1 | =pod
|
---|
2 |
|
---|
3 | =head1 NAME
|
---|
4 |
|
---|
5 | EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal,
|
---|
6 | EVP_DigestVerify - EVP signature verification functions
|
---|
7 |
|
---|
8 | =head1 SYNOPSIS
|
---|
9 |
|
---|
10 | #include <openssl/evp.h>
|
---|
11 |
|
---|
12 | int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
---|
13 | const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
|
---|
14 | int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
|
---|
15 | int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
---|
16 | size_t siglen);
|
---|
17 | int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
|
---|
18 | size_t siglen, const unsigned char *tbs, size_t tbslen);
|
---|
19 |
|
---|
20 | =head1 DESCRIPTION
|
---|
21 |
|
---|
22 | The EVP signature routines are a high-level interface to digital signatures.
|
---|
23 |
|
---|
24 | EVP_DigestVerifyInit() sets up verification context B<ctx> to use digest
|
---|
25 | B<type> from ENGINE B<e> and public key B<pkey>. B<ctx> must be created
|
---|
26 | with EVP_MD_CTX_new() before calling this function. If B<pctx> is not NULL, the
|
---|
27 | EVP_PKEY_CTX of the verification operation will be written to B<*pctx>: this
|
---|
28 | can be used to set alternative verification options. Note that any existing
|
---|
29 | value in B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be freed
|
---|
30 | directly by the application if B<ctx> is not assigned an EVP_PKEY_CTX value before
|
---|
31 | being passed to EVP_DigestVerifyInit() (which means the EVP_PKEY_CTX is created
|
---|
32 | inside EVP_DigestVerifyInit() and it will be freed automatically when the
|
---|
33 | EVP_MD_CTX is freed).
|
---|
34 |
|
---|
35 | No B<EVP_PKEY_CTX> will be created by EVP_DigestSignInit() if the passed B<ctx>
|
---|
36 | has already been assigned one via L<EVP_MD_CTX_set_pkey_ctx(3)>. See also L<SM2(7)>.
|
---|
37 |
|
---|
38 | EVP_DigestVerifyUpdate() hashes B<cnt> bytes of data at B<d> into the
|
---|
39 | verification context B<ctx>. This function can be called several times on the
|
---|
40 | same B<ctx> to include additional data. This function is currently implemented
|
---|
41 | using a macro.
|
---|
42 |
|
---|
43 | EVP_DigestVerifyFinal() verifies the data in B<ctx> against the signature in
|
---|
44 | B<sig> of length B<siglen>.
|
---|
45 |
|
---|
46 | EVP_DigestVerify() verifies B<tbslen> bytes at B<tbs> against the signature
|
---|
47 | in B<sig> of length B<siglen>.
|
---|
48 |
|
---|
49 | =head1 RETURN VALUES
|
---|
50 |
|
---|
51 | EVP_DigestVerifyInit() and EVP_DigestVerifyUpdate() return 1 for success and 0
|
---|
52 | for failure.
|
---|
53 |
|
---|
54 | EVP_DigestVerifyFinal() and EVP_DigestVerify() return 1 for success; any other
|
---|
55 | value indicates failure. A return value of zero indicates that the signature
|
---|
56 | did not verify successfully (that is, B<tbs> did not match the original data or
|
---|
57 | the signature had an invalid form), while other values indicate a more serious
|
---|
58 | error (and sometimes also indicate an invalid signature form).
|
---|
59 |
|
---|
60 | The error codes can be obtained from L<ERR_get_error(3)>.
|
---|
61 |
|
---|
62 | =head1 NOTES
|
---|
63 |
|
---|
64 | The B<EVP> interface to digital signatures should almost always be used in
|
---|
65 | preference to the low-level interfaces. This is because the code then becomes
|
---|
66 | transparent to the algorithm used and much more flexible.
|
---|
67 |
|
---|
68 | EVP_DigestVerify() is a one shot operation which verifies a single block of
|
---|
69 | data in one function. For algorithms that support streaming it is equivalent
|
---|
70 | to calling EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal(). For
|
---|
71 | algorithms which do not support streaming (e.g. PureEdDSA) it is the only way
|
---|
72 | to verify data.
|
---|
73 |
|
---|
74 | In previous versions of OpenSSL there was a link between message digest types
|
---|
75 | and public key algorithms. This meant that "clone" digests such as EVP_dss1()
|
---|
76 | needed to be used to sign using SHA1 and DSA. This is no longer necessary and
|
---|
77 | the use of clone digest is now discouraged.
|
---|
78 |
|
---|
79 | For some key types and parameters the random number generator must be seeded.
|
---|
80 | If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
|
---|
81 | external circumstances (see L<RAND(7)>), the operation will fail.
|
---|
82 |
|
---|
83 | The call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest
|
---|
84 | context. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can
|
---|
85 | be called later to digest and verify additional data.
|
---|
86 |
|
---|
87 | Since only a copy of the digest context is ever finalized, the context must
|
---|
88 | be cleaned up after use by calling EVP_MD_CTX_free() or a memory leak
|
---|
89 | will occur.
|
---|
90 |
|
---|
91 | =head1 SEE ALSO
|
---|
92 |
|
---|
93 | L<EVP_DigestSignInit(3)>,
|
---|
94 | L<EVP_DigestInit(3)>,
|
---|
95 | L<evp(7)>, L<HMAC(3)>, L<MD2(3)>,
|
---|
96 | L<MD5(3)>, L<MDC2(3)>, L<RIPEMD160(3)>,
|
---|
97 | L<SHA1(3)>, L<dgst(1)>,
|
---|
98 | L<RAND(7)>
|
---|
99 |
|
---|
100 | =head1 HISTORY
|
---|
101 |
|
---|
102 | EVP_DigestVerifyInit(), EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal()
|
---|
103 | were added in OpenSSL 1.0.0.
|
---|
104 |
|
---|
105 | =head1 COPYRIGHT
|
---|
106 |
|
---|
107 | Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
|
---|
108 |
|
---|
109 | Licensed under the OpenSSL license (the "License"). You may not use
|
---|
110 | this file except in compliance with the License. You can obtain a copy
|
---|
111 | in the file LICENSE in the source distribution or at
|
---|
112 | L<https://www.openssl.org/source/license.html>.
|
---|
113 |
|
---|
114 | =cut
|
---|