SHA1 Hashing in FIPS Provider

Kevin Millson Kevin.Millson at
Fri Feb 11 08:35:59 UTC 2022

Hello OpenSSL Users,

I’m trying to use SHA1 message digest hashing in combination with the FIPS provider, but seem to be running into issues. My code looks like the following:

EVP_PKEY* privateKey = getPrivateKey();
EVP_MD_CTX* mdContex = EVP_MD_CTX_new();
if (mdContex != NULL) {
      const EVP_MD* messageDigest = EVP_MD_fetch(NULL, "SHA-1", "provider=fips");
      if (EVP_DigestSignInit(mdContex, NULL, messageDigest, NULL, privateKey) == 1) {
            std::cout << "Success";
      } else {
            std::cout << "EVP_DigestSignInit failed";

The call to EVP_DigestSignInit() always fails. If I switch to SHA-256 then it works fine. I thought SHA-1 wasn’t allowed for raw sign operations, but was still okay for message digests calculated via the EVP_MD related methods, is that thinking incorrect? And in fact, all use of SHA-1 with FIPS is disallowed?

Kevin Millson.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list