enum ssl_private_key_result_t ssl_private_key_sign(
SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
uint16_t signature_algorithm, const uint8_t *in, size_t in_len) {
if (ssl->cert->key_method != NULL) {
if (ssl->cert->key_method->sign != NULL) {
return ssl->cert->key_method->sign(ssl, out, out_len, max_out,
signature_algorithm, in, in_len);
}
/* TODO(davidben): Remove support for |sign_digest|-only
* |SSL_PRIVATE_KEY_METHOD|s. */
const EVP_MD *md;
int curve;
if (!is_rsa_pkcs1(&md, signature_algorithm) &&
!is_ecdsa(&curve, &md, signature_algorithm)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
return ssl_private_key_failure;
}
uint8_t hash[EVP_MAX_MD_SIZE];
unsigned hash_len;
if (!EVP_Digest(in, in_len, hash, &hash_len, md, NULL)) {
return ssl_private_key_failure;
}
return ssl->cert->key_method->sign_digest(ssl, out, out_len, max_out, md,
hash, hash_len);
}
const EVP_MD *md;
if (is_rsa_pkcs1(&md, signature_algorithm) &&
ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
return ssl_sign_rsa_pkcs1(ssl, out, out_len, max_out, md, in, in_len)
? ssl_private_key_success
: ssl_private_key_failure;
}
int curve;
if (is_ecdsa(&curve, &md, signature_algorithm)) {
return ssl_sign_ecdsa(ssl, out, out_len, max_out, curve, md, in, in_len)
? ssl_private_key_success
: ssl_private_key_failure;
}
if (is_rsa_pss(&md, signature_algorithm)) {
return ssl_sign_rsa_pss(ssl, out, out_len, max_out, md, in, in_len)
? ssl_private_key_success
: ssl_private_key_failure;
}
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
return ssl_private_key_failure;
}
enum ssl_private_key_result_t ssl_private_key_sign(
SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
uint16_t signature_algorithm, const uint8_t *in, size_t in_len) {
if (ssl->cert->key_method != NULL) {
/* For now, custom private keys can only handle pre-TLS-1.3 signature
* algorithms.
*
* TODO(davidben): Switch SSL_PRIVATE_KEY_METHOD to message-based APIs. */
const EVP_MD *md;
int curve;
if (!is_rsa_pkcs1(&md, signature_algorithm) &&
!is_ecdsa(&curve, &md, signature_algorithm)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
return ssl_private_key_failure;
}
uint8_t hash[EVP_MAX_MD_SIZE];
unsigned hash_len;
if (!EVP_Digest(in, in_len, hash, &hash_len, md, NULL)) {
return ssl_private_key_failure;
}
return ssl->cert->key_method->sign(ssl, out, out_len, max_out, md, hash,
hash_len);
}
const EVP_MD *md;
if (is_rsa_pkcs1(&md, signature_algorithm)) {
return ssl_sign_rsa_pkcs1(ssl, out, out_len, max_out, md, in, in_len)
? ssl_private_key_success
: ssl_private_key_failure;
}
int curve;
if (is_ecdsa(&curve, &md, signature_algorithm)) {
return ssl_sign_ecdsa(ssl, out, out_len, max_out, curve, md, in, in_len)
? ssl_private_key_success
: ssl_private_key_failure;
}
if (is_rsa_pss(&md, signature_algorithm) &&
ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
return ssl_sign_rsa_pss(ssl, out, out_len, max_out, md, in, in_len)
? ssl_private_key_success
: ssl_private_key_failure;
}
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
return ssl_private_key_failure;
}
