See if we can add OSSL_FUNC_SIGNATURE_digest_sign support for ML-DSA

Unfortunately this is a problem deep into EVP_DigestSign().
openssl req calls: [do_X509_REQ_sign()](https://github.com/openssl/openssl/blob/46c8f2a78e24771466af0f15208214fe9e48920f/apps/lib/apps.c#L2369) which calls [X509_REQ_sign_ctx](https://github.com/openssl/openssl/blob/03a9584499589f14363de758fdfb887cbef84790/crypto/x509/x_all.c#L153) which calls [ASN1_item_sign_ctx](https://github.com/openssl/openssl/blob/03a9584499589f14363de758fdfb887cbef84790/crypto/asn1/a_sign.c#L147) which ultimately calls [EVP_DigestSign](https://github.com/openssl/openssl/blob/03a9584499589f14363de758fdfb887cbef84790/crypto/evp/m_sigver.c#L623) and this function fallbacks to EVP_DigestSignUpdate() + EVP_DigestSignFinal() because we do not have a digest_sign interaface internally.

I do not recall why we didn't add it, it may be due to the fact that technically ML-DSA does not allow what is traditionally a digest_sign API for OpenSSL as you can't select the digest for ML-DSA signatures.

I'll use this investigation to open a bug to see if we can add it safely w/o breaking other assumptions in OpenSSL.

_Originally posted by @simo5 in https://github.com/latchset/pkcs11-provider/discussions/638#discussioncomment-14500646_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

See if we can add OSSL_FUNC_SIGNATURE_digest_sign support for ML-DSA #640

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

See if we can add OSSL_FUNC_SIGNATURE_digest_sign support for ML-DSA #640

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions