-rw-r--r-- | apps/req.c | 11 | ||||
-rw-r--r-- | doc/man1/req.pod | 10 |
2 files changed, 15 insertions, 6 deletions
diff --git a/apps/req.c b/apps/req.c
index 48f3a3ab98..08a1468ef4 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -1601,10 +1601,19 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) { EVP_PKEY_CTX *pkctx = NULL;
- int i;
+ int i, def_nid;
 if (ctx == NULL) return 0;
+ /*
+ * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is mandatory
+ * for this algorithm.
+ */
+ if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) == 2
+ && def_nid == NID_undef) {
+ /* The signing algorithm requires there to be no digest */
+ md = NULL;
+ }
 if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey)) return 0; for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
diff --git a/doc/man1/req.pod b/doc/man1/req.pod
index db467bba17..51f3ec4494 100644
--- a/doc/man1/req.pod
+++ b/doc/man1/req.pod
@@ -209,7 +209,7 @@ the configuration file. Some public key algorithms may override this choice. For instance, DSA signatures always use SHA1, GOST R 34.10 signatures always use
-GOST R 34.11-94 (B<-md_gost94>).
+GOST R 34.11-94 (B<-md_gost94>), Ed25519 and Ed448 never use any digest.
 =item B<-config filename>
@@ -394,10 +394,10 @@ option. For compatibility B<encrypt_rsa_key> is an equivalent option. =item B<default_md>
-This option specifies the digest algorithm to use.
-Any digest supported by the OpenSSL B<dgst> command can be used.
-If not present then MD5 is used.
-This option can be overridden on the command line.
+This option specifies the digest algorithm to use. Any digest supported by the
+OpenSSL B<dgst> command can be used. This option can be overridden on the
+command line. Certain signing algorithms (i.e. Ed25519 and Ed448) will ignore
+any digest that has been set.
 =item B<string_mask> |
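Review bot: The new check in do_sign_init() replaces `md` only when the mandatory default is `NID_undef`; when EVP_PKEY_get_default_digest_nid() returns 2 together with a real digest NID, a conflicting caller-supplied `md` still reaches EVP_DigestSignInit() unchanged, so enforcing that mandatory digest is left to that call, whose behaviour this hunk does not show. The `md = NULL` branch also drops a digest the user may have asked for explicitly without any diagnostic; a notice on the error stream, or at least a comment such as `/* a digest requested on the command line or via default_md is deliberately ignored */`, would make that visible to someone auditing how a request was signed. `def_nid` is only read after the `== 2` test succeeds, so the short-circuit is what keeps it from being read uninitialised on a failure return; declaring it as `int i, def_nid = NID_undef;` would remove the dependence on operand order. The body of do_sign_init() continues past the end of the hunk.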