Ignore the digest in req app if using EdDSA (f112dc82) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

apps/req.c

+10 −1

Original line number	Diff line number	Diff line
		@@ -1601,10 +1601,19 @@ static int do_sign_init(EVP_MD_CTX ctx, EVP_PKEY pkey,
		const EVP_MD md, STACK_OF(OPENSSL_STRING) sigopts)
		{
		EVP_PKEY_CTX *pkctx = NULL;
		int i;
		int i, def_nid;

		if (ctx == NULL)
		return 0;
		/*
		* EVP_PKEY_get_default_digest_nid() returns 2 if the digest is mandatory
		* for this algorithm.
		*/
		if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) == 2
		&& def_nid == NID_undef) {
		/* The signing algorithm requires there to be no digest */
		md = NULL;
		}
		if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
		return 0;
		for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {

+5 −5

Original line number	Diff line number	Diff line
		@@ -209,7 +209,7 @@ the configuration file.

		Some public key algorithms may override this choice. For instance, DSA
		signatures always use SHA1, GOST R 34.10 signatures always use
		GOST R 34.11-94 (B<-md_gost94>).
		GOST R 34.11-94 (B<-md_gost94>), Ed25519 and Ed448 never use any digest.

		=item B<-config filename>

		@@ -394,10 +394,10 @@ option. For compatibility B<encrypt_rsa_key> is an equivalent option.

		=item B<default_md>

		This option specifies the digest algorithm to use.
		Any digest supported by the OpenSSL B<dgst> command can be used.
		If not present then MD5 is used.
		This option can be overridden on the command line.
		This option specifies the digest algorithm to use. Any digest supported by the
		OpenSSL B<dgst> command can be used. This option can be overridden on the
		command line. Certain signing algorithms (i.e. Ed25519 and Ed448) will ignore
		any digest that has been set.

		=item B<string_mask>