1e71b7053SJung-uk Kim=pod 2e71b7053SJung-uk Kim 3e71b7053SJung-uk Kim=head1 NAME 4e71b7053SJung-uk Kim 5e71b7053SJung-uk KimEVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal, 6e71b7053SJung-uk KimEVP_DigestSign - EVP signing functions 7e71b7053SJung-uk Kim 8e71b7053SJung-uk Kim=head1 SYNOPSIS 9e71b7053SJung-uk Kim 10e71b7053SJung-uk Kim #include <openssl/evp.h> 11e71b7053SJung-uk Kim 12e71b7053SJung-uk Kim int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, 13e71b7053SJung-uk Kim const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); 14e71b7053SJung-uk Kim int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); 15e71b7053SJung-uk Kim int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen); 16e71b7053SJung-uk Kim 17e71b7053SJung-uk Kim int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, 18e71b7053SJung-uk Kim size_t *siglen, const unsigned char *tbs, 19e71b7053SJung-uk Kim size_t tbslen); 20e71b7053SJung-uk Kim 21e71b7053SJung-uk Kim=head1 DESCRIPTION 22e71b7053SJung-uk Kim 23e71b7053SJung-uk KimThe EVP signature routines are a high level interface to digital signatures. 24e71b7053SJung-uk Kim 25e71b7053SJung-uk KimEVP_DigestSignInit() sets up signing context B<ctx> to use digest B<type> from 26e71b7053SJung-uk KimENGINE B<e> and private key B<pkey>. B<ctx> must be created with 27e71b7053SJung-uk KimEVP_MD_CTX_new() before calling this function. If B<pctx> is not NULL, the 28e71b7053SJung-uk KimEVP_PKEY_CTX of the signing operation will be written to B<*pctx>: this can 29e71b7053SJung-uk Kimbe used to set alternative signing options. Note that any existing value in 30e71b7053SJung-uk KimB<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be freed 31e71b7053SJung-uk Kimdirectly by the application if B<ctx> is not assigned an EVP_PKEY_CTX value before 32e71b7053SJung-uk Kimbeing passed to EVP_DigestSignInit() (which means the EVP_PKEY_CTX is created 33e71b7053SJung-uk Kiminside EVP_DigestSignInit() and it will be freed automatically when the 34e71b7053SJung-uk KimEVP_MD_CTX is freed). 35e71b7053SJung-uk Kim 36e71b7053SJung-uk KimThe digest B<type> may be NULL if the signing algorithm supports it. 37e71b7053SJung-uk Kim 38*da327cd2SJung-uk KimNo B<EVP_PKEY_CTX> will be created by EVP_DigestSignInit() if the passed B<ctx> 39e71b7053SJung-uk Kimhas already been assigned one via L<EVP_MD_CTX_set_ctx(3)>. See also L<SM2(7)>. 40e71b7053SJung-uk Kim 41e71b7053SJung-uk KimOnly EVP_PKEY types that support signing can be used with these functions. This 42e71b7053SJung-uk Kimincludes MAC algorithms where the MAC generation is considered as a form of 43e71b7053SJung-uk Kim"signing". Built-in EVP_PKEY types supported by these functions are CMAC, 44e71b7053SJung-uk KimPoly1305, DSA, ECDSA, HMAC, RSA, SipHash, Ed25519 and Ed448. 45e71b7053SJung-uk Kim 46e71b7053SJung-uk KimNot all digests can be used for all key types. The following combinations apply. 47e71b7053SJung-uk Kim 48e71b7053SJung-uk Kim=over 4 49e71b7053SJung-uk Kim 50e71b7053SJung-uk Kim=item DSA 51e71b7053SJung-uk Kim 52e71b7053SJung-uk KimSupports SHA1, SHA224, SHA256, SHA384 and SHA512 53e71b7053SJung-uk Kim 54e71b7053SJung-uk Kim=item ECDSA 55e71b7053SJung-uk Kim 56e71b7053SJung-uk KimSupports SHA1, SHA224, SHA256, SHA384, SHA512 and SM3 57e71b7053SJung-uk Kim 58e71b7053SJung-uk Kim=item RSA with no padding 59e71b7053SJung-uk Kim 60e71b7053SJung-uk KimSupports no digests (the digest B<type> must be NULL) 61e71b7053SJung-uk Kim 62e71b7053SJung-uk Kim=item RSA with X931 padding 63e71b7053SJung-uk Kim 64e71b7053SJung-uk KimSupports SHA1, SHA256, SHA384 and SHA512 65e71b7053SJung-uk Kim 66e71b7053SJung-uk Kim=item All other RSA padding types 67e71b7053SJung-uk Kim 68e71b7053SJung-uk KimSupport SHA1, SHA224, SHA256, SHA384, SHA512, MD5, MD5_SHA1, MD2, MD4, MDC2, 69e71b7053SJung-uk KimSHA3-224, SHA3-256, SHA3-384, SHA3-512 70e71b7053SJung-uk Kim 71e71b7053SJung-uk Kim=item Ed25519 and Ed448 72e71b7053SJung-uk Kim 73e71b7053SJung-uk KimSupport no digests (the digest B<type> must be NULL) 74e71b7053SJung-uk Kim 75e71b7053SJung-uk Kim=item HMAC 76e71b7053SJung-uk Kim 77e71b7053SJung-uk KimSupports any digest 78e71b7053SJung-uk Kim 79e71b7053SJung-uk Kim=item CMAC, Poly1305 and SipHash 80e71b7053SJung-uk Kim 81e71b7053SJung-uk KimWill ignore any digest provided. 82e71b7053SJung-uk Kim 83e71b7053SJung-uk Kim=back 84e71b7053SJung-uk Kim 85e71b7053SJung-uk KimIf RSA-PSS is used and restrictions apply then the digest must match. 86e71b7053SJung-uk Kim 87e71b7053SJung-uk KimEVP_DigestSignUpdate() hashes B<cnt> bytes of data at B<d> into the 88e71b7053SJung-uk Kimsignature context B<ctx>. This function can be called several times on the 89e71b7053SJung-uk Kimsame B<ctx> to include additional data. This function is currently implemented 90e71b7053SJung-uk Kimusing a macro. 91e71b7053SJung-uk Kim 92e71b7053SJung-uk KimEVP_DigestSignFinal() signs the data in B<ctx> and places the signature in B<sig>. 93e71b7053SJung-uk KimIf B<sig> is B<NULL> then the maximum size of the output buffer is written to 94e71b7053SJung-uk Kimthe B<siglen> parameter. If B<sig> is not B<NULL> then before the call the 95e71b7053SJung-uk KimB<siglen> parameter should contain the length of the B<sig> buffer. If the 96e71b7053SJung-uk Kimcall is successful the signature is written to B<sig> and the amount of data 97e71b7053SJung-uk Kimwritten to B<siglen>. 98e71b7053SJung-uk Kim 99e71b7053SJung-uk KimEVP_DigestSign() signs B<tbslen> bytes of data at B<tbs> and places the 100e71b7053SJung-uk Kimsignature in B<sig> and its length in B<siglen> in a similar way to 101e71b7053SJung-uk KimEVP_DigestSignFinal(). 102e71b7053SJung-uk Kim 103e71b7053SJung-uk Kim=head1 RETURN VALUES 104e71b7053SJung-uk Kim 105e71b7053SJung-uk KimEVP_DigestSignInit(), EVP_DigestSignUpdate(), EVP_DigestSignaFinal() and 106e71b7053SJung-uk KimEVP_DigestSign() return 1 for success and 0 or a negative value for failure. In 107e71b7053SJung-uk Kimparticular, a return value of -2 indicates the operation is not supported by the 108e71b7053SJung-uk Kimpublic key algorithm. 109e71b7053SJung-uk Kim 110e71b7053SJung-uk KimThe error codes can be obtained from L<ERR_get_error(3)>. 111e71b7053SJung-uk Kim 112e71b7053SJung-uk Kim=head1 NOTES 113e71b7053SJung-uk Kim 114e71b7053SJung-uk KimThe B<EVP> interface to digital signatures should almost always be used in 115e71b7053SJung-uk Kimpreference to the low level interfaces. This is because the code then becomes 116e71b7053SJung-uk Kimtransparent to the algorithm used and much more flexible. 117e71b7053SJung-uk Kim 118e71b7053SJung-uk KimEVP_DigestSign() is a one shot operation which signs a single block of data 119e71b7053SJung-uk Kimin one function. For algorithms that support streaming it is equivalent to 120e71b7053SJung-uk Kimcalling EVP_DigestSignUpdate() and EVP_DigestSignFinal(). For algorithms which 121e71b7053SJung-uk Kimdo not support streaming (e.g. PureEdDSA) it is the only way to sign data. 122e71b7053SJung-uk Kim 123e71b7053SJung-uk KimIn previous versions of OpenSSL there was a link between message digest types 124e71b7053SJung-uk Kimand public key algorithms. This meant that "clone" digests such as EVP_dss1() 125e71b7053SJung-uk Kimneeded to be used to sign using SHA1 and DSA. This is no longer necessary and 126e71b7053SJung-uk Kimthe use of clone digest is now discouraged. 127e71b7053SJung-uk Kim 128*da327cd2SJung-uk KimFor some key types and parameters the random number generator must be seeded. 129*da327cd2SJung-uk KimIf the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to 130*da327cd2SJung-uk Kimexternal circumstances (see L<RAND(7)>), the operation will fail. 131e71b7053SJung-uk Kim 132e71b7053SJung-uk KimThe call to EVP_DigestSignFinal() internally finalizes a copy of the digest 133e71b7053SJung-uk Kimcontext. This means that calls to EVP_DigestSignUpdate() and 134e71b7053SJung-uk KimEVP_DigestSignFinal() can be called later to digest and sign additional data. 135e71b7053SJung-uk Kim 136e71b7053SJung-uk KimSince only a copy of the digest context is ever finalized, the context must 137e71b7053SJung-uk Kimbe cleaned up after use by calling EVP_MD_CTX_free() or a memory leak 138e71b7053SJung-uk Kimwill occur. 139e71b7053SJung-uk Kim 140e71b7053SJung-uk KimThe use of EVP_PKEY_size() with these functions is discouraged because some 141e71b7053SJung-uk Kimsignature operations may have a signature length which depends on the 142e71b7053SJung-uk Kimparameters set. As a result EVP_PKEY_size() would have to return a value 143e71b7053SJung-uk Kimwhich indicates the maximum possible signature for any set of parameters. 144e71b7053SJung-uk Kim 145e71b7053SJung-uk Kim=head1 SEE ALSO 146e71b7053SJung-uk Kim 147e71b7053SJung-uk KimL<EVP_DigestVerifyInit(3)>, 148e71b7053SJung-uk KimL<EVP_DigestInit(3)>, 149e71b7053SJung-uk KimL<evp(7)>, L<HMAC(3)>, L<MD2(3)>, 150e71b7053SJung-uk KimL<MD5(3)>, L<MDC2(3)>, L<RIPEMD160(3)>, 151*da327cd2SJung-uk KimL<SHA1(3)>, L<dgst(1)>, 152*da327cd2SJung-uk KimL<RAND(7)> 153e71b7053SJung-uk Kim 154e71b7053SJung-uk Kim=head1 HISTORY 155e71b7053SJung-uk Kim 156e71b7053SJung-uk KimEVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal() 1576935a639SJung-uk Kimwere added in OpenSSL 1.0.0. 158e71b7053SJung-uk Kim 159e71b7053SJung-uk Kim=head1 COPYRIGHT 160e71b7053SJung-uk Kim 161*da327cd2SJung-uk KimCopyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. 162e71b7053SJung-uk Kim 163e71b7053SJung-uk KimLicensed under the OpenSSL license (the "License"). You may not use 164e71b7053SJung-uk Kimthis file except in compliance with the License. You can obtain a copy 165e71b7053SJung-uk Kimin the file LICENSE in the source distribution or at 166e71b7053SJung-uk KimL<https://www.openssl.org/source/license.html>. 167e71b7053SJung-uk Kim 168e71b7053SJung-uk Kim=cut 169