-
-
Notifications
You must be signed in to change notification settings - Fork 11.1k
Description
The X509 signing still relies on some legacy (non xx_ex) functions, so the digest/signature algorithm selection does not follow the given propq. This can be tracked down to the following:
-
The
openssl reqdoesn't pass libctx/propq when signing the X509 CSR. It even cannot (see next item). -
There is no
X509_sign_exwith libctx/propq support. -
The
ASN1_item_sign_exis "half-migrated" only. It takes libctx/propq (which is good), but it also takesEVP_MDas input and callsEVP_DigestSignInit(without passing the libctx/propq). In my view, theASN1_item_sign_exshould take aconst char*digest name instead and callEVP_DigestSignInit_ex, which already exists and takes also libctx/propq. This ensures the correct cipher selection, which then manages the digest.