Refactoring FIPS_ecdsa_sign() for OpenSSL 3.0.0

Matt Caswell matt at
Thu Oct 28 09:00:11 UTC 2021

On 27/10/2021 19:04, Kory Hamzeh wrote:
> Hi,
> I am upgrading some third-party code which performs FIPS ECDSA AVS testing for FIPS 140-2 certification. The code uses FIPS_ecdsa_sign(), which in Openssl-fips-2.0.5 is defined as:
> ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key,
> 			const unsigned char *msg, size_t msglen,
> 			const EVP_MD *mhash)
> The full code is here:
> I have read through all of the ECDSA sign man pages, and I cannot find a function that is close to accepting some of the same parameters. I could use some help please. I have very little experience with ECDSA.

You need to use the EVP_DigestSignInit_ex/Update/Final APIs instead. See 
the man page here:

To do that you will need to have the key as an EVP_PKEY instead of an 
EC_KEY. The code you pointed at generates a new key using 
EC_KEY_generate_key(). Instead you can use EVP_PKEY_Q_keygen():

To get the public key x/y co-ords and the private key value you need to 
use EVP_PKEY_get_bn_param:

See also:

