xref: /freebsd/crypto/openssl/doc/man3/X509_sign.pod (revision 6be3386466ab79a84b48429ae66244f21526d3df)
1=pod
2
3=head1 NAME
4
5X509_sign, X509_sign_ctx, X509_verify, X509_REQ_sign, X509_REQ_sign_ctx,
6X509_REQ_verify, X509_CRL_sign, X509_CRL_sign_ctx, X509_CRL_verify -
7sign or verify certificate, certificate request or CRL signature
8
9=head1 SYNOPSIS
10
11 #include <openssl/x509.h>
12
13 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
14 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
15 int X509_verify(X509 *a, EVP_PKEY *r);
16
17 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
18 int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
19 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
20
21 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
22 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
23 int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
24
25=head1 DESCRIPTION
26
27X509_sign() signs certificate B<x> using private key B<pkey> and message
28digest B<md> and sets the signature in B<x>. X509_sign_ctx() also signs
29certificate B<x> but uses the parameters contained in digest context B<ctx>.
30
31X509_verify() verifies the signature of certificate B<x> using public key
32B<pkey>. Only the signature is checked: no other checks (such as certificate
33chain validity) are performed.
34
35X509_REQ_sign(), X509_REQ_sign_ctx(), X509_REQ_verify(),
36X509_CRL_sign(), X509_CRL_sign_ctx() and X509_CRL_verify() sign and verify
37certificate requests and CRLs respectively.
38
39=head1 NOTES
40
41X509_sign_ctx() is used where the default parameters for the corresponding
42public key and digest are not suitable. It can be used to sign keys using
43RSA-PSS for example.
44
45For efficiency reasons and to work around ASN.1 encoding issues the encoding
46of the signed portion of a certificate, certificate request and CRL is cached
47internally. If the signed portion of the structure is modified the encoding
48is not always updated meaning a stale version is sometimes used. This is not
49normally a problem because modifying the signed portion will invalidate the
50signature and signing will always update the encoding.
51
52=head1 RETURN VALUES
53
54X509_sign(), X509_sign_ctx(), X509_REQ_sign(), X509_REQ_sign_ctx(),
55X509_CRL_sign() and X509_CRL_sign_ctx() return the size of the signature
56in bytes for success and zero for failure.
57
58X509_verify(), X509_REQ_verify() and X509_CRL_verify() return 1 if the
59signature is valid and 0 if the signature check fails. If the signature
60could not be checked at all because it was invalid or some other error
61occurred then -1 is returned.
62
63=head1 SEE ALSO
64
65L<d2i_X509(3)>,
66L<ERR_get_error(3)>,
67L<X509_CRL_get0_by_serial(3)>,
68L<X509_get0_signature(3)>,
69L<X509_get_ext_d2i(3)>,
70L<X509_get_extension_flags(3)>,
71L<X509_get_pubkey(3)>,
72L<X509_get_subject_name(3)>,
73L<X509_get_version(3)>,
74L<X509_NAME_add_entry_by_txt(3)>,
75L<X509_NAME_ENTRY_get_object(3)>,
76L<X509_NAME_get_index_by_NID(3)>,
77L<X509_NAME_print_ex(3)>,
78L<X509_new(3)>,
79L<X509V3_get_d2i(3)>,
80L<X509_verify_cert(3)>
81
82=head1 HISTORY
83
84The X509_sign(), X509_REQ_sign() and X509_CRL_sign() functions are
85available in all versions of OpenSSL.
86
87The X509_sign_ctx(), X509_REQ_sign_ctx()
88and X509_CRL_sign_ctx() functions were added OpenSSL 1.0.1.
89
90=head1 COPYRIGHT
91
92Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
93
94Licensed under the OpenSSL license (the "License").  You may not use
95this file except in compliance with the License.  You can obtain a copy
96in the file LICENSE in the source distribution or at
97L<https://www.openssl.org/source/license.html>.
98
99=cut
100