authorMichael Baentsch <info@baentsch.ch>2022-02-18 14:10:04 +0100
committerTomas Mraz <tomas@openssl.org>2022-03-03 13:30:45 +0100
commitd15d561844d8989e50896724d89681ae7ba81a74 (patch)
tree1dcd82903c4fb4e85d36d3929a41dc8a77207c16 /crypto/objects
parent13ba91cb02479a91b0743d2bf5f5ec7ce42860d0 (diff)
enable CMS sign/verify for provider-implemented PKEYs
We need to handle signatures with and without digest algs and we generalize the ossl_cms_ecdsa_dsa_sign() function to other algorithms that are handled in the same way. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17733)
Diffstat (limited to 'crypto/objects')
-rw-r--r--crypto/objects/obj_xref.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/crypto/objects/obj_xref.c b/crypto/objects/obj_xref.c
index 8b4980d5b5..fc870c5691 100644
--- a/crypto/objects/obj_xref.c
+++ b/crypto/objects/obj_xref.c
@@ -36,7 +36,14 @@ static int sigx_cmp(const nid_triple *const *a, const nid_triple *const *b)
int ret;
ret = (*a)->hash_id - (*b)->hash_id;
- if (ret != 0)
+ /* The "b" side of the comparison carries the algorithms already
+ * registered. A NID_undef for 'hash_id' there means that the
+ * signature algorithm doesn't need a digest to operate OK. In
+ * such case, any hash_id/digest algorithm on the test side (a),
+ * incl. NID_undef, is acceptable. signature algorithm NID
+ * (pkey_id) must match in any case.
+ */
+ if ((ret != 0) && ((*b)->hash_id != NID_undef))
return ret;
return (*a)->pkey_id - (*b)->pkey_id;
}
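Review bot: The new condition on the `if` makes `sigx_cmp` asymmetric: when only the `b` side has `hash_id == NID_undef` and the `pkey_id`s match, `sigx_cmp(a, b)` returns 0 while `sigx_cmp(b, a)` returns non-zero, so it is no longer a consistent ordering. If this comparator also sorts the table or drives a binary search (the callers are outside this hunk, as are the function's signature and opening brace), entries are still ordered by `hash_id` first, so a key with a real digest NID may never be compared against the `NID_undef` entry, and which element ends up on the `b` side is up to the search routine. I would keep `if (ret != 0) return ret;` here and put the fallback in the lookup path, retrying with the key's `hash_id` set to `NID_undef` only when the exact search fails. Since the result decides which signature algorithm a (digest, pkey) pair resolves to for CMS sign/verify, that fallback deserves a test with both a digest-less and a digest-bound entry registered for the same `pkey_id`.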