On Tue, 2023-08-29 at 13:56 -0600, Dr. Pala wrote:
> Hello OpenSSL Community,
> this might be a "newbie" question related to the 3.x providers
> architecture, but I am having some issues understanding where the
> signature OID should be actually set when generating a new signature.
> Similarly, when validating signatures, which are the functions that
> are supposed to check / use the signature OIDs and parameters?
> For example, are these the functions where you are supposed to set
> the signature OIDs (sign/digest sign)?
> * OSSL_FUNC_signature_sign_init_fn
> * OSSL_FUNC_signature_sign_fn
> * OSSL_FUNC_signature_digest_sign_init_fn
> * OSSL_FUNC_signature_digest_sign_fn
> or maybe it is done through the signature ctx params?
> * OSSL_FUNC_signature_set_ctx_params
> * OSSL_FUNC_signature_settable_ctx_params
> or, again, this is the more appropriate set of functions?
> * OSSL_FUNC_signature_set_ctx_md_params
> * OSSL_FUNC_signature_settable_ctx_md_params
> If I understand the documentation here:
> * https://www.openssl.org/docs/man3.1/man7/provider-signature.html
> The "algorithm-id" and the "digest" can be set/get via the
> OSSL_FUNC_signature_gettable_ctx_params() and
> OSSL_FUNC_signature_settable_ctx_params() where, I guess, you use the
> context to save/get the algorithm(s)... but where can I get the
> pointer to the X509_ALGOR to get/set OIDs and parameter(s)?
> Thanks,
> Max

The algorithm-id parameter is gettable only. I.e. the application is supposed to get the algorithm-id in the DER encoded form by using EVP_PKEY_CTX_get_params() which in turn calls the get_ctx_params function from your provider.

Generating the algorithm-id is a responsibility of your provider based on the algorithm parameters set by the application. You can look at the existing provider code for an inspiration.

https://github.com/openssl/openssl/tree/master/providers/common/der

--
Tomáš Mráz, OpenSSL