[thirdparty/openssl.git] / doc / man3 / ECDSA_SIG_new.pod

=pod

=head1 NAME

ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0,
ECDSA_SIG_new, ECDSA_SIG_free, ECDSA_size, ECDSA_sign, ECDSA_do_sign,
ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup, ECDSA_sign_ex,
ECDSA_do_sign_ex - low level elliptic curve digital signature algorithm (ECDSA)
functions

=head1 SYNOPSIS

 #include <openssl/ecdsa.h>

 ECDSA_SIG *ECDSA_SIG_new(void);
 void ECDSA_SIG_free(ECDSA_SIG *sig);
 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
 const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig);
 const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig);
 int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);

Deprecated since OpenSSL 3.0, can be hidden entirely by defining
B<OPENSSL_API_COMPAT> with a suitable version value, see
L<openssl_user_macros(7)>:

 int ECDSA_size(const EC_KEY *eckey);

 int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen,
                unsigned char *sig, unsigned int *siglen, EC_KEY *eckey);
 ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dgst_len,
                          EC_KEY *eckey);

 int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen,
                  const unsigned char *sig, int siglen, EC_KEY *eckey);
 int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
                     const ECDSA_SIG *sig, EC_KEY* eckey);

 ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen,
                             const BIGNUM *kinv, const BIGNUM *rp,
                             EC_KEY *eckey);
 int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **rp);
 int ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen,
                   unsigned char *sig, unsigned int *siglen,
                   const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey);

=head1 DESCRIPTION

B<ECDSA_SIG> is an opaque structure consisting of two BIGNUMs for the
B<r> and B<s> value of an ECDSA signature (see X9.62 or FIPS 186-2).

ECDSA_SIG_new() allocates an empty B<ECDSA_SIG> structure. Note: before
OpenSSL 1.1.0 the: the B<r> and B<s> components were initialised.

ECDSA_SIG_free() frees the B<ECDSA_SIG> structure B<sig>.

ECDSA_SIG_get0() returns internal pointers the B<r> and B<s> values contained
in B<sig> and stores them in B<*pr> and B<*ps>, respectively.
The pointer B<pr> or B<ps> can be NULL, in which case the corresponding value
is not returned.

The values B<r>, B<s> can also be retrieved separately by the corresponding
function ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s(), respectively.

The B<r> and B<s> values can be set by calling ECDSA_SIG_set0() and passing the
new values for B<r> and B<s> as parameters to the function. Calling this
function transfers the memory management of the values to the ECDSA_SIG object,
and therefore the values that have been passed in should not be freed directly
after this function has been called.

See L<i2d_ECDSA_SIG(3)> and L<d2i_ECDSA_SIG(3)> for information about encoding
and decoding ECDSA signatures to/from DER.

All of the functions described below are deprecated. Applications should
use the higher level B<EVP> interface such as L<EVP_DigestSignInit(3)>
or L<EVP_DigestVerifyInit(3)> instead.

ECDSA_size() returns the maximum length of a DER encoded ECDSA signature
created with the private EC key B<eckey>. To obtain the actual signature
size use L<EVP_PKEY_sign(3)> with a NULL B<sig> parameter.

ECDSA_sign() computes a digital signature of the B<dgstlen> bytes hash value
B<dgst> using the private EC key B<eckey>. The DER encoded signatures is
stored in B<sig> and its length is returned in B<sig_len>. Note: B<sig> must
point to ECDSA_size(eckey) bytes of memory. The parameter B<type> is currently
ignored. ECDSA_sign() is wrapper function for ECDSA_sign_ex() with B<kinv>
and B<rp> set to NULL.

ECDSA_do_sign() is similar to ECDSA_sign() except the signature is returned
as a newly allocated B<ECDSA_SIG> structure (or NULL on error). ECDSA_do_sign()
is a wrapper function for ECDSA_do_sign_ex() with B<kinv> and B<rp> set to
NULL.

ECDSA_verify() verifies that the signature in B<sig> of size B<siglen> is a
valid ECDSA signature of the hash value B<dgst> of size B<dgstlen> using the
public key B<eckey>.  The parameter B<type> is ignored.

