How to define/change "Signature Algorithm"?

How to define/change "Signature Algorithm"?

Ben Wailea, openssl-users
In openssl.cnf, I've set:

        [ CA_default ]
        ...
        default_md = sha512
        ...

For RSA request generation, my cert reqs report:

        ...
        message digest is sha512
        ...
        Signature Algorithm: sha1WithRSAEncryption
        ...

For EC request generation, my cert reqs report:

        ...
        message digest is sha512
        ...
        Signature Algorithm: ecdsa-with-SHA1
        ...

Where/how are these 'Signature Algorithms' defined?

For EC, e.g., I've found only:

        grep ecdsa-with- ./crypto/objects/objects.txt -B2
                !Alias id-ecSigType ansi-X9-62 4
                !global
                X9-62_id-ecSigType 1 : ecdsa-with-SHA1

but I am not at all certain what that restricts/allows.

Is it possible to define other (SHA512, SHA256, etc)
SignatureAlgorithms for use?

Thanks,

Ben
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: How to define/change "Signature Algorithm"?

Larry Bugbee-2
> Is it possible to define other (SHA512, SHA256, etc)
> SignatureAlgorithms for use?

Yes, if you use 0.9.9-dev.  Take a look at ftp.openssl.org.  (Cert  
sigs using 0.9.8 always used SHA-1 regardless of how I attempted to  
specify SHA-256 etc.)

Re: How to define/change "Signature Algorithm"?

Ben Wailea, openssl-users
On Fri, Aug 15, 2008 at 8:15 PM, Larry Bugbee <[hidden email]> wrote:
>> Is it possible to define other (SHA512, SHA256, etc)
>> SignatureAlgorithms for use?
>
> Yes, if you use 0.9.9-dev.  Take a look at ftp.openssl.org.  (Cert sigs
> using 0.9.8 always used SHA-1 regardless of how I attempted to specify
> SHA-256
> etc.)

Actually, I think I stumbled on the solution -- with 'just'

  openssl version
    OpenSSL 0.9.8g 19 Oct 2007

Seems the 'openssl req ...' step for cert signing ignores the settings
in openssl.cnf. At least, I have not found a setting that it does
grab.

But, if in that original cert signing I specify,

        openssl req \
        -new -newkey rsa \
        -x509 \
--> -sha512 \
        ...

then the cert picks that up, and I get the desired,

openssl x509 -noout -text -in ca.crt | grep Signature
        Signature Algorithm: sha512WithRSAEncryption

Not terribly clear to me in the docs.
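The procedure Ben arrives at (pass the digest on the `openssl req` command line, then read back what the certificate actually carries) as a self-contained script. This is an added example, not code from the thread or from the OpenSSL project. It assumes a working `openssl` binary in PATH; the subject name, key sizes and curve are constructed placeholders. One related fact worth knowing, since it explains Ben's original puzzle: `openssl req` reads `default_md` from the `[req]` section of the config file, not from `[CA_default]`, which only `openssl ca` consults. The command-line `-sha512` / `-sha256` flag overrides either.

```shell
#!/bin/sh
# Added example: self-sign an RSA and an EC certificate with an explicit
# digest on the 'openssl req' command line, then report the Signature
# Algorithm that ended up in the certificate. Everything is written to a
# scratch directory that is removed on exit.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed placeholder subject; no real identity is implied.
SUBJ="/CN=signature-algorithm-example"

# sig_alg_of <cert.pem>: print the value of the first 'Signature Algorithm:'
# line that 'openssl x509 -text' reports. The line appears twice in the
# output (once in the TBSCertificate, once before the signature value);
# both carry the same algorithm, so the first one is enough.
sig_alg_of() {
  openssl x509 -noout -text -in "$1" \
    | sed -n 's/^ *Signature Algorithm: *//p' \
    | head -n 1
}

# make_rsa_cert <digest> <out.pem>: self-signed RSA cert, digest given as
# e.g. 'sha512' so the flag becomes '-sha512' exactly as in the thread.
make_rsa_cert() {
  openssl req -new -newkey rsa:2048 -nodes -x509 -days 1 \
    -"$1" -subj "$SUBJ" \
    -keyout "$WORK/rsa.key" -out "$2" 2>/dev/null
}

# make_ec_cert <digest> <out.pem>: same for an EC key on P-256; the
# resulting algorithm is reported as ecdsa-with-<DIGEST>.
make_ec_cert() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -x509 -days 1 \
    -"$1" -subj "$SUBJ" \
    -keyout "$WORK/ec.key" -out "$2" 2>/dev/null
}

# check_sig_alg <cert.pem> <expected>: exit 0 if the certificate carries the
# expected signature algorithm, 1 otherwise. Useful as a post-issuance
# check so that a SHA-1 signed certificate does not slip out unnoticed.
check_sig_alg() {
  actual="$(sig_alg_of "$1")"
  if [ "$actual" = "$2" ]; then
    echo "$1: $actual (ok)"
    return 0
  fi
  echo "$1: got '$actual', expected '$2'" >&2
  return 1
}

# Usage when run directly:
#   make_rsa_cert sha512 "$WORK/rsa.crt" && check_sig_alg "$WORK/rsa.crt" sha512WithRSAEncryption
#   make_ec_cert  sha256 "$WORK/ec.crt"  && check_sig_alg "$WORK/ec.crt"  ecdsa-with-SHA256
```

`check_sig_alg` is the piece to keep around: a CA pipeline that compares the issued certificate against the digest it intended to use catches a misplaced `default_md` long before a client rejects the SHA-1 signature.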