openssl-prebuild/linux_amd64/share/doc/openssl/html/man7/provider-signature.html
2020-03-02 16:50:34 +00:00

272 lines
13 KiB
HTML
Executable File

<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>provider-signature</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:root@localhost" />
</head>
<body style="background-color: white">
<!-- INDEX BEGIN -->
<div name="index">
<p><a name="__index__"></a></p>
<ul>
<li><a href="#name">NAME</a></li>
<li><a href="#synopsis">SYNOPSIS</a></li>
<li><a href="#description">DESCRIPTION</a></li>
<ul>
<li><a href="#context_management_functions">Context Management Functions</a></li>
<li><a href="#signing_functions">Signing Functions</a></li>
<li><a href="#verify_functions">Verify Functions</a></li>
<li><a href="#verify_recover_functions">Verify Recover Functions</a></li>
<li><a href="#signature_parameters">Signature Parameters</a></li>
</ul>
<li><a href="#return_values">RETURN VALUES</a></li>
<li><a href="#see_also">SEE ALSO</a></li>
<li><a href="#history">HISTORY</a></li>
<li><a href="#copyright">COPYRIGHT</a></li>
</ul>
<hr name="index" />
</div>
<!-- INDEX END -->
<p>
</p>
<hr />
<h1><a name="name">NAME</a></h1>
<p>provider-signature - The signature library &lt;-&gt; provider functions</p>
<p>
</p>
<hr />
<h1><a name="synopsis">SYNOPSIS</a></h1>
<pre>
#include &lt;openssl/core_numbers.h&gt;
#include &lt;openssl/core_names.h&gt;</pre>
<pre>
/*
* None of these are actual functions, but are displayed like this for
* the function signatures for functions that are offered as function
* pointers in OSSL_DISPATCH arrays.
*/</pre>
<pre>
/* Context management */
void *OP_signature_newctx(void *provctx);
void OP_signature_freectx(void *ctx);
void *OP_signature_dupctx(void *ctx);</pre>
<pre>
/* Signing */
int OP_signature_sign_init(void *ctx, void *provkey);
int OP_signature_sign(void *ctx, unsigned char *sig, size_t *siglen,
size_t sigsize, const unsigned char *tbs, size_t tbslen);</pre>
<pre>
/* Verifying */
int OP_signature_verify_init(void *ctx, void *provkey);
int OP_signature_verify(void *ctx, const unsigned char *sig, size_t siglen,
const unsigned char *tbs, size_t tbslen);</pre>
<pre>
/* Verify Recover */
int OP_signature_verify_recover_init(void *ctx, void *provkey);
int OP_signature_verify_recover(void *ctx, unsigned char *rout,
size_t *routlen, size_t routsize,
const unsigned char *sig, size_t siglen);</pre>
<pre>
/* Signature parameters */
int OP_signature_get_ctx_params(void *ctx, OSSL_PARAM params[]);
const OSSL_PARAM *OP_signature_gettable_ctx_params(void);
int OP_signature_set_ctx_params(void *ctx, const OSSL_PARAM params[]);
const OSSL_PARAM *OP_signature_settable_ctx_params(void);</pre>
<p>
</p>
<hr />
<h1><a name="description">DESCRIPTION</a></h1>
<p>This documentation is primarily aimed at provider authors. See <em>provider(7)</em>
for further information.</p>
<p>The signature (OSSL_OP_SIGNATURE) operation enables providers to implement
signature algorithms and make them available to applications via the API
functions <em>EVP_PKEY_sign(3)</em>,
<em>EVP_PKEY_verify(3)</em>,
and <em>EVP_PKEY_verify_recover(3)</em> (as well
as other related functions).</p>
<p>All &quot;functions&quot; mentioned here are passed as function pointers between
<em class="file">libcrypto</em> and the provider in <strong>OSSL_DISPATCH</strong> arrays via
<strong>OSSL_ALGORITHM</strong> arrays that are returned by the provider's
<code>provider_query_operation()</code> function
(see <em>provider-base(7)/Provider Functions</em>).</p>
<p>All these &quot;functions&quot; have a corresponding function type definition
named <strong>OSSL_{name}_fn</strong>, and a helper function to retrieve the
function pointer from an <strong>OSSL_DISPATCH</strong> element named
<strong>OSSL_get_{name}</strong>.
