authorPetr Gotthard <petr.gotthard@centrum.cz>2021-04-24 12:40:36 +0200
committerDmitry Belyavskiy <beldmit@gmail.com>2021-04-30 21:02:59 +0200
commit91034b68b39e3525f09fb263b9272de410a3ba4c (patch)
tree1594bb987f08265e80328f491f11fc4f1c5551ca /apps/lib/apps.c
parent4489655c23f1f7f412309e25a5b9fd7acf7db3f2 (diff)
apps/ca,req,x509: Switch to EVP_DigestSignInit_ex
Switch lib/apps.c do_sign_init() to use EVP_DigestSignInit_ex, so it works with external providers. Since EVP_DigestSignInit_ex requires a digest name instead of an EVP_MD pointer, the apps using do_sign_init() had to be modified to pass char* instead of EVP_MD*. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/15014)
Diffstat (limited to 'apps/lib/apps.c')
-rw-r--r--apps/lib/apps.c20
1 files changed, 11 insertions, 9 deletions
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index d715e25ff1..bfea59bdc8 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2152,23 +2152,25 @@ static int do_x509_req_init(X509_REQ *x, STACK_OF(OPENSSL_STRING) *opts)
}
static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
- const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
+ const char *md, STACK_OF(OPENSSL_STRING) *sigopts)
{
EVP_PKEY_CTX *pkctx = NULL;
- int def_nid;
+ char def_md[80];
if (ctx == NULL)
return 0;
/*
- * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is mandatory
+ * EVP_PKEY_get_default_digest_name() returns 2 if the digest is mandatory
* for this algorithm.
*/
- if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) == 2
- && def_nid == NID_undef) {
+ if (EVP_PKEY_get_default_digest_name(pkey, def_md, sizeof(def_md)) == 2
+ && strcmp(def_md, "UNDEF") == 0) {
/* The signing algorithm requires there to be no digest */
md = NULL;
}
- return EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey)
+
+ return EVP_DigestSignInit_ex(ctx, &pkctx, md, app_get0_libctx(),
+ app_get0_propq(), pkey, NULL)
&& do_pkey_ctx_init(pkctx, sigopts);
}
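Review bot: The added `strcmp(def_md, "UNDEF") == 0` test and the `char def_md[80]` declaration introduce two unexplained constants: "UNDEF" is presumably the short name EVP_PKEY_get_default_digest_name() writes for a key whose default digest is NID_undef, and 80 is the caller-chosen bound the name is truncated to, neither of which a later reader can verify from this function. A comment above the if would settle it, e.g. `/* "UNDEF" is the name returned for NID_undef: the key mandates that no digest be used */`. def_md is only read when the call returned 2, so the buffer being uninitialized on failure is harmless today, but `char def_md[80] = "";` would make that independent of the short-circuit order. Because the digest now reaches the provider as a name rather than an EVP_MD, a name no provider can fetch is first detected inside EVP_DigestSignInit_ex(), which the existing `&&` chain already propagates as 0 to the caller.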
@@ -2201,7 +2203,7 @@ static int adapt_keyid_ext(X509 *cert, X509V3_CTX *ext_ctx,
}
/* Ensure RFC 5280 compliance, adapt keyIDs as needed, and sign the cert info */
-int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx)
{
const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert);
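Review bot: do_X509_sign(), and likewise do_X509_REQ_sign() and do_X509_CRL_sign() in the two following hunks, now take `const char *md`, but the header comment does not say what the string is or what NULL means, so the contract change from EVP_MD pointer to name is silent for callers. Suggest extending the comment above each signature: `/* md is a digest name as accepted by EVP_DigestSignInit_ex(), or NULL to let the key select its default digest */`. The body of do_X509_sign continues outside the hunk.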
@@ -2240,7 +2242,7 @@ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md,
}
/* Sign the certificate request info */
-int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts)
{
int rv = 0;
@@ -2253,7 +2255,7 @@ int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
}
/* Sign the CRL info */
-int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts)
{
int rv = 0;