil)
> EVP_get_digestbyobj failed
>
> So it looks like my sig_alg_oid is good, but OBJ_NAME_get fails.
>
> I am using openssl 1.0.2d-0ubuntu1.5 in ubuntu 15.10
>
> Am I doing something wrong, or could this be a bug in the library?
> Any suggestions appreciated.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list