
Dynamically Selecting Signing Algorithm in OpenSSL


I am creating an Android app which can perform basic email security operations like encryption, decryption, signing and verification. So far I am able to perform all 4 operations successfully. But one thing I still haven't figured out is how to specify the signing algorithm at runtime.

I mean I want to have a drop-down list from which the user can select the signing algorithm.

I know how to do this in case of encryption. But for signing we are not specifying any algorithm in the PKCS7_sign function call. So how do I mention which signing algorithm I should use while signing the mail?

Thanks in advance!


Solution

  • But for signing we are not specifying any algorithm in the PKCS7_sign function call. So how do I mention which signing algorithm I should use while signing the mail?

    Try PKCS7_add_signature. From <openssl dir>/crypto/pkcs7/pkcs7.h:

    PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509,
                                           EVP_PKEY *pkey, const EVP_MD *dgst);
    

    The implementation is in pk7_lib.c, which can be found at <openssl dir>/crypto/pkcs7/pk7_lib.c. There's not much to the function. It looks like the heavy lifting is done by PKCS7_SIGNER_INFO_set.

    It's used in a few places in the library. There is no demo in apps/:

    $ cd openssl-1.0.1h
    $ grep -R PKCS7_add_signature *
    crypto/pkcs7/enc.c: if (PKCS7_add_signature(p7,x509,pkey,EVP_sha1()) == NULL) goto err;
    crypto/pkcs7/pk7_lib.c:PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
    crypto/pkcs7/pk7_smime.c:       if (!(si = PKCS7_add_signature(p7,signcert,pkey, md)))
    crypto/pkcs7/pkcs7.h:PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509,
    crypto/pkcs7/pkcs7err.c:{ERR_FUNC(PKCS7_F_PKCS7_ADD_SIGNATURE), "PKCS7_add_signature"},
    crypto/pkcs7/sign.c:    si=PKCS7_add_signature(p7,x509,pkey,EVP_sha1());
    crypto/ts/ts_rsp_sign.c:        if (!(si = PKCS7_add_signature(p7, ctx->signer_cert, 
    

    The openssl cms command should allow you to work from the command line. See "openssl smime ... [-md digest] ..." seems to be unknown option on the last version openssl. It's a bit old, but it should still hold.
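
The command-line route mentioned in the answer, as an added example that is not part of the original answer: the user's menu choice is mapped through an allow-list before it reaches `openssl cms -sign -md`, and the digest actually recorded in the output is read back with `openssl asn1parse`. The function names and the choice to accept only SHA-2 digests (rejecting MD5 and SHA-1) are assumptions of this example.

```shell
#!/bin/sh
# Added example: runtime digest selection for CMS/S-MIME signing.
# Function names are hypothetical; the SHA-2-only allow-list is an assumption.

# Map the user's drop-down choice to a digest name accepted by `-md`.
# Anything else (md5, sha1, typos, strings carrying extra options) is rejected,
# so user input never reaches the openssl command line unfiltered.
select_digest() {
    case "$1" in
        sha256|SHA256|SHA-256) echo sha256 ;;
        sha384|SHA384|SHA-384) echo sha384 ;;
        sha512|SHA512|SHA-512) echo sha512 ;;
        *) return 1 ;;
    esac
}

# sign_mail CHOICE CERT KEY INFILE OUTFILE
# Produces a DER-encoded CMS SignedData signed with the selected digest.
sign_mail() {
    md=$(select_digest "$1") || {
        echo "unsupported digest: $1" >&2
        return 2
    }
    openssl cms -sign -md "$md" -signer "$2" -inkey "$3" \
        -in "$4" -out "$5" -outform DER
}

# signed_digest FILE
# Prints the first digest name found in the structure. In SignedData the
# digestAlgorithms set precedes the certificates and signer infos, so the
# first hit is the message digest, not the certificate's own signature hash.
signed_digest() {
    openssl asn1parse -inform DER -in "$1" |
        grep -o -m1 -E 'sha(1|224|256|384|512)|md5'
}
```

Checking the output with `signed_digest` after signing confirms that the digest in the message is the one the user picked rather than a library default.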