/* ssl_private_key_sign signs the |in_len| bytes at |in| with |ssl|'s private
 * key using |signature_algorithm|. |out|, |out_len| and |max_out| are passed
 * through unchanged to whichever signer is selected.
 *
 * If a custom key method is installed on |ssl->cert|, it handles the request:
 * its message-based |sign| hook is preferred and the legacy |sign_digest|
 * hook is the fallback. Otherwise a built-in RSA PKCS#1, ECDSA or RSA-PSS
 * signer is chosen from |signature_algorithm|.
 *
 * On the custom path the hook's own result is returned. On the built-in path
 * the result is |ssl_private_key_success| or |ssl_private_key_failure|. */
enum ssl_private_key_result_t ssl_private_key_sign(
    SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
    uint16_t signature_algorithm, const uint8_t *in, size_t in_len) {
  const EVP_MD *md;
  int curve;

  if (ssl->cert->key_method != NULL) {
    if (ssl->cert->key_method->sign == NULL) {
      /* TODO(davidben): Remove support for |sign_digest|-only
       * |SSL_PRIVATE_KEY_METHOD|s. */

      /* A digest-only hook can only serve algorithms that hash the message
       * and then sign the hash, so anything else is rejected up front. */
      if (!(is_rsa_pkcs1(&md, signature_algorithm) ||
            is_ecdsa(&curve, &md, signature_algorithm))) {
        OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
        return ssl_private_key_failure;
      }

      /* Hash here; the hook receives only the digest. */
      uint8_t digest[EVP_MAX_MD_SIZE];
      unsigned digest_len;
      if (!EVP_Digest(in, in_len, digest, &digest_len, md, NULL)) {
        return ssl_private_key_failure;
      }

      /* NOTE(review): |sign_digest| is called without a NULL check; presumably
       * a method with neither hook set is rejected when it is installed.
       * Confirm. */
      return ssl->cert->key_method->sign_digest(ssl, out, out_len, max_out, md,
                                                digest, digest_len);
    }

    /* NOTE(review): neither custom hook sees the TLS 1.3 restriction on RSA
     * PKCS#1 that the built-in path applies below. Confirm that signature
     * algorithm selection in the caller (or the hook itself) enforces it. */
    return ssl->cert->key_method->sign(ssl, out, out_len, max_out,
                                       signature_algorithm, in, in_len);
  }

  /* Built-in keys. RSA PKCS#1 is only used below TLS 1.3. */
  if (is_rsa_pkcs1(&md, signature_algorithm) &&
      ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
    if (ssl_sign_rsa_pkcs1(ssl, out, out_len, max_out, md, in, in_len)) {
      return ssl_private_key_success;
    }
    return ssl_private_key_failure;
  }

  if (is_ecdsa(&curve, &md, signature_algorithm)) {
    if (ssl_sign_ecdsa(ssl, out, out_len, max_out, curve, md, in, in_len)) {
      return ssl_private_key_success;
    }
    return ssl_private_key_failure;
  }

  if (is_rsa_pss(&md, signature_algorithm)) {
    if (ssl_sign_rsa_pss(ssl, out, out_len, max_out, md, in, in_len)) {
      return ssl_private_key_success;
    }
    return ssl_private_key_failure;
  }

  /* No signer matched |signature_algorithm|. */
  OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
  return ssl_private_key_failure;
}
/* ssl_private_key_sign signs the |in_len| bytes at |in| with |ssl|'s private
 * key using |signature_algorithm|. |out|, |out_len| and |max_out| are passed
 * through unchanged to whichever signer is selected.
 *
 * If a custom key method is installed on |ssl->cert|, the message is hashed
 * here and the digest is handed to the method's |sign| hook, whose result is
 * returned as-is. Otherwise a built-in RSA PKCS#1, ECDSA or RSA-PSS signer is
 * chosen from |signature_algorithm| and the result is
 * |ssl_private_key_success| or |ssl_private_key_failure|. */
enum ssl_private_key_result_t ssl_private_key_sign(
    SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
    uint16_t signature_algorithm, const uint8_t *in, size_t in_len) {
  const EVP_MD *md;
  int curve;

  if (ssl->cert->key_method != NULL) {
    /* For now, custom private keys can only handle pre-TLS-1.3 signature
     * algorithms.
     *
     * TODO(davidben): Switch SSL_PRIVATE_KEY_METHOD to message-based APIs. */
    if (!(is_rsa_pkcs1(&md, signature_algorithm) ||
          is_ecdsa(&curve, &md, signature_algorithm))) {
      OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
      return ssl_private_key_failure;
    }

    /* The hook takes a digest, not the message, so hash before calling it. */
    uint8_t digest[EVP_MAX_MD_SIZE];
    unsigned digest_len;
    if (!EVP_Digest(in, in_len, digest, &digest_len, md, NULL)) {
      return ssl_private_key_failure;
    }

    /* NOTE(review): |sign| is called without a NULL check; presumably the
     * method is validated when it is installed. Confirm. */
    return ssl->cert->key_method->sign(ssl, out, out_len, max_out, md, digest,
                                       digest_len);
  }

  /* NOTE(review): RSA PKCS#1 is accepted here for every protocol version,
   * and the custom-key path above accepts it as well. TLS 1.3 (RFC 8446) does
   * not define RSASSA-PKCS1-v1_5 for signed handshake messages, so confirm
   * that signature algorithm negotiation keeps it away from this function on
   * TLS 1.3 connections. */
  if (is_rsa_pkcs1(&md, signature_algorithm)) {
    if (ssl_sign_rsa_pkcs1(ssl, out, out_len, max_out, md, in, in_len)) {
      return ssl_private_key_success;
    }
    return ssl_private_key_failure;
  }

  if (is_ecdsa(&curve, &md, signature_algorithm)) {
    if (ssl_sign_ecdsa(ssl, out, out_len, max_out, curve, md, in, in_len)) {
      return ssl_private_key_success;
    }
    return ssl_private_key_failure;
  }

  /* RSA-PSS is only used from TLS 1.3 onwards. On earlier versions a PSS
   * algorithm falls through to the error below. */
  if (is_rsa_pss(&md, signature_algorithm) &&
      ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
    if (ssl_sign_rsa_pss(ssl, out, out_len, max_out, md, in, in_len)) {
      return ssl_private_key_success;
    }
    return ssl_private_key_failure;
  }

  /* No signer matched |signature_algorithm| for this protocol version. */
  OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
  return ssl_private_key_failure;
}