You are right, that the toplevel API doesn't have take a digest parameter. The only kind of signature you get is the "default" where default is defined per-key-type.

We should probably have PKCS7_sign_ex() that took a "const EVP_MD*" parameter. It'd be trivial to do this. Same for CMS_sign. Please open a ticket.

--
Principal Security Engineer, Akamai Technologies
IM: rsalz-dbVaDHFsUTizQB+***@public.gmane.org Twitter: RichSalz

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

CMS_sign() does use the default digest only. The cms application can use
a different digest though. You can do the same: it's slightly more
complex but not difficult. In outline you do this:

Call CMS_sign() set the private key argument to NULL and include the flag
CMS_PARTIAL (if you don't already). This just initialises the structure
without actually signing anything.

Add the signer(s) using CMS_add1_signer() you can specify the digest algorithm
to use with this call. You can add multiplers signer using different digest
algorithms here.

If you're streaming call SMIME_write_CMS() as normal. If not call CMS_final()
which will finalise the structure and you can then write it out. This
finalises the strcutures and performs the content digesting and signing.

There is an example of this for two signers (but which doesn't use a different
digest) in demos/cms/cms_sign2.c

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org