author | Michael Baentsch <info@baentsch.ch> | 2022-02-18 14:10:04 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-03-03 13:30:45 +0100 |
commit | d15d561844d8989e50896724d89681ae7ba81a74 (patch) | |
tree | 1dcd82903c4fb4e85d36d3929a41dc8a77207c16 /crypto/objects | |
parent | 13ba91cb02479a91b0743d2bf5f5ec7ce42860d0 (diff) |
enable CMS sign/verify for provider-implemented PKEYs
We need to handle signatures with and without digest algs
and we generalize the ossl_cms_ecdsa_dsa_sign() function
to other algorithms that are handled in the same way.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17733)
Diffstat (limited to 'crypto/objects')
-rw-r--r-- | crypto/objects/obj_xref.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/crypto/objects/obj_xref.c b/crypto/objects/obj_xref.c index 8b4980d5b5..fc870c5691 100644 --- a/crypto/objects/obj_xref.c +++ b/crypto/objects/obj_xref.c @@ -36,7 +36,14 @@ static int sigx_cmp(const nid_triple *const *a, const nid_triple *const *b) int ret; ret = (*a)->hash_id - (*b)->hash_id; - if (ret != 0) + /* The "b" side of the comparison carries the algorithms already + * registered. A NID_undef for 'hash_id' there means that the + * signature algorithm doesn't need a digest to operate OK. In + * such case, any hash_id/digest algorithm on the test side (a), + * incl. NID_undef, is acceptable. signature algorithm NID + * (pkey_id) must match in any case. + */ + if ((ret != 0) && ((*b)->hash_id != NID_undef)) return ret; return (*a)->pkey_id - (*b)->pkey_id; } |
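Review bot: The new condition "if ((ret != 0) && ((*b)->hash_id != NID_undef))" makes sigx_cmp asymmetric, because only b's hash_id is tested for NID_undef and swapping the arguments can change the result. The comment says b is the registered side, but nothing in the function enforces that, so the wildcard behaviour depends on every caller, and on any search or sort routine that is handed this comparator, passing the lookup key as a and the table entry as b. If the same function is also used to order the table, an entry with hash_id NID_undef compares equal to entries with the same pkey_id and any other hash_id, which is not a consistent ordering. Consider keeping sigx_cmp a strict comparator and doing the NID_undef wildcard match in a separate lookup step, or at least stating the argument-order requirement at the function header. Since a registered NID_undef entry now accepts any digest NID on the lookup side, it would also help to note where the caller ignores or rejects the supplied digest in that case. Minor: the comment's last sentence ("signature algorithm NID (pkey_id) must match in any case.") should start with a capital letter.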