2

I'm implementing hashing (aka. digest) and signing in an app that uses the OpenSSL EVP API. However the API has three very similar methods, which are confusing:

  • Sign which sounds like it should be used for signing, however EVP_SignInit is simply a #define to EVP_DigestInit
  • Digest which seems like it can only be used for hash generation, there is no way to specify an EVP_PKEY.
  • DigestSign which looks like it does both the hashing and the signing.

But the documentation recommends to use DigestSign for signing (and not the actual Sign).

I'm not a cryptography expert, so this is very confusing to me. What is the difference between them? Which one is a good choice for implementing signing?

Venemo

1 Answer

1

The following can be found in the documentation for EVP_SignInit:

> Since the private key is passed in the call to EVP_SignFinal() any error relating to the private key (for example an unsuitable key and digest combination) will not be indicated until after potentially large amounts of data have been passed through EVP_SignUpdate().
>
> It is not possible to change the signing parameters using these function.
>
> The previous two bugs are fixed in the newer EVP_SignDigest() function.

Note: I copied this verbatim, the functions are called EVP_DigestSign not EVP_SignDigest.

So it is a replacement function for two bugs that couldn't be amended by the previous API. Of course you'd want to have the old API to be there and behave the same way for backward compatibility.

So the old API didn't adhere to the principles of fail fast or least surprise; you don't want to crash after hashing the message because a bad scheme is used: the scheme to use is generally established beforehand.

Community
Maarten Bodewes
  • So if I understand correctly, `DigestSign` is the new API? There is no `SignDigest`. – Venemo Apr 13 '18 at 07:38
  • Yeah. Sorry about the typo, but I didn't make it, I copied it verbatim. – Maarten Bodewes Apr 13 '18 at 08:47
  • One more question: what exactly does `DigestSign` do? First calculate a digest and then sign it? Or...? – Venemo Apr 13 '18 at 09:15
  • Yep, that's the general order of signature generation. It would be tricky to do it the other way, right? – Maarten Bodewes Apr 13 '18 at 10:46
  • Is it possible to sign something without first hashing it? – Venemo Apr 13 '18 at 18:22
  • Generally that's not something that is ever performed. There are signatures with partial message recovery, but even those are first hashing the message, and then include (part of) the message *and* the hash in the RSA operation. – Maarten Bodewes Apr 14 '18 at 20:17
  • You can in principle forego the hashing and use the message, **if** the message is sufficiently small. Of course anybody that can decrypt can retrieve the message (which is generally no problem in sign-then-encrypt). You **do** however need to include the padding before you perform the modular exponentiation required for RSA. (EC)DSA is a different kettle of fish, and you may need to hash or exclude some message patterns. More info [here](https://crypto.stackexchange.com/q/12768/1172) – Maarten Bodewes Apr 14 '18 at 20:32