Refactring FIPS_escda_sign() for OpenSSL 3.0.0
Matt Caswell
matt at openssl.org
Thu Oct 28 09:00:11 UTC 2021
On 27/10/2021 19:04, Kory Hamzeh wrote:
>
> Hi,
>
> I am upgrading some 3RD party code which performs FIPS ECDSA AVS testing for FIPS 140-2 certification. The code uses FIPS_escda_sign(), which in Openssl-fips-2.0.5 is define as:
>
> ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key,
> const unsigned char *msg, size_t msglen
> , const EVP_MD *mhash)
>
>
> The full code is here:
>
> https://github.com/majek/openssl/blob/master/fips/ecdsa/fips_ecdsavs.c
>
> I have read through all of the ECDSA sign man pages, and I cannot find a functions that is close to accepting some of the same parameter. I could use some help please. I have very little experience with ECDSA.
You need to use the EVP_DigestSignInit_ex/Update/Final APIs instead. See
the man page here:
https://www.openssl.org/docs/man3.0/man3/EVP_DigestSignInit_ex.html
To do that you will need to have the key as an EVP_PKEY instead of an
EC_KEY. The code you pointed at generates a new key using
EC_KEY_generate_key(). Instead you can use EVP_PKEY_Q_keygen():
https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_Q_keygen.html
To get the public key x/y co-ords and the private key value you need to
use EVP_PKEY_get_bn_param:
https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_get_bn_param.html
See also:
https://www.openssl.org/docs/man3.0/man7/EVP_PKEY-EC.html
Matt
More information about the openssl-users
mailing list