Providers: Setting the Signature OID and Parameters

Tomas Mraz tomas at openssl.org
Wed Aug 30 08:52:17 UTC 2023


On Tue, 2023-08-29 at 13:56 -0600, Dr. Pala wrote:
> Hello OpenSSL Community,
> this might be a "newbie" question related to the 3.x providers
> architecture, but I am having some issues understanding where the
> signature OID should be actually set when generating a new signature.
> Similarly, when validating signatures, which are the functions that
> are supposed to check / use the signature OIDs and parameters?
> For example, are these the functions where you are supposed to set
> the signature OIDs (sign/digest sign)?
>  * OSSL_FUNC_signature_sign_init_fn
>  * OSSL_FUNC_signature_sign_fn
>  * OSSL_FUNC_signature_digest_sign_init_fn
>  * OSSL_FUNC_signature_digest_sign_fn
> or maybe it is done through the signature ctx params?
>  * OSSL_FUNC_signature_set_ctx_params
>  * OSSL_FUNC_signature_settable_ctx_params
> or, again, is this the more appropriate set of functions?
>  * OSSL_FUNC_signature_set_ctx_md_params
>  * OSSL_FUNC_signature_settable_ctx_md_params
> If I understand the documentation here:
>  * https://www.openssl.org/docs/man3.1/man7/provider-signature.html
> The "algorithm-id" and the "digest" can be set/get via the
> OSSL_FUNC_signature_gettable_ctx_params() and
> OSSL_FUNC_signature_settable_ctx_params() where, I guess, you use the
> context to save/get the algorithm(s)... but where can I get the
> pointer to the X509_ALGOR to get/set OIDs and parameter(s)?
> Thanks,
>  Max

The algorithm-id parameter is gettable only. I.e. the application is
supposed to get the algorithm-id in the DER encoded form by using
EVP_PKEY_CTX_get_params() which in turn calls the get_ctx_params
function from your provider.

Generating the algorithm-id is a responsibility of your provider based
on the algorithm parameters set by the application. You can look at the
existing provider code for inspiration.

https://github.com/openssl/openssl/tree/master/providers/common/der

-- 
Tomáš Mráz, OpenSSL
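To make concrete what "generating the algorithm-id" means for a provider, here is an added example (not OpenSSL's own code and not taken from the providers/common/der tree) that builds the DER AlgorithmIdentifier a provider would hand back from its get_ctx_params for "algorithm-id" (OSSL_SIGNATURE_PARAM_ALGORITHM_ID), and checks a received encoding against the expected one the way a verifier should, byte for byte including the parameters. The function names are hypothetical; the OID byte strings are the standard encodings of sha256WithRSAEncryption and ecdsa-with-SHA256.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard OID contents (tag/length omitted): 1.2.840.113549.1.1.11 */
static const uint8_t OID_SHA256_RSA[]   = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b};
/* 1.2.840.10045.4.3.2 */
static const uint8_t OID_ECDSA_SHA256[] = {0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02};
/* Reference encodings, used below as sample "received" algorithm-id values. */
static const uint8_t ALGID_SHA256_RSA[]   = {0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
                                             0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00};
static const uint8_t ALGID_ECDSA_SHA256[] = {0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,
                                             0x3d,0x04,0x03,0x02};

/* DER AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }.
 * PKCS#1 v1.5 RSA signatures carry an explicit NULL parameter; ECDSA omits
 * the parameters entirely. Short-form lengths (< 128 bytes) are enough for
 * every signature AlgorithmIdentifier in practice. Returns the encoded
 * length, or 0 if the buffer is too small or an input is out of range. */
size_t build_algorithm_id(const uint8_t *oid, size_t oid_len, int with_null_params,
                          uint8_t *out, size_t out_len)
{
    size_t body  = 2 + oid_len + (with_null_params ? 2 : 0);
    size_t total = 2 + body;
    if (oid_len == 0 || oid_len > 125 || out == NULL || total > out_len)
        return 0;
    uint8_t *p = out;
    *p++ = 0x30; *p++ = (uint8_t)body;      /* SEQUENCE header */
    *p++ = 0x06; *p++ = (uint8_t)oid_len;   /* OBJECT IDENTIFIER */
    memcpy(p, oid, oid_len); p += oid_len;
    if (with_null_params) { *p++ = 0x05; *p++ = 0x00; } /* NULL parameters */
    return total;
}

/* Verifier-side check: a received algorithm-id must equal the expected
 * encoding exactly. Comparing only the OID would accept a NULL-vs-absent
 * parameter mismatch or trailing garbage; comparing the whole DER does not. */
int algorithm_id_matches(const uint8_t *got, size_t got_len,
                         const uint8_t *oid, size_t oid_len, int with_null_params)
{
    uint8_t expect[64];
    size_t n = build_algorithm_id(oid, oid_len, with_null_params, expect, sizeof expect);
    return n != 0 && n == got_len && memcmp(got, expect, n) == 0;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_algorithm_id(OID_SHA256_RSA, sizeof OID_SHA256_RSA, 1, buf, sizeof buf);
    for (size_t i = 0; i < n; i++) printf("%02x", buf[i]);   /* the bytes a get of "algorithm-id" returns */
    printf("\nmatches: %d\n", algorithm_id_matches(ALGID_ECDSA_SHA256, sizeof ALGID_ECDSA_SHA256,
                                                   OID_ECDSA_SHA256, sizeof OID_ECDSA_SHA256, 0));
    return 0;
}
```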


