Allow the ca application to use EdDSA

Using the ca application to sign certificates with EdDSA failed because it is not possible to set the digest to "null". This adds the capability and updates the documentation accordingly. Fixes #6201 Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6286)

Allow the ca application to use EdDSA
Using the ca application to sign certificates with EdDSA failed because it is not possible to set the digest to "null". This adds the capability and updates the documentation accordingly. Fixes #6201 Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6286)
f3021aca · Matt Caswell · 8a59c085 · f3021aca · f3021aca · f3021aca
隐藏空白更改
内联并排

Showing with 16 addition and 11 deletion

apps/ca.c apps/ca.c +13 -9

crypto/ec/ecx_meth.c crypto/ec/ecx_meth.c +1 -1

doc/man1/ca.pod doc/man1/ca.pod +2 -1

未找到文件。
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -735,17 +735,21 @@ end_of_options:
    if (md == NULL && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL)
        goto end;

-    if (strcmp(md, "default") == 0) {
-        int def_nid;
-        if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
-            BIO_puts(bio_err, "no default digest\n");
-            goto end;
+    if (strcmp(md, "null") == 0) {
+        dgst = EVP_md_null();
+    } else {
+        if (strcmp(md, "default") == 0) {
+            int def_nid;
+            if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
+                BIO_puts(bio_err, "no default digest\n");
+                goto end;
+            }
+            md = (char *)OBJ_nid2sn(def_nid);
        }
-        md = (char *)OBJ_nid2sn(def_nid);
-    }

-    if (!opt_md(md, &dgst)) {
-        goto end;
+        if (!opt_md(md, &dgst)) {
+            goto end;
+        }
    }

    if (req) {

--- a/crypto/ec/ecx_meth.c
+++ b/crypto/ec/ecx_meth.c
@@ -778,7 +778,7 @@ static int pkey_ecd_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
    switch (type) {
    case EVP_PKEY_CTRL_MD:
        /* Only NULL allowed as digest */
-        if (p2 == NULL)
+        if (p2 == NULL || (const EVP_MD *)p2 == EVP_md_null())
            return 1;
        ECerr(EC_F_PKEY_ECD_CTRL, EC_R_INVALID_DIGEST_TYPE);
        return 0;

--- a/doc/man1/ca.pod
+++ b/doc/man1/ca.pod
@@ -184,7 +184,8 @@ The number of days to certify the certificate for.
 =item B<-md alg>

 The message digest to use.
-Any digest supported by the OpenSSL B<dgst> command can be used.
+Any digest supported by the OpenSSL B<dgst> command can be used. If the signing
+key is using Ed25519 or Ed448 then you should specify "null" for the digest.
 This option also applies to CRLs.

 =item B<-policy arg>