diff options
| author | Matt Caswell <matt@openssl.org> | 2019-08-30 14:33:10 +0200 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2019-09-09 14:52:26 +0200 |
| commit | dfcb5d29b525f5d2b6bd80602dca5efe5fca77bb (patch) | |
| tree | 2cfb247b0ec70de547f7d376a090e57727d49771 /crypto/pkcs7 | |
| parent | DH_check_pub_key_ex was accidentally calling DH_check, (diff) | |
| download | openssl-dfcb5d29b525f5d2b6bd80602dca5efe5fca77bb.tar.xz openssl-dfcb5d29b525f5d2b6bd80602dca5efe5fca77bb.zip | |
Add the ability to perform signatures in a provider
This makes EVP_PKEY_sign and EVP_PKEY_sign_init provider aware. It
also introduces the new type EVP_SIGNATURE to represent signature
algorithms. This also automatically makes the EVP_Sign* APIs provider
aware because they use EVP_Digest* (which is already provider aware)
and EVP_PKEY_sign(_init) under the covers.
At this stage there are no signature algorithms in any providers. That
will come in the following commits.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)
Diffstat (limited to 'crypto/pkcs7')
| -rw-r--r-- | crypto/pkcs7/pk7_doit.c | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 38277095ad..cc09bbf1f2 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -834,11 +834,29 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0) goto err; + /* + * TODO(3.0): This causes problems when providers are in use, so disabled + * for now. Can we get rid of this completely? AFAICT this ctrl has never + * been used since it was first put in. All internal implementations just + * return 1 and ignore this ctrl and have always done so by the looks of + * things. To fix this we could convert this ctrl into a param, which would + * require us to send all the signer info data as a set of params...but that + * is non-trivial and since this isn't used by anything it may be better + * just to remove it. The original commit that added it had this + * justification in CHANGES: + * + * "During PKCS7 signing pass the PKCS7 SignerInfo structure to the + * EVP_PKEY_METHOD before and after signing via the + * EVP_PKEY_CTRL_PKCS7_SIGN ctrl. It can then customise the structure + * before and/or after signing if necessary." + */ +#if 0 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0) { PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR); goto err; } +#endif alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr, &abuf, ASN1_ITEM_rptr(PKCS7_ATTR_SIGN)); @@ -856,11 +874,29 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) if (EVP_DigestSignFinal(mctx, abuf, &siglen) <= 0) goto err; + /* + * TODO(3.0): This causes problems when providers are in use, so disabled + * for now. Can we get rid of this completely? AFAICT this ctrl has never + * been used since it was first put in. All internal implementations just + * return 1 and ignore this ctrl and have always done so by the looks of + * things. To fix this we could convert this ctrl into a param, which would + * require us to send all the signer info data as a set of params...but that + * is non-trivial and since this isn't used by anything it may be better + * just to remove it. The original commit that added it had this + * justification in CHANGES: + * + * "During PKCS7 signing pass the PKCS7 SignerInfo structure to the + * EVP_PKEY_METHOD before and after signing via the + * EVP_PKEY_CTRL_PKCS7_SIGN ctrl. It can then customise the structure + * before and/or after signing if necessary." + */ +#if 0 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0) { PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR); goto err; } +#endif EVP_MD_CTX_free(mctx); |