int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE;
int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0;
int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
- int rand_ser = 0, i, j, selfsign = 0;
+ int rand_ser = 0, i, j, selfsign = 0, def_nid, def_ret;
long crldays = 0, crlhours = 0, crlsec = 0, days = 0;
unsigned long chtype = MBSTRING_ASC, certopt = 0;
X509 *x509 = NULL, *x509p = NULL, *x = NULL;
}
}
- if (md == NULL && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL)
- goto end;
-
- if (strcmp(md, "null") == 0) {
+ def_ret = EVP_PKEY_get_default_digest_nid(pkey, &def_nid);
+ /*
+ * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is
+ * mandatory for this algorithm.
+ */
+ if (def_ret == 2 && def_nid == NID_undef) {
+ /* The signing algorithm requires there to be no digest */
dgst = EVP_md_null();
+ } else if (md == NULL
+ && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) {
+ goto end;
} else {
if (strcmp(md, "default") == 0) {
- int def_nid;
- if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
+ if (def_ret <= 0) {
BIO_puts(bio_err, "no default digest\n");
goto end;
}
md = (char *)OBJ_nid2sn(def_nid);
}
- if (!opt_md(md, &dgst)) {
+ if (!opt_md(md, &dgst))
goto end;
- }
}
if (req) {
=item B<-md alg>
The message digest to use.
-Any digest supported by the OpenSSL B<dgst> command can be used. If the signing
-key is using Ed25519 or Ed448 then you should specify "null" for the digest.
-This option also applies to CRLs.
+Any digest supported by the OpenSSL B<dgst> command can be used. For signing
+algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message
+digest that is set is ignored. This option also applies to CRLs.
=item B<-policy arg>
=item B<default_md>
-The same as the B<-md> option. Mandatory.
+The same as the B<-md> option. Mandatory except where the signing algorithm does
+not require a digest (i.e. Ed25519 and Ed448).
=item B<database>
projects / oweals / openssl.git / commitdiff