> From: [email protected] On Behalf Of Tatiana Evers
> Sent: Thursday, 15 December, 2011 14:55
> Thanks Dave. It worked fine :)
Apparently not completely because:
> Did you know how I get the digest algorithm for X.509 certificates.
> I saw something about OID, but I didn't find the list of valid OID
> and the corresponding algorithms.
That field is the OID for the *signature* algorithm,
which includes (implies) the digest algorithm (except for
raw signature, which in practice X.509 certs never use).
In particular, there have long been standard OIDs for
{MD2,MD4,MD5,SHA1}-RSA SHA1-DSA SHA1-ECDSA;
recently (variousSHA2)-{RSA,DSA,ECDSA} were added.
In practice I don't think anybody used {MD2,MD4}-RSA
for certs, but if your requirement is actually to exclude
insecure digests rather than excluding MD5 in particular
you probably want to exclude those also.
The OIDs known by OpenSSL, which I think includes all
relevant standards, are in crypto/objects/objects.txt and
obj_xref.txt, from which several files including objects.h
are autogenerated. obj_xref.txt in particular contains the
mapping of (named) signature OIDs to digest + rawsign parts,
and shows that there are two standard OIDs for MD5-RSA,
and none for MD5 with anything else.
You could just compare the cert sigalg to those OIDs,
but it's a bit inconvenient to manipulate OIDs directly.
OpenSSL mostly works by mapping known OIDs to an internal
integer called NID, hence as I suggested call OBJ_obj2nid
on the sigalg from the cert, and compare the returned NID
to the NIDs you don't want and to NID_undef = unknown.
If you need to deal with certs using nonstandard sigalgs,
it'll be a little harder. But since normally the purpose
of certs is to be interoperable, anyone using a nonstandard
sigalg in a cert may be suspect anyway.
> 2011/12/9 Dave Thompson <[email protected]>
> Just use x509->sig_alg->algorithm and maybe OBJ_obj2nid .
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
