Refactring FIPS_escda_sign() for OpenSSL 3.0.0

Matt Caswell matt at openssl.org
Thu Oct 28 09:00:11 UTC 2021



On 27/10/2021 19:04, Kory Hamzeh wrote:
> 
> Hi,
> 
> I am upgrading some 3RD party code which performs FIPS ECDSA AVS testing for FIPS 140-2 certification. The code uses FIPS_escda_sign(), which in Openssl-fips-2.0.5 is define as:
> 
> ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key,
> 			const unsigned char *msg, size_t msglen
> ,			const EVP_MD *mhash)
> 
> 
> The full code is here:
> 
> https://github.com/majek/openssl/blob/master/fips/ecdsa/fips_ecdsavs.c
> 
> I have read through all of the ECDSA sign man pages, and I cannot find a functions that is close to accepting some of the same parameter. I could use some help please. I have very little experience with ECDSA.

You need to use the EVP_DigestSignInit_ex/Update/Final APIs instead. See 
the man page here:

https://www.openssl.org/docs/man3.0/man3/EVP_DigestSignInit_ex.html

To do that you will need to have the key as an EVP_PKEY instead of an 
EC_KEY. The code you pointed at generates a new key using 
EC_KEY_generate_key(). Instead you can use EVP_PKEY_Q_keygen():

https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_Q_keygen.html

To get the public key x/y co-ords and the private key value you need to 
use EVP_PKEY_get_bn_param:

https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_get_bn_param.html

See also:

https://www.openssl.org/docs/man3.0/man7/EVP_PKEY-EC.html

Matt


More information about the openssl-users mailing list