Providers: Setting the Signature OID and Parameters

Tomas Mraz tomas at
Wed Aug 30 08:52:17 UTC 2023

On Tue, 2023-08-29 at 13:56 -0600, Dr. Pala wrote:
> Hello OpenSSL Community,
> this might be a "newbie" question related to the 3.x providers
> architecture, but I am having some issues understanding where the
> signature OID should be actually set when generating a new signature.
> Similarly, when validating signatures, which are the functions that
> are supposed to check / use the signature OIDs and parameters?
> For example, are these the functions where you are supposed to set
> the signature OIDs (sign/digest sign)?
>  * OSSL_FUNC_signature_sign_init_fn
>  * OSSL_FUNC_signature_sign_fn
>  * OSSL_FUNC_signature_digest_sign_init_fn
>  * OSSL_FUNC_signature_digest_sign_fn
> or maybe it is done through the signature ctx params?
>  * OSSL_FUNC_signature_set_ctx_params
>  * OSSL_FUNC_signature_settable_ctx_params
> or, again, this is the more appropriate set of functions?
>  * OSSL_FUNC_signature_set_ctx_md_params
>  * OSSL_FUNC_signature_settable_ctx_md_params
> If I understand the documentation here:
>  *
> The "algorithm-id" and the "digest" can be set/get via the
> OSSL_FUNC_signature_gettable_ctx_params() and
> OSSL_FUNC_signature_settable_ctx_params() where, I guess, you use the
> context to save/get the algorithm(s)... but where can I get the
> pointer to the X509_ALGOR to get/set OIDs and parameter(s)?
> Thanks,
>  Max

The algorithm-id parameter is gettable only. I.e. the application is
supposed to get the algorithm-id in the DER encoded from by using
EVP_PKEY_CTX_get_params() which in turn calls the get_ctx_params
function from your proovider.

Generating the algorithm-id is a responsibility of your provider based
on the algorithm parameters set by the application. You can look at the
existing provider code for an inspiration.

Tomáš Mráz, OpenSSL

More information about the openssl-users mailing list