[openssl-users] EVP signing

Matt Caswell matt at openssl.org
Wed Mar 14 09:46:52 UTC 2018

On 14/03/18 09:20, Federico Buti wrote:
> Hi list.
> I'm currently implementing a signing routine and for that I'm using the
> high-level API EVP according to this page
> <https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying>. I'm
> using openssl 1.0.2m.
> I need to sign with hashing SHA256 and prime256v1, with the former
> retrieved via "EVP_get_digestbyname". The private key is stored in a PEM
> file and loaded via "PEM_read_bio_PrivateKey". It is correctly loaded
> and correctly recognized to be of type EC (408).
> So far so good, I am able to sign the payload and verify it. Hence, the
> procedure is correctly carried out. HOWEVER, once the signed payload is
> sent to the server, it is rejected. I believe the issue is with
> "prime256v1" because, as far as I can tell, that is not the default
> curve for EC signing.
> Looking into the documentation I tried to set the correct curve like
> this (smart pointers used, error handling ignored for the sake of brevity):
> EVP_PKEY_CTX*pctx;
> EVP_DigestSignInit(mdctx.get(), &pctx, digestFunction, NULL, key.get()))
> EVP_PKEY_paramgen_init(pctx);
> EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,NID_X9_62_prime256v1);
> // usual steps...
> But that leads to errors in "EVP_DigestSignFinal" and the inability to
> sign the payload. Probably this is not the correct way to set the curve.
> So, what's the correct way to sign a payload with SHA256 and prime256v1?
> Is EVP api the correct one?

Yes, EVP is the correct API. An EC private key is tied to the curve that
was used to generate it, so any signatures will be based on that curve.
If your private key isn't using prime256v1 and that curve is a
requirement then you'll need to generate a new key.


> Thanks in advance for the help.
> F.

More information about the openssl-users mailing list