Michael Kelley <[email protected]> wrote:
> Pardon my ignorance of the signing details, but I don't see an indication
> of having selected PKCS#7 with SHA1 in my .config. What am I looking for?
Actually, if you have openssl >= 1.0.0 then it sign-file will be built to use
CMS rather than PKCS#7, and will use the configured hash algo, so you can
ignore this.
> The symbols CMS_NO_SIGNING_TIME,
I can probably just not add that.
> EVP_PKEY_is_a()
I guess I can probably make this contingent on >= 3.0.0.
> and OPENSSL_VERSION_MAJOR don't exist in the include/openssl/* files for
> that old version.
I should probably use OPENSSL_VERSION_NUMBER instead - though we already use
it for selecting #includes (I guess #if doesn't complain).
Do the attached changes work for you?
David
---
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 547b97097230..78276b15ab23 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -27,7 +27,7 @@
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/err.h>
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
# define USE_PKCS11_PROVIDER
# include <openssl/provider.h>
# include <openssl/store.h>
@@ -323,18 +323,21 @@ int main(int argc, char **argv)
CMS_DETACHED |
CMS_STREAM |
CMS_NOSMIMECAP |
+#ifdef CMS_NO_SIGNING_TIME
CMS_NO_SIGNING_TIME |
+#endif
use_keyid;
- if ((EVP_PKEY_is_a(private_key, "ML-DSA-44") ||
- EVP_PKEY_is_a(private_key, "ML-DSA-65") ||
- EVP_PKEY_is_a(private_key, "ML-DSA-87")) &&
- OPENSSL_VERSION_MAJOR < 4) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER <
0x40000000L
+ if (EVP_PKEY_is_a(private_key, "ML-DSA-44") ||
+ EVP_PKEY_is_a(private_key, "ML-DSA-65") ||
+ EVP_PKEY_is_a(private_key, "ML-DSA-87")) {
/* ML-DSA + CMS_NOATTR is not supported in openssl-3.5
* and before.
*/
use_signed_attrs = 0;
}
+#endif
flags |= use_signed_attrs;
