On Mon Mar 24 23:02:59 2014, truer...@sea.plala.or.jp wrote:
> Hi, everyone.
>
> "openssl ts -reply ..." command always uses SHA-1 for signing.
> This patch can specify the message digest algorithm for signing;
>
>
> openssl ts -reply -queryfile req.bin -config tsa.cnf -sha256 > resp.bin
>
> Please merge it.

While I agree with being able to change the digest, there are several
problems with the approach in this patch.

It extends a structure defined in a public header file which introduces
theoretical binary compatibility issues, consider an application allocating
TS_RESP_CTX itself using older headers but a newer library. That could be
overcome by using the flags field to indicate that the structure had come
from TS_RESP_CTX_new().

Also the only way to set a digest is by accessing the structure directly. It
should be through an accessor function. Something like
TS_RESP_CTX_set_signer_md().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
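
The flags-field guard and accessor function suggested in the reply above, shown as an added example (not code from the patch or from OpenSSL). The demo_ctx_* types, DEMO_CTX_FROM_NEW and every function name are hypothetical stand-ins for a public struct that gains a field between library versions.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not OpenSSL's TS_RESP_CTX. */
typedef struct { int flags; const char *signer_key; } demo_ctx_v1; /* old header */
typedef struct {
    int flags;
    const char *signer_key;
    const char *signer_md;   /* field appended by the newer library */
} demo_ctx_v2;
#define DEMO_CTX_FROM_NEW 0x100   /* set only by the library's allocator */

/* Library allocator: always allocates the current, larger layout. */
demo_ctx_v2 *demo_ctx_new(void)
{
    demo_ctx_v2 *ctx = calloc(1, sizeof(*ctx));
    if (ctx != NULL)
        ctx->flags |= DEMO_CTX_FROM_NEW;
    return ctx;
}

/* Accessor: 1 if set, 0 if refused because the struct lacks the new field. */
int demo_ctx_set_signer_md(demo_ctx_v2 *ctx, const char *md)
{
    if (ctx == NULL || md == NULL || !(ctx->flags & DEMO_CTX_FROM_NEW))
        return 0;
    ctx->signer_md = md;
    return 1;
}

/* Reader: old-layout contexts keep the historical default digest. */
const char *demo_ctx_get_signer_md(const demo_ctx_v2 *ctx)
{
    if (ctx == NULL || !(ctx->flags & DEMO_CTX_FROM_NEW) || !ctx->signer_md)
        return "sha1";
    return ctx->signer_md;
}

/* An application built against the old header allocates the small struct
 * itself; the newer library must never touch signer_md on it. */
int old_app_set_md_is_refused(void)
{
    demo_ctx_v1 *old = calloc(1, sizeof(*old));
    int ok = old != NULL
        && demo_ctx_set_signer_md((demo_ctx_v2 *)old, "sha256") == 0
        && strcmp(demo_ctx_get_signer_md((demo_ctx_v2 *)old), "sha1") == 0;
    free(old);
    return ok;
}
```

Without the flag check, the write in the accessor would land past the end of the application's smaller allocation.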