| yuezonghe | 824eb0c | 2024-06-27 02:32:26 -0700 | [diff] [blame] | 1 | =pod |
| 2 | |
| 3 | =head1 NAME |
| 4 | |
| 5 | EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal, |
| 6 | EVP_DigestVerify - EVP signature verification functions |
| 7 | |
| 8 | =head1 SYNOPSIS |
| 9 | |
| 10 | #include <openssl/evp.h> |
| 11 | |
| 12 | int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, |
| 13 | const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); |
| 14 | int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); |
| 15 | int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, |
| 16 | size_t siglen); |
| 17 | int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, |
| 18 | size_t siglen, const unsigned char *tbs, size_t tbslen); |
| 19 | |
| 20 | =head1 DESCRIPTION |
| 21 | |
| 22 | The EVP signature routines are a high-level interface to digital signatures. |
| 23 | |
| 24 | EVP_DigestVerifyInit() sets up verification context B<ctx> to use digest |
| 25 | B<type> from ENGINE B<e> and public key B<pkey>. B<ctx> must be created |
| 26 | with EVP_MD_CTX_new() before calling this function. If B<pctx> is not NULL, the |
| 27 | EVP_PKEY_CTX of the verification operation will be written to B<*pctx>: this |
| 28 | can be used to set alternative verification options. Note that any existing |
| 29 | value in B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be freed |
| 30 | directly by the application if B<ctx> is not assigned an EVP_PKEY_CTX value before |
| 31 | being passed to EVP_DigestVerifyInit() (which means the EVP_PKEY_CTX is created |
| 32 | inside EVP_DigestVerifyInit() and it will be freed automatically when the |
| 33 | EVP_MD_CTX is freed). |
| 34 | |
| 35 | No B<EVP_PKEY_CTX> will be created by EVP_DigestSignInit() if the passed B<ctx> |
| 36 | has already been assigned one via L<EVP_MD_CTX_set_pkey_ctx(3)>. See also L<SM2(7)>. |
| 37 | |
| 38 | EVP_DigestVerifyUpdate() hashes B<cnt> bytes of data at B<d> into the |
| 39 | verification context B<ctx>. This function can be called several times on the |
| 40 | same B<ctx> to include additional data. This function is currently implemented |
| 41 | using a macro. |
| 42 | |
| 43 | EVP_DigestVerifyFinal() verifies the data in B<ctx> against the signature in |
| 44 | B<sig> of length B<siglen>. |
| 45 | |
| 46 | EVP_DigestVerify() verifies B<tbslen> bytes at B<tbs> against the signature |
| 47 | in B<sig> of length B<siglen>. |
| 48 | |
| 49 | =head1 RETURN VALUES |
| 50 | |
| 51 | EVP_DigestVerifyInit() and EVP_DigestVerifyUpdate() return 1 for success and 0 |
| 52 | for failure. |
| 53 | |
| 54 | EVP_DigestVerifyFinal() and EVP_DigestVerify() return 1 for success; any other |
| 55 | value indicates failure. A return value of zero indicates that the signature |
| 56 | did not verify successfully (that is, B<tbs> did not match the original data or |
| 57 | the signature had an invalid form), while other values indicate a more serious |
| 58 | error (and sometimes also indicate an invalid signature form). |
| 59 | |
| 60 | The error codes can be obtained from L<ERR_get_error(3)>. |
| 61 | |
| 62 | =head1 NOTES |
| 63 | |
| 64 | The B<EVP> interface to digital signatures should almost always be used in |
| 65 | preference to the low-level interfaces. This is because the code then becomes |
| 66 | transparent to the algorithm used and much more flexible. |
| 67 | |
| 68 | EVP_DigestVerify() is a one shot operation which verifies a single block of |
| 69 | data in one function. For algorithms that support streaming it is equivalent |
| 70 | to calling EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal(). For |
| 71 | algorithms which do not support streaming (e.g. PureEdDSA) it is the only way |
| 72 | to verify data. |
| 73 | |
| 74 | In previous versions of OpenSSL there was a link between message digest types |
| 75 | and public key algorithms. This meant that "clone" digests such as EVP_dss1() |
| 76 | needed to be used to sign using SHA1 and DSA. This is no longer necessary and |
| 77 | the use of clone digest is now discouraged. |
| 78 | |
| 79 | For some key types and parameters the random number generator must be seeded. |
| 80 | If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to |
| 81 | external circumstances (see L<RAND(7)>), the operation will fail. |
| 82 | |
| 83 | The call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest |
| 84 | context. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can |
| 85 | be called later to digest and verify additional data. |
| 86 | |
| 87 | Since only a copy of the digest context is ever finalized, the context must |
| 88 | be cleaned up after use by calling EVP_MD_CTX_free() or a memory leak |
| 89 | will occur. |
| 90 | |
| 91 | =head1 SEE ALSO |
| 92 | |
| 93 | L<EVP_DigestSignInit(3)>, |
| 94 | L<EVP_DigestInit(3)>, |
| 95 | L<evp(7)>, L<HMAC(3)>, L<MD2(3)>, |
| 96 | L<MD5(3)>, L<MDC2(3)>, L<RIPEMD160(3)>, |
| 97 | L<SHA1(3)>, L<dgst(1)>, |
| 98 | L<RAND(7)> |
| 99 | |
| 100 | =head1 HISTORY |
| 101 | |
| 102 | EVP_DigestVerifyInit(), EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal() |
| 103 | were added in OpenSSL 1.0.0. |
| 104 | |
| 105 | =head1 COPYRIGHT |
| 106 | |
| 107 | Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. |
| 108 | |
| 109 | Licensed under the OpenSSL license (the "License"). You may not use |
| 110 | this file except in compliance with the License. You can obtain a copy |
| 111 | in the file LICENSE in the source distribution or at |
| 112 | L<https://www.openssl.org/source/license.html>. |
| 113 | |
| 114 | =cut |