Use X509_get_signature_info to get signature strength.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3585)

1 files changed, 8 insertions, 9 deletions

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 3c5e155066..9112a0c492 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2203,20 +2203,19 @@ static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
 static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
 {
     /* Lookup signature algorithm digest */
-    int secbits = -1, md_nid = NID_undef, sig_nid;
+    int secbits, nid, pknid;
     /* Don't check signature if self signed */
     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
         return 1;
-    sig_nid = X509_get_signature_nid(x);
-    if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) {
-        const EVP_MD *md;
-        if (md_nid && (md = EVP_get_digestbynid(md_nid)))
-            secbits = EVP_MD_size(md) * 4;
-    }
+    if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL))
+        secbits = -1;
+    /* If digest NID not defined use signature NID */
+    if (nid == NID_undef)
+        nid = pknid;
     if (s)
-        return ssl_security(s, op, secbits, md_nid, x);
+        return ssl_security(s, op, secbits, nid, x);
     else
-        return ssl_ctx_security(ctx, op, secbits, md_nid, x);
+        return ssl_ctx_security(ctx, op, secbits, nid, x);
 }
 
 int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)