ECDSA_do_verify() is similar to ECDSA_verify() except the signature is
presented in the form of a pointer to an B<ECDSA_SIG> structure.

The remaining functions utilise the internal B<kinv> and B<r> values used
during signature computation. Most applications will never need to call these
and some external ECDSA ENGINE implementations may not support them at all if
either B<kinv> or B<r> is not B<NULL>.

ECDSA_sign_setup() may be used to precompute parts of the signing operation.
B<eckey> is the private EC key and B<ctx> is a pointer to B<BN_CTX> structure
(or NULL). The precomputed values or returned in B<kinv> and B<rp> and can be
used in a later call to ECDSA_sign_ex() or ECDSA_do_sign_ex().

ECDSA_sign_ex() computes a digital signature of the B<dgstlen> bytes hash value
B<dgst> using the private EC key B<eckey> and the optional pre-computed values
B<kinv> and B<rp>. The DER encoded signature is stored in B<sig> and its
length is returned in B<sig_len>. Note: B<sig> must point to ECDSA_size(eckey)
bytes of memory. The parameter B<type> is ignored.

ECDSA_do_sign_ex() is similar to ECDSA_sign_ex() except the signature is
returned as a newly allocated B<ECDSA_SIG> structure (or NULL on error).

=head1 RETURN VALUES

ECDSA_SIG_new() returns NULL if the allocation fails.

ECDSA_SIG_set0() returns 1 on success or 0 on failure.

ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s() return the corresponding value,
or NULL if it is unset.

ECDSA_size() returns the maximum length signature or 0 on error.

ECDSA_sign(), ECDSA_sign_ex() and ECDSA_sign_setup() return 1 if successful
or 0 on error.

ECDSA_do_sign() and ECDSA_do_sign_ex() return a pointer to an allocated
B<ECDSA_SIG> structure or NULL on error.

ECDSA_verify() and ECDSA_do_verify() return 1 for a valid
signature, 0 for an invalid signature and -1 on error.
The error codes can be obtained by L<ERR_get_error(3)>.

=head1 EXAMPLES

Creating an ECDSA signature of a given SHA-256 hash value using the
named curve prime256v1 (aka P-256).

First step: create an EC_KEY object (note: this part is B<not> ECDSA
specific)

 int ret;
 ECDSA_SIG *sig;
 EC_KEY *eckey;

 eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
 if (eckey == NULL)
     /* error */
 if (EC_KEY_generate_key(eckey) == 0)
     /* error */

Second step: compute the ECDSA signature of a SHA-256 hash value
using ECDSA_do_sign():

 sig = ECDSA_do_sign(digest, 32, eckey);
 if (sig == NULL)
     /* error */

or using ECDSA_sign():

 unsigned char *buffer, *pp;
 int buf_len;

 buf_len = ECDSA_size(eckey);
 buffer = OPENSSL_malloc(buf_len);
 pp = buffer;
 if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0)
     /* error */

Third step: verify the created ECDSA signature using ECDSA_do_verify():

 ret = ECDSA_do_verify(digest, 32, sig, eckey);

or using ECDSA_verify():

 ret = ECDSA_verify(0, digest, 32, buffer, buf_len, eckey);

and finally evaluate the return value:

 if (ret == 1)
     /* signature ok */
 else if (ret == 0)
     /* incorrect signature */
 else
     /* error */

=head1 CONFORMING TO

ANSI X9.62, US Federal Information Processing Standard FIPS 186-2
(Digital Signature Standard, DSS)

=head1 SEE ALSO

L<EC_KEY_new(3)>,
L<EVP_DigestSignInit(3)>,
L<EVP_DigestVerifyInit(3)>,
L<EVP_PKEY_sign(3)>
L<i2d_ECDSA_SIG(3)>,
L<d2i_ECDSA_SIG(3)>

