On Tue, Mar 09, 2010, Dr. Stephen Henson wrote:

> On Tue, Mar 09, 2010, Martin Kaiser via RT wrote:
>
> > Hello Steve,
> >
> > Thus wrote Stephen Henson via RT (r...@openssl.org):
> >
> > > I'll look into PSS signing at some point too.
> >
> > Any chance I can contribute to this, based on your approach for
> > verification?
> >
> > A while ago, I extended my patch to support basic PSS signing. For this,
> > I added a -pss command line parameter to x509 which uses the default PSS
> > parameters and does not explicitly encode them. Instead, an empty
> > sequence is used to indicate default parameters.
> >
>
> I'll have to think about that a bit more. I really want a general solution
> where you can use all sorts of different algorithm types and parameters, both
> at an application level and on the command line. There isn't currently an
> actual framework to do that and some new APIs will be needed.
>
> I'm divided between something which uses ASN1 pre-setup to obtain the
> parameters (which means you need a generalised API to setup the ASN1 in the
> first place) or something which takes an EVP_PKEY_CTX and uses that to setup
> the ASN1. The latter is cleaner and already has application and command line
> APIs but needs some way to transparently extract the data from an
> EVP_PKEY_CTX: which is opaque at an application level. Some ctrls to get md's,
> padding modes, salt lengths etc would work.
>
There was something which felt wrong about that idea I couldn't pin down until I wrote it. I've realised what it is now... we should have a companion item_sign() function in the EVP_PKEY_ASN1_METHOD and that can get the digest directly and private key from EVP_MD_CTX. Then ASN1_item_sign() becomes ASN1_item_sign_ctx() and ASN1_item_sign() becomes a special case.

I'll consider it a bit more but I think that could work and as a bonus would tidy up some code that's already there.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
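The thread turns on two things: the RSASSA-PSS-params structure that a signer has to emit once it knows the digest, padding mode and salt length (the values Steve wants to pull out of an EVP_PKEY_CTX), and Martin's observation that all-default parameters encode as an empty SEQUENCE. The following is an added example, not code from the thread or from OpenSSL: a stand-alone encoder and decoder for RSASSA-PSS-params as defined in RFC 8017 (A.2.3), hand-rolled on the Python standard library, that omits every field equal to its DEFAULT on the way out and fills defaults back in on the way in. The digest names, salt lengths and helper names are this example's own choices; the MGF1 digest is tied to the message digest, as signers usually do.

```python
"""RSASSA-PSS-params (RFC 8017, A.2.3) encode/decode with DEFAULT handling.

Added example for the discussion above; constructed inputs, stdlib only.
"""

# DER OBJECT IDENTIFIER TLVs (tag 0x06 and length included).
HASH_OIDS = {
    "sha1":   bytes.fromhex("06052b0e03021a"),          # 1.3.14.3.2.26
    "sha256": bytes.fromhex("0609608648016503040201"),  # 2.16.840.1.101.3.4.2.1
    "sha384": bytes.fromhex("0609608648016503040202"),  # 2.16.840.1.101.3.4.2.2
    "sha512": bytes.fromhex("0609608648016503040203"),  # 2.16.840.1.101.3.4.2.3
}
MGF1_OID = bytes.fromhex("06092a864886f70d010108")      # 1.2.840.113549.1.1.8
DER_NULL = b"\x05\x00"

# RFC 8017 DEFAULTs: sha1, mgf1SHA1, saltLength 20, trailerField 1 (0xBC).
DEFAULTS = {"hash": "sha1", "mgf1_hash": "sha1", "salt_len": 20, "trailer": 1}


def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    # Non-negative INTEGER; a leading 0x00 is added when the top bit is set.
    return der_tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def der_algid(oid: bytes, params: bytes = DER_NULL) -> bytes:
    return der_tlv(0x30, oid + params)


def encode_pss_params(hash_name="sha1", salt_len=20, trailer=1) -> bytes:
    """Encode RSASSA-PSS-params, omitting every field equal to its DEFAULT.

    All-default inputs therefore produce the empty SEQUENCE 30 00.
    """
    body = b""
    if hash_name != DEFAULTS["hash"]:
        hash_algid = der_algid(HASH_OIDS[hash_name])
        body += der_tlv(0xA0, hash_algid)                       # hashAlgorithm    [0]
        body += der_tlv(0xA1, der_algid(MGF1_OID, hash_algid))  # maskGenAlgorithm [1]
    if salt_len != DEFAULTS["salt_len"]:
        body += der_tlv(0xA2, der_int(salt_len))                # saltLength       [2]
    if trailer != DEFAULTS["trailer"]:
        body += der_tlv(0xA3, der_int(trailer))                 # trailerField     [3]
    return der_tlv(0x30, body)


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, end) for the TLV at buf[pos]; raises on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + ln > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, buf[pos:pos + ln], pos + ln


def hash_name_from_algid(algid: bytes) -> str:
    tag, seq, _ = parse_tlv(algid)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    _, _, oid_end = parse_tlv(seq)
    for name, oid in HASH_OIDS.items():
        if oid == seq[:oid_end]:
            return name
    raise ValueError("unsupported digest OID " + seq[:oid_end].hex())


def decode_pss_params(der: bytes) -> dict:
    """Decode RSASSA-PSS-params, restoring absent fields from their DEFAULTs."""
    tag, body, end = parse_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("RSASSA-PSS-params must be exactly one SEQUENCE")
    params = dict(DEFAULTS)
    pos, last_tag = 0, -1
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        if tag <= last_tag:                       # DER: fields in order, none repeated
            raise ValueError("fields out of order or repeated")
        last_tag = tag
        if tag == 0xA0:
            params["hash"] = hash_name_from_algid(inner)
        elif tag == 0xA1:
            _, mgf_seq, _ = parse_tlv(inner)      # SEQUENCE { mgf1 OID, hash AlgId }
            _, _, oid_end = parse_tlv(mgf_seq)
            if mgf_seq[:oid_end] != MGF1_OID:
                raise ValueError("unsupported mask generation function")
            params["mgf1_hash"] = hash_name_from_algid(mgf_seq[oid_end:])
        elif tag in (0xA2, 0xA3):
            int_tag, val, _ = parse_tlv(inner)
            if int_tag != 0x02:
                raise ValueError("expected INTEGER")
            params["salt_len" if tag == 0xA2 else "trailer"] = int.from_bytes(val, "big")
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    if params["trailer"] != 1:
        raise ValueError("only trailerField 1 (0xBC) is defined")
    return params


if __name__ == "__main__":
    print(encode_pss_params().hex())              # 3000: Martin's empty SEQUENCE
    print(encode_pss_params("sha256", 32).hex())
    print(decode_pss_params(encode_pss_params("sha256", 32)))
```

The decoder is the half a verifier cares about: it rejects truncated lengths, out-of-order or repeated fields and an unknown MGF rather than guessing, and it never trusts the encoded salt length to be consistent with the digest; that consistency check belongs to the PSS verification step, which also has to bound the salt length against the modulus size.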