libdigidocpp icon indicating copy to clipboard operation
libdigidocpp copied to clipboard
verified publisher icon open-eid

Support of OpenSSL providers for digest calculation

Open fl-ido opened this issue 6 months ago • 5 comments

Hello,

Since OpenSSL 3.0, providers API has been added (https://docs.openssl.org/3.5/man7/provider/), which allow users to fetch custom algorithm implementations when performing operations, such as digest calculation.

I am using libdigidocpp library for XADES signatures, and I have implemented an OpenSSL provider for digest. I would like to be able use it when doing a XADES signature with libdigidocpp, in order to be able to do specific processing during digest calculation. I see in the code that digest calculation is done in Digest class, with the initialization done with EVP_DigestInit function. Being compliant with OpenSSL providers would require : - To fetch the digest implementation explicitely with EVP_MD_fetch instead of implicitely with EVP_get_digestbynid, as it is possible to give a provider name as the third parameter of EVP_MD_fetch (you can give a property like "provider=myprovider"). - To use EVP_DigestInit_ex2 instead of EVP_DigestInit, allowing to give specific parameters during initialization that the provider will be able to recognize.

Furthermore, the use of explicit fetching could be better in terms of performance, according to OpenSSL : https://docs.openssl.org/master/man7/ossl-guide-libcrypto-introduction/#performance

I suppose this enhancement would thus require to add two parameters in the Conf, i.e. one for the properties to give during algorithm fetching (a string), and one for the parameters to give during digest context initialization (an OSSL_PARAM*, an object from OpenSSL).

What do you think about it ?

fl-ido avatar Jul 07 '25 10:07 fl-ido

I do not think it is that easy. Digest is only used some parts of XAdES validation and generation. XML DSig part is still validated with https://www.aleksey.com/xmlsec/ library.

metsma avatar Jul 08 '25 06:07 metsma

So if I understand right, xmlsec library is used for digest computing but only for signature verification ? I don't know what it would require to support OpenSSL digest providers for signature verification, but at least for signature generation when I do the modifications I mentioned to the code it works well.

fl-ido avatar Jul 08 '25 12:07 fl-ido

xmlsec1 is used to verify data references and signaturevalue https://github.com/open-eid/libdigidocpp/blob/master/src/XMLDocument.h#L415-L446 OCSP and timestamps use Digest object

metsma avatar Jul 08 '25 12:07 metsma

Seems like xmlsec1 uses fetch method https://github.com/lsh123/xmlsec/blob/master/src/openssl/digests.c#L313C67-L313C77

metsma avatar Jul 08 '25 15:07 metsma

Indeed, but it seems that they always give NULL as fetching properties parameter, and that they use EVP_DigestInit method https://github.com/lsh123/xmlsec/blob/a7e8464f2a2826820b94cc641ac0aae345641fc6/src/openssl/digests.c#L416

fl-ido avatar Jul 09 '25 07:07 fl-ido