=head1 HISTORY

The ECDSA_size(), ECDSA_sign(), ECDSA_do_sign(), ECDSA_verify(),
ECDSA_do_verify(), ECDSA_sign_setup(), ECDSA_sign_ex() and ECDSA_do_sign_ex()
functions were deprecated in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
5075521e GT	1	=pod
	2
	3	=head1 NAME
	4
0396401d	5	ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0,
bbda7997 MC	6	ECDSA_SIG_new, ECDSA_SIG_free, ECDSA_size, ECDSA_sign, ECDSA_do_sign,
	7	ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup, ECDSA_sign_ex,
	8	ECDSA_do_sign_ex - low level elliptic curve digital signature algorithm (ECDSA)
	9	functions
5075521e GT	10
	11	=head1 SYNOPSIS
	12
	13	#include <openssl/ecdsa.h>
	14
580b557b DSH	15	ECDSA_SIG *ECDSA_SIG_new(void);
580b557b DSH	16	void ECDSA_SIG_free(ECDSA_SIG *sig);
9267c11b	17	void ECDSA_SIG_get0(const ECDSA_SIG sig, const BIGNUM pr, const BIGNUM *ps);
0396401d DMSP	18	const BIGNUM ECDSA_SIG_get0_r(const ECDSA_SIG sig);
0396401d DMSP	19	const BIGNUM ECDSA_SIG_get0_s(const ECDSA_SIG sig);
7ca3ea22	20	int ECDSA_SIG_set0(ECDSA_SIG sig, BIGNUM r, BIGNUM *s);
579422c8 P	21
	22	Deprecated since OpenSSL 3.0, can be hidden entirely by defining
	23	B<OPENSSL_API_COMPAT> with a suitable version value, see
	24	L<openssl_user_macros(7)>:
	25
580b557b DSH	26	int ECDSA_size(const EC_KEY *eckey);
	27
	28	int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen,
	29	unsigned char sig, unsigned int siglen, EC_KEY *eckey);
	30	ECDSA_SIG ECDSA_do_sign(const unsigned char dgst, int dgst_len,
	31	EC_KEY *eckey);
	32
	33	int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen,
	34	const unsigned char sig, int siglen, EC_KEY eckey);
	35	int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
	36	const ECDSA_SIG sig, EC_KEY eckey);
	37
	38	ECDSA_SIG ECDSA_do_sign_ex(const unsigned char dgst, int dgstlen,
	39	const BIGNUM kinv, const BIGNUM rp,
	40	EC_KEY *eckey);
	41	int ECDSA_sign_setup(EC_KEY eckey, BN_CTX ctx, BIGNUM kinv, BIGNUM rp);
	42	int ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen,
	43	unsigned char sig, unsigned int siglen,
	44	const BIGNUM kinv, const BIGNUM rp, EC_KEY *eckey);
5075521e	45
5075521e GT	46	=head1 DESCRIPTION
5075521e GT	47
580b557b DSH	48	B<ECDSA_SIG> is an opaque structure consisting of two BIGNUMs for the
580b557b DSH	49	B<r> and B<s> value of an ECDSA signature (see X9.62 or FIPS 186-2).
5075521e	50
721f3980 DSH	51	ECDSA_SIG_new() allocates an empty B<ECDSA_SIG> structure. Note: before
721f3980 DSH	52	OpenSSL 1.1.0 the: the B<r> and B<s> components were initialised.
5075521e GT	53
	54	ECDSA_SIG_free() frees the B<ECDSA_SIG> structure B<sig>.
	55
580b557b	56	ECDSA_SIG_get0() returns internal pointers the B<r> and B<s> values contained
0396401d DMSP	57	in B<sig> and stores them in B<pr> and B<ps>, respectively.
	58	The pointer B<pr> or B<ps> can be NULL, in which case the corresponding value
	59	is not returned.
	60
	61	The values B<r>, B<s> can also be retrieved separately by the corresponding
	62	function ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s(), respectively.
5075521e	63
6a571a18 TS	64	The B<r> and B<s> values can be set by calling ECDSA_SIG_set0() and passing the
	65	new values for B<r> and B<s> as parameters to the function. Calling this
	66	function transfers the memory management of the values to the ECDSA_SIG object,
	67	and therefore the values that have been passed in should not be freed directly
	68	after this function has been called.
	69
bbda7997 MC	70	See L<i2d_ECDSA_SIG(3)> and L<d2i_ECDSA_SIG(3)> for information about encoding
bbda7997 MC	71	and decoding ECDSA signatures to/from DER.
5075521e	72
