1e71b7053SJung-uk Kim=pod 2e71b7053SJung-uk Kim 3e71b7053SJung-uk Kim=head1 NAME 4e71b7053SJung-uk Kim 5*b077aed3SPierre ProncheryEVP_DigestVerifyInit_ex, EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, 6*b077aed3SPierre ProncheryEVP_DigestVerifyFinal, EVP_DigestVerify - EVP signature verification functions 7e71b7053SJung-uk Kim 8e71b7053SJung-uk Kim=head1 SYNOPSIS 9e71b7053SJung-uk Kim 10e71b7053SJung-uk Kim #include <openssl/evp.h> 11e71b7053SJung-uk Kim 12*b077aed3SPierre Pronchery int EVP_DigestVerifyInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, 13*b077aed3SPierre Pronchery const char *mdname, OSSL_LIB_CTX *libctx, 14*b077aed3SPierre Pronchery const char *props, EVP_PKEY *pkey, 15*b077aed3SPierre Pronchery const OSSL_PARAM params[]); 16e71b7053SJung-uk Kim int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, 17e71b7053SJung-uk Kim const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); 18e71b7053SJung-uk Kim int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); 19e71b7053SJung-uk Kim int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, 20e71b7053SJung-uk Kim size_t siglen); 21e71b7053SJung-uk Kim int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, 22e71b7053SJung-uk Kim size_t siglen, const unsigned char *tbs, size_t tbslen); 23e71b7053SJung-uk Kim 24e71b7053SJung-uk Kim=head1 DESCRIPTION 25e71b7053SJung-uk Kim 2658f35182SJung-uk KimThe EVP signature routines are a high-level interface to digital signatures. 27*b077aed3SPierre ProncheryInput data is digested first before the signature verification takes place. 28e71b7053SJung-uk Kim 29*b077aed3SPierre ProncheryEVP_DigestVerifyInit_ex() sets up verification context B<ctx> to use a 30*b077aed3SPierre Proncherydigest with the name B<mdname> and public key B<pkey>. The name of the digest to 31*b077aed3SPierre Proncherybe used is passed to the provider of the signature algorithm in use. How that 32*b077aed3SPierre Proncheryprovider interprets the digest name is provider specific. The provider may 33*b077aed3SPierre Proncheryimplement that digest directly itself or it may (optionally) choose to fetch it 34*b077aed3SPierre Pronchery(which could result in a digest from a different provider being selected). If 35*b077aed3SPierre Proncherythe provider supports fetching the digest then it may use the B<props> argument 36*b077aed3SPierre Proncheryfor the properties to be used during the fetch. Finally, the passed parameters 37*b077aed3SPierre ProncheryI<params>, if not NULL, are set on the context before returning. 38e71b7053SJung-uk Kim 39*b077aed3SPierre ProncheryThe I<pkey> algorithm is used to fetch a B<EVP_SIGNATURE> method implicitly, to 40*b077aed3SPierre Proncherybe used for the actual signing. See L<provider(7)/Implicit fetch> for 41*b077aed3SPierre Proncherymore information about implicit fetches. 42*b077aed3SPierre Pronchery 43*b077aed3SPierre ProncheryThe OpenSSL default and legacy providers support fetching digests and can fetch 44*b077aed3SPierre Proncherythose digests from any available provider. The OpenSSL FIPS provider also 45*b077aed3SPierre Proncherysupports fetching digests but will only fetch digests that are themselves 46*b077aed3SPierre Proncheryimplemented inside the FIPS provider. 47*b077aed3SPierre Pronchery 48*b077aed3SPierre ProncheryB<ctx> must be created with EVP_MD_CTX_new() before calling this function. If 49*b077aed3SPierre ProncheryB<pctx> is not NULL, the EVP_PKEY_CTX of the verification operation will be 50*b077aed3SPierre Proncherywritten to B<*pctx>: this can be used to set alternative verification options. 51*b077aed3SPierre ProncheryNote that any existing value in B<*pctx> is overwritten. The EVP_PKEY_CTX value 52*b077aed3SPierre Proncheryreturned must not be freed directly by the application if B<ctx> is not assigned 53*b077aed3SPierre Proncheryan EVP_PKEY_CTX value before being passed to EVP_DigestVerifyInit_ex() 54*b077aed3SPierre Pronchery(which means the EVP_PKEY_CTX is created inside 55*b077aed3SPierre ProncheryEVP_DigestVerifyInit_ex() and it will be freed automatically when the 56*b077aed3SPierre ProncheryEVP_MD_CTX is freed). If the EVP_PKEY_CTX to be used is created by 57*b077aed3SPierre ProncheryEVP_DigestVerifyInit_ex then it will use the B<OSSL_LIB_CTX> specified 58*b077aed3SPierre Proncheryin I<libctx> and the property query string specified in I<props>. 59*b077aed3SPierre Pronchery 60*b077aed3SPierre ProncheryNo B<EVP_PKEY_CTX> will be created by EVP_DigestVerifyInit_ex() if the 61*b077aed3SPierre Proncherypassed B<ctx> has already been assigned one via L<EVP_MD_CTX_set_pkey_ctx(3)>. 62*b077aed3SPierre ProncherySee also L<SM2(7)>. 63*b077aed3SPierre Pronchery 64*b077aed3SPierre ProncheryNot all digests can be used for all key types. The following combinations apply. 65*b077aed3SPierre Pronchery 66*b077aed3SPierre Pronchery=over 4 67*b077aed3SPierre Pronchery 68*b077aed3SPierre Pronchery=item DSA 69*b077aed3SPierre Pronchery 70*b077aed3SPierre ProncherySupports SHA1, SHA224, SHA256, SHA384 and SHA512 71*b077aed3SPierre Pronchery 72*b077aed3SPierre Pronchery=item ECDSA 73*b077aed3SPierre Pronchery 74*b077aed3SPierre ProncherySupports SHA1, SHA224, SHA256, SHA384, SHA512 and SM3 75*b077aed3SPierre Pronchery 76*b077aed3SPierre Pronchery=item RSA with no padding 77*b077aed3SPierre Pronchery 78*b077aed3SPierre ProncherySupports no digests (the digest B<type> must be NULL) 79*b077aed3SPierre Pronchery 80*b077aed3SPierre Pronchery=item RSA with X931 padding 81*b077aed3SPierre Pronchery 82*b077aed3SPierre ProncherySupports SHA1, SHA256, SHA384 and SHA512 83*b077aed3SPierre Pronchery 84*b077aed3SPierre Pronchery=item All other RSA padding types 85*b077aed3SPierre Pronchery 86*b077aed3SPierre ProncherySupport SHA1, SHA224, SHA256, SHA384, SHA512, MD5, MD5_SHA1, MD2, MD4, MDC2, 87*b077aed3SPierre ProncherySHA3-224, SHA3-256, SHA3-384, SHA3-512 88*b077aed3SPierre Pronchery 89*b077aed3SPierre Pronchery=item Ed25519 and Ed448 90*b077aed3SPierre Pronchery 91*b077aed3SPierre ProncherySupport no digests (the digest B<type> must be NULL) 92*b077aed3SPierre Pronchery 93*b077aed3SPierre Pronchery=item HMAC 94*b077aed3SPierre Pronchery 95*b077aed3SPierre ProncherySupports any digest 96*b077aed3SPierre Pronchery 97*b077aed3SPierre Pronchery=item CMAC, Poly1305 and Siphash 98*b077aed3SPierre Pronchery 99*b077aed3SPierre ProncheryWill ignore any digest provided. 100*b077aed3SPierre Pronchery 101*b077aed3SPierre Pronchery=back 102*b077aed3SPierre Pronchery 103*b077aed3SPierre ProncheryIf RSA-PSS is used and restrictions apply then the digest must match. 104*b077aed3SPierre Pronchery 105*b077aed3SPierre ProncheryEVP_DigestVerifyInit() works in the same way as 106*b077aed3SPierre ProncheryEVP_DigestVerifyInit_ex() except that the B<mdname> parameter will be 107*b077aed3SPierre Proncheryinferred from the supplied digest B<type>, and B<props> will be NULL. Where 108*b077aed3SPierre Proncherysupplied the ENGINE B<e> will be used for the signature verification and digest 109*b077aed3SPierre Proncheryalgorithm implementations. B<e> may be NULL. 110e71b7053SJung-uk Kim 111e71b7053SJung-uk KimEVP_DigestVerifyUpdate() hashes B<cnt> bytes of data at B<d> into the 112e71b7053SJung-uk Kimverification context B<ctx>. This function can be called several times on the 113*b077aed3SPierre Proncherysame B<ctx> to include additional data. 114e71b7053SJung-uk Kim 115e71b7053SJung-uk KimEVP_DigestVerifyFinal() verifies the data in B<ctx> against the signature in 116e71b7053SJung-uk KimB<sig> of length B<siglen>. 117e71b7053SJung-uk Kim 118e71b7053SJung-uk KimEVP_DigestVerify() verifies B<tbslen> bytes at B<tbs> against the signature 119e71b7053SJung-uk Kimin B<sig> of length B<siglen>. 120e71b7053SJung-uk Kim 121e71b7053SJung-uk Kim=head1 RETURN VALUES 122e71b7053SJung-uk Kim 123e71b7053SJung-uk KimEVP_DigestVerifyInit() and EVP_DigestVerifyUpdate() return 1 for success and 0 124e71b7053SJung-uk Kimfor failure. 125e71b7053SJung-uk Kim 126e71b7053SJung-uk KimEVP_DigestVerifyFinal() and EVP_DigestVerify() return 1 for success; any other 127e71b7053SJung-uk Kimvalue indicates failure. A return value of zero indicates that the signature 128e71b7053SJung-uk Kimdid not verify successfully (that is, B<tbs> did not match the original data or 129e71b7053SJung-uk Kimthe signature had an invalid form), while other values indicate a more serious 130e71b7053SJung-uk Kimerror (and sometimes also indicate an invalid signature form). 131e71b7053SJung-uk Kim 132e71b7053SJung-uk KimThe error codes can be obtained from L<ERR_get_error(3)>. 133e71b7053SJung-uk Kim 134e71b7053SJung-uk Kim=head1 NOTES 135e71b7053SJung-uk Kim 136e71b7053SJung-uk KimThe B<EVP> interface to digital signatures should almost always be used in 13758f35182SJung-uk Kimpreference to the low-level interfaces. This is because the code then becomes 138e71b7053SJung-uk Kimtransparent to the algorithm used and much more flexible. 139e71b7053SJung-uk Kim 140e71b7053SJung-uk KimEVP_DigestVerify() is a one shot operation which verifies a single block of 141e71b7053SJung-uk Kimdata in one function. For algorithms that support streaming it is equivalent 142e71b7053SJung-uk Kimto calling EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal(). For 143e71b7053SJung-uk Kimalgorithms which do not support streaming (e.g. PureEdDSA) it is the only way 144e71b7053SJung-uk Kimto verify data. 145e71b7053SJung-uk Kim 146e71b7053SJung-uk KimIn previous versions of OpenSSL there was a link between message digest types 147e71b7053SJung-uk Kimand public key algorithms. This meant that "clone" digests such as EVP_dss1() 148e71b7053SJung-uk Kimneeded to be used to sign using SHA1 and DSA. This is no longer necessary and 149e71b7053SJung-uk Kimthe use of clone digest is now discouraged. 150e71b7053SJung-uk Kim 151da327cd2SJung-uk KimFor some key types and parameters the random number generator must be seeded. 152da327cd2SJung-uk KimIf the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to 153da327cd2SJung-uk Kimexternal circumstances (see L<RAND(7)>), the operation will fail. 154e71b7053SJung-uk Kim 155e71b7053SJung-uk KimThe call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest 156e71b7053SJung-uk Kimcontext. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can 157e71b7053SJung-uk Kimbe called later to digest and verify additional data. 158e71b7053SJung-uk Kim 159*b077aed3SPierre ProncheryEVP_DigestVerifyInit() and EVP_DigestVerifyInit_ex() functions can be called 160*b077aed3SPierre Proncherymultiple times on a context and the parameters set by previous calls should be 161*b077aed3SPierre Proncherypreserved if the I<pkey> parameter is NULL. The call then just resets the state 162*b077aed3SPierre Proncheryof the I<ctx>. 163*b077aed3SPierre Pronchery 164*b077aed3SPierre ProncheryIgnoring failure returns of EVP_DigestVerifyInit() and EVP_DigestVerifyInit_ex() 165*b077aed3SPierre Proncheryfunctions can lead to subsequent undefined behavior when calling 166*b077aed3SPierre ProncheryEVP_DigestVerifyUpdate(), EVP_DigestVerifyFinal(), or EVP_DigestVerify(). 167e71b7053SJung-uk Kim 168e71b7053SJung-uk Kim=head1 SEE ALSO 169e71b7053SJung-uk Kim 170e71b7053SJung-uk KimL<EVP_DigestSignInit(3)>, 171e71b7053SJung-uk KimL<EVP_DigestInit(3)>, 172e71b7053SJung-uk KimL<evp(7)>, L<HMAC(3)>, L<MD2(3)>, 173e71b7053SJung-uk KimL<MD5(3)>, L<MDC2(3)>, L<RIPEMD160(3)>, 174*b077aed3SPierre ProncheryL<SHA1(3)>, L<openssl-dgst(1)>, 175da327cd2SJung-uk KimL<RAND(7)> 176e71b7053SJung-uk Kim 177e71b7053SJung-uk Kim=head1 HISTORY 178e71b7053SJung-uk Kim 179e71b7053SJung-uk KimEVP_DigestVerifyInit(), EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal() 1806935a639SJung-uk Kimwere added in OpenSSL 1.0.0. 181e71b7053SJung-uk Kim 182*b077aed3SPierre ProncheryEVP_DigestVerifyInit_ex() was added in OpenSSL 3.0. 183*b077aed3SPierre Pronchery 184*b077aed3SPierre ProncheryEVP_DigestVerifyUpdate() was converted from a macro to a function in OpenSSL 185*b077aed3SPierre Pronchery3.0. 186*b077aed3SPierre Pronchery 187e71b7053SJung-uk Kim=head1 COPYRIGHT 188e71b7053SJung-uk Kim 189*b077aed3SPierre ProncheryCopyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. 190e71b7053SJung-uk Kim 191*b077aed3SPierre ProncheryLicensed under the Apache License 2.0 (the "License"). You may not use 192e71b7053SJung-uk Kimthis file except in compliance with the License. You can obtain a copy 193e71b7053SJung-uk Kimin the file LICENSE in the source distribution or at 194e71b7053SJung-uk KimL<https://www.openssl.org/source/license.html>. 195e71b7053SJung-uk Kim 196e71b7053SJung-uk Kim=cut 197