For example, the &quot;function&quot; <code>OP_signature_newctx()</code> has these:</p>
<pre>
typedef void *(OSSL_OP_signature_newctx_fn)(void *provctx);
static ossl_inline OSSL_OP_signature_newctx_fn
OSSL_get_OP_signature_newctx(const OSSL_DISPATCH *opf);</pre>
<p><strong>OSSL_DISPATCH</strong> arrays are indexed by numbers that are provided as
macros in <em>openssl-core_numbers.h(7)</em>, as follows:</p>
<pre>
OP_signature_newctx OSSL_FUNC_SIGNATURE_NEWCTX
OP_signature_freectx OSSL_FUNC_SIGNATURE_FREECTX
OP_signature_dupctx OSSL_FUNC_SIGNATURE_DUPCTX</pre>
<pre>
OP_signature_sign_init OSSL_FUNC_SIGNATURE_SIGN_INIT
OP_signature_sign OSSL_FUNC_SIGNATURE_SIGN</pre>
<pre>
OP_signature_verify_init OSSL_FUNC_SIGNATURE_VERIFY_INIT
OP_signature_verify OSSL_FUNC_SIGNATURE_VERIFY</pre>
<pre>
OP_signature_verify_recover_init OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT
OP_signature_verify_recover OSSL_FUNC_SIGNATURE_VERIFY_RECOVER</pre>
<pre>
OP_signature_get_ctx_params OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS
OP_signature_gettable_ctx_params OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS
OP_signature_set_ctx_params OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS
OP_signature_settable_ctx_params OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS</pre>
<p>A signature algorithm implementation may not implement all of these functions.
In order to be a consistent set of functions a provider must implement
OP_signature_newctx and OP_signature_freectx.
It must also implement both of OP_signature_sign_init and OP_signature_sign,
or both of OP_signature_verify_init and OP_signature_verify, or both of
OP_signature_verify_recover_init and OP_signature_verify_recover.
All other functions are optional.</p>
<p>A signature algorithm must also implement some mechanism for generating,
loading or importing keys via the key management (OSSL_OP_KEYMGMT) operation.
See <em>provider-keymgmt(7)</em> for further details.</p>
<p>
</p>
<h2><a name="context_management_functions">Context Management Functions</a></h2>
<p><code>OP_signature_newctx()</code> should create and return a pointer to a provider side
structure for holding context information during a signature operation.
A pointer to this context will be passed back in a number of the other signature
operation function calls.
The parameter <em>provctx</em> is the provider context generated during provider
initialisation (see <em>provider(7)</em>).</p>
<p><code>OP_signature_freectx()</code> is passed a pointer to the provider side signature
context in the <em>ctx</em> parameter.
This function should free any resources associated with that context.</p>
<p><code>OP_signature_dupctx()</code> should duplicate the provider side signature context in
the <em>ctx</em> parameter and return the duplicate copy.</p>
<p>
</p>
<h2><a name="signing_functions">Signing Functions</a></h2>
<p><code>OP_signature_sign_init()</code> initialises a context for signing given a provider side
signature context in the <em>ctx</em> parameter, and a pointer to a provider key object
in the <em>provkey</em> parameter.
The key object should have been previously generated, loaded or imported into
the provider using the key management (OSSL_OP_KEYMGMT) operation (see
provider-keymgmt(7)&gt;.</p>
<p><code>OP_signature_sign()</code> performs the actual signing itself.
A previously initialised signature context is passed in the <em>ctx</em>
parameter.
The data to be signed is pointed to be the <em>tbs</em> parameter which is <em>tbslen</em>
bytes long.
Unless <em>sig</em> is NULL, the signature should be written to the location pointed
to by the <em>sig</em> parameter and it should not exceed <em>sigsize</em> bytes in length.
The length of the signature should be written to <em>*siglen</em>.
If <em>sig</em> is NULL then the maximum length of the signature should be written to
<em>*siglen</em>.</p>
<p>
</p>
<h2><a name="verify_functions">Verify Functions</a></h2>
<p><code>OP_signature_verify_init()</code> initialises a context for verifying a signature given
a provider side signature context in the <em>ctx</em> parameter, and a pointer to a
provider key object in the <em>provkey</em> parameter.
The key object should have been previously generated, loaded or imported into
the provider using the key management (OSSL_OP_KEYMGMT) operation (see
provider-keymgmt(7)&gt;.</p>
<p><code>OP_signature_verify()</code> performs the actual verification itself.