579422c8 P	73	All of the functions described below are deprecated. Applications should
	74	use the higher level B<EVP> interface such as L<EVP_DigestSignInit(3)>
	75	or L<EVP_DigestVerifyInit(3)> instead.
	76
580b557b	77	ECDSA_size() returns the maximum length of a DER encoded ECDSA signature
579422c8 P	78	created with the private EC key B<eckey>. To obtain the actual signature
579422c8 P	79	size use L<EVP_PKEY_sign(3)> with a NULL B<sig> parameter.
5075521e	80
580b557b DSH	81	ECDSA_sign() computes a digital signature of the B<dgstlen> bytes hash value
580b557b DSH	82	B<dgst> using the private EC key B<eckey>. The DER encoded signatures is
424baabd	83	stored in B<sig> and its length is returned in B<sig_len>. Note: B<sig> must
580b557b DSH	84	point to ECDSA_size(eckey) bytes of memory. The parameter B<type> is currently
580b557b DSH	85	ignored. ECDSA_sign() is wrapper function for ECDSA_sign_ex() with B<kinv>
b67d9889 NL	86	and B<rp> set to NULL.
b67d9889 NL	87
580b557b DSH	88	ECDSA_do_sign() is similar to ECDSA_sign() except the signature is returned
	89	as a newly allocated B<ECDSA_SIG> structure (or NULL on error). ECDSA_do_sign()
	90	is a wrapper function for ECDSA_do_sign_ex() with B<kinv> and B<rp> set to
	91	NULL.
5075521e	92
580b557b DSH	93	ECDSA_verify() verifies that the signature in B<sig> of size B<siglen> is a
	94	valid ECDSA signature of the hash value B<dgst> of size B<dgstlen> using the
	95	public key B<eckey>. The parameter B<type> is ignored.
5075521e	96
580b557b DSH	97	ECDSA_do_verify() is similar to ECDSA_verify() except the signature is
	98	presented in the form of a pointer to an B<ECDSA_SIG> structure.
	99
	100	The remaining functions utilise the internal B<kinv> and B<r> values used
	101	during signature computation. Most applications will never need to call these
	102	and some external ECDSA ENGINE implementations may not support them at all if
	103	either B<kinv> or B<r> is not B<NULL>.
b67d9889	104
580b557b DSH	105	ECDSA_sign_setup() may be used to precompute parts of the signing operation.
	106	B<eckey> is the private EC key and B<ctx> is a pointer to B<BN_CTX> structure
	107	(or NULL). The precomputed values or returned in B<kinv> and B<rp> and can be
	108	used in a later call to ECDSA_sign_ex() or ECDSA_do_sign_ex().
5075521e	109
580b557b DSH	110	ECDSA_sign_ex() computes a digital signature of the B<dgstlen> bytes hash value
580b557b DSH	111	B<dgst> using the private EC key B<eckey> and the optional pre-computed values
424baabd	112	B<kinv> and B<rp>. The DER encoded signature is stored in B<sig> and its
580b557b DSH	113	length is returned in B<sig_len>. Note: B<sig> must point to ECDSA_size(eckey)
	114	bytes of memory. The parameter B<type> is ignored.
	115
	116	ECDSA_do_sign_ex() is similar to ECDSA_sign_ex() except the signature is
	117	returned as a newly allocated B<ECDSA_SIG> structure (or NULL on error).
5075521e GT	118
	119	=head1 RETURN VALUES
	120
6da34cfb KG	121	ECDSA_SIG_new() returns NULL if the allocation fails.
6da34cfb KG	122
6a571a18 TS	123	ECDSA_SIG_set0() returns 1 on success or 0 on failure.
6a571a18 TS	124
0396401d DMSP	125	ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s() return the corresponding value,
	126	or NULL if it is unset.
	127
5075521e GT	128	ECDSA_size() returns the maximum length signature or 0 on error.
5075521e GT	129
580b557b DSH	130	ECDSA_sign(), ECDSA_sign_ex() and ECDSA_sign_setup() return 1 if successful
	131	or 0 on error.
	132
	133	ECDSA_do_sign() and ECDSA_do_sign_ex() return a pointer to an allocated
	134	B<ECDSA_SIG> structure or NULL on error.
5075521e GT	135
	136	ECDSA_verify() and ECDSA_do_verