That works, for both 1.1.1 and 1.0.2. Thanks.

So I can do some spring cleaning and remove that particular #ifdef altogether...

Regards,
Andrew.

-----Original Message-----
From: Tomas Mraz <tomas@xxxxxxxxxxx>
Sent: Saturday, 11 February 2023 14:24
To: Andrew Lynch <andrew.lynch@xxxxxxxx>; openssl-users@xxxxxxxxxxx
Subject: Re: OpenSSL 1.1.1: How to get signature algorithm id? (no EVP_MD_FLAG_PKEY_METHOD_SIGNATURE)

You can use OBJ_find_sigid_by_algs() and pass the EVP_PKEY_base_id(pkey) and EVP_MD_type(md) values to it. It should find the signature algorithm id.

Tomas Mraz, OpenSSL

On Thu, 2023-02-09 at 15:21 +0000, Andrew Lynch via openssl-users wrote:
> Hi,
>
> I have some old code that determines the signature algorithm OID given
> a combination of EVP_PKEY *pkey and EVP_MD *digest. It contains an
> #ifdef EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. If true, it uses
> OBJ_find_sigid_by_algs() with the digest and pkey->ameth->pkey_id
> to get the OID. The else case uses EVP_MD_pkey_type() with
> only the digest.
>
> Given an ECDSA pkey and a SHA256 digest the application using OpenSSL
> 1.0.2 outputs the expected ecdsa-with-SHA256. With OpenSSL 1.1.1 it
> incorrectly outputs sha256WithRSAEncryption.
>
> OpenSSL 1.0.2 has the flag defined whereas it does not exist at all in
> 1.1.1. As EVP_MD_pkey_type() only has the digest to work with it will
> always return NID_sha256WithRSAEncryption regardless of the type of
> EVP_PKEY that is actually used with the digest to create a signature.
>
> Which API calls can I use in OpenSSL 1.1.1 to get the correct
> signature algorithm id given some combination of EVP_PKEY and EVP_MD?
>
> Regards,
> Andrew.
>

--
Tomáš Mráz, OpenSSL