A previously initialised signature context is passed in the <em>ctx</em> parameter.
The data that the signature covers is pointed to be the <em>tbs</em> parameter which
is <em>tbslen</em> bytes long.
The signature is pointed to by the <em>sig</em> parameter which is <em>siglen</em> bytes
long.</p>
<p>
</p>
<h2><a name="verify_recover_functions">Verify Recover Functions</a></h2>
<p><code>OP_signature_verify_recover_init()</code> initialises a context for recovering the
signed data given a provider side signature context in the <em>ctx</em> parameter, and
a pointer to a provider key object in the <em>provkey</em> parameter.
The key object should have been previously generated, loaded or imported into
the provider using the key management (OSSL_OP_KEYMGMT) operation (see
provider-keymgmt(7)&gt;.</p>
<p><code>OP_signature_verify_recover()</code> performs the actual verify recover itself.
A previously initialised signature context is passed in the <em>ctx</em> parameter.
The signature is pointed to by the <em>sig</em> parameter which is <em>siglen</em> bytes
long.
Unless <em>rout</em> is NULL, the recovered data should be written to the location
pointed to by <em>rout</em> which should not exceed <em>routsize</em> bytes in length.
The length of the recovered data should be written to <em>*routlen</em>.
If <em>rout</em> is NULL then the maximum size of the output buffer is written to
the <em>routlen</em> parameter.</p>
<p>
</p>
<h2><a name="signature_parameters">Signature Parameters</a></h2>
<p>See <em>OSSL_PARAM(3)</em> for further details on the parameters structure used by
the <code>OP_signature_get_ctx_params()</code> and <code>OP_signature_set_ctx_params()</code> functions.</p>
<p><code>OP_signature_get_ctx_params()</code> gets signature parameters associated with the
given provider side signature context <em>ctx</em> and stored them in <em>params</em>.
<code>OP_signature_set_ctx_params()</code> sets the signature parameters associated with the
given provider side signature context <em>ctx</em> to <em>params</em>.
Any parameter settings are additional to any that were previously set.</p>
<p>Parameters currently recognised by built-in signature algorithms are as
follows.
Not all parameters are relevant to, or are understood by all signature
algorithms:</p>
<dl>
<dt><strong><a name="digest_ossl_signature_param_digest_utf8_string" class="item">&quot;digest&quot; (<strong>OSSL_SIGNATURE_PARAM_DIGEST</strong>) &lt;UTF8 string&gt;</a></strong></dt>
<dd>
<p>Get or sets the name of the digest algorithm used for the input to the signature
functions.</p>
</dd>
<dt><strong><a name="digest_size_ossl_signature_param_digest_size_unsigned_integer" class="item">&quot;digest-size&quot; (<strong>OSSL_SIGNATURE_PARAM_DIGEST_SIZE</strong>) &lt;unsigned integer&gt;</a></strong></dt>
<dd>
<p>Gets or sets the output size of the digest algorithm used for the input to the
signature functions.
The length of the &quot;digest-size&quot; parameter should not exceed that of a <strong>size_t</strong>.</p>
</dd>
</dl>
<p><code>OP_signature_gettable_ctx_params()</code> and <code>OP_signature_settable_ctx_params()</code> get a
constant <strong>OSSL_PARAM</strong> array that describes the gettable and settable parameters,
i.e. parameters that can be used with <code>OP_signature_get_ctx_params()</code> and
<code>OP_signature_set_ctx_params()</code> respectively.
See <em>OSSL_PARAM(3)</em> for the use of <strong>OSSL_PARAM</strong> as parameter descriptor.</p>
<p>
</p>
<hr />
<h1><a name="return_values">RETURN VALUES</a></h1>
<p><code>OP_signature_newctx()</code> and <code>OP_signature_dupctx()</code> should return the newly created
provider side signature, or NULL on failure.</p>
<p>All other functions should return 1 for success or 0 on error.</p>
<p>
</p>
<hr />
<h1><a name="see_also">SEE ALSO</a></h1>
<p><em>provider(7)</em></p>
<p>
</p>
<hr />
<h1><a name="history">HISTORY</a></h1>
<p>The provider SIGNATURE interface was introduced in OpenSSL 3.0.</p>
<p>
</p>
<hr />
<h1><a name="copyright">COPYRIGHT</a></h1>
<p>Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
<a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>