subject:"\[openssl\-dev\] \[openssl.org #3922\] Bug\: EVP_get

[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

2016-06-13 Thread Rich Salz via RT

Ah, the endless confusion of cipher vs signature NID's :)

closing ticket.

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3922
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

2015-07-02 Thread David von Oheimb via RT

Thanks a lot Steve for your constructive comments.

 That's expected behaviour. The EVP_get_digestbynid funtion expects a digest 
 NID
 whereas you are passing a signature NID instead. It does accept some signature
 NIDs for historical compatibility reasons.

I now understand that the code I extended for EC support was abusing
EVP_get_digestbynid(), which worked just for compatibility reasons for
RSA (only). Yet why not broaden this function (or better its underlying
mapping) to handle ECDSA (and possibly any other types of) signatures.

 The thread you mention shows you how to convert a signature NID into the 
 digest
 and public key algorithm NID.

The hint you gave in that thread was to use  OBJ_find_sigid_algs()
and this indeed works fine and is cleaner :-)

 However I suspect you shouldn't be trying to do things at that level for
 signatures. If you need to sign or verify ASN.1 data you can use 
 ASN1_item_sign
 or ASN1_item_verify and key and digest handling and lookup is handled 
 automatically.

Good point that they better should have used a more high-level
signature/verification function. Yet the proposed functions, as well as
ASN1_sign and ASN1_verify, still require the (plain) md parameter.
And for instance the more abstract function
  int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
uses again
  md = EVP_get_digestbyobj(si-digest_alg-algorithm);
such that the use of OBJ_find_sigid_algs() appears indispensable.

David.


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

2015-06-23 Thread Stephen Henson via RT

On Mon Jun 22 20:07:43 2015, david.von.ohe...@siemens.com wrote:
 Hi OpenSSL maintainers,

 I tried checking the status of the EVP_get_digestbynid issue via
 http://rt.openssl.org/Install/index.html
 but the server appears currently misconfigured:
  Config file /etc/request-tracker4/RT_SiteConfig.pm is locked

 Yet I found an old conversation on this topic:
 http://openssl.6102.n7.nabble.com/Question-about-EVP-get-digestbynid-
 and-ECDSA-td28312.html

 With OpenSSL 1.0.2 one still gets NULL when giving ECDSA NIDs as
 input.
 Here is the workaround we currently use for EC support in
 CMPforOpenSSL:


That's expected behaviour. The EVP_get_digestbynid funtion expects a digest NID
whereas you are passing a signature NID instead. It does accept some signature
NIDs for historical compatibility reasons.

The thread you mention shows you how to convert a signature NID into the digest
and public key algorithm NID.

However I suspect you shouldn't be trying to do things at that level for
signatures. If you need to sign or verify ASN.1 data you can use ASN1_item_sign
or ASN1_item_verify and key and digest handling and lookup is handled
automatically.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

2015-06-22 Thread David von Oheimb via RT

Hi OpenSSL maintainers,

I tried checking the status of the EVP_get_digestbynid issue via
http://rt.openssl.org/Install/index.html
but the server appears currently misconfigured:
 Config file /etc/request-tracker4/RT_SiteConfig.pm is locked 

Yet I found an old conversation on this topic:
http://openssl.6102.n7.nabble.com/Question-about-EVP-get-digestbynid-and-ECDSA-td28312.html

With OpenSSL 1.0.2 one still gets NULL when giving ECDSA NIDs as input.
Here is the workaround we currently use for EC support in CMPforOpenSSL:

 const EVP_MD *extended_EVP_get_digestbynid(int nid) {
 switch (nid) {
 case  NID_ecdsa_with_SHA1:
 return EVP_sha1();
 case  NID_ecdsa_with_SHA224:
 return EVP_sha224();
 case  NID_ecdsa_with_SHA256:
 return EVP_sha256();
 case  NID_ecdsa_with_SHA384:
 return EVP_sha384();
 case  NID_ecdsa_with_SHA512:
 return EVP_sha512();
 default:
 return EVP_get_digestbynid(nid);
   }
 }

I just commented on this issue also at
https://sourceforge.net/p/cmpforopenssl/bugs/14/

Regards,
David

--
+---+
|  Dr. David von OheimbSenior Key Expert Research Scientist|
|  Siemens CT RTC ITS SEA-DE   Phone: +49 89 636 41173 |
|  Otto-Hahn-Ring 6Fax  : +49 89 636 48000 |
|  D-81739 München, GermanyEMail: david.von.ohe...@siemens.com |
|  http://scd.siemens.de/db4/lookUp?tcgid=Z000ECRO   http://ddvo.net/  |
+--+

___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

Re: [openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

[openssl-dev] [openssl.org #3922] Bug: EVP_get_digestbynid() does not support ECDSA

4 matches

Site Navigation

Mail list logo

Footer information