On Fri, Sep 12, 2014, Francis GASCHET wrote:

> Hello,
>
> From the man page, it looks like signing packages always use SHA1,
> and there is no argument to pkcs7_sign and cms_sign functions which
> would allow to choose the algorithm.
> Maybe I missed something... Or is there some method to sign with
> another hash algorithm?
>

CMS_sign() does use the default digest only. The cms application can use a
different digest though. You can do the same: it's slightly more complex but
not difficult.

In outline you do this:

Call CMS_sign(), set the private key argument to NULL and include the flag
CMS_PARTIAL (if you don't already). This just initialises the structure
without actually signing anything.

Add the signer(s) using CMS_add1_signer(): you can specify the digest
algorithm to use with this call. You can add multiple signers using
different digest algorithms here.

If you're streaming call SMIME_write_CMS() as normal. If not call CMS_final()
which will finalise the structure and you can then write it out. This
finalises the structures and performs the content digesting and signing.

There is an example of this for two signers (but which doesn't use a different
digest) in demos/cms/cms_sign2.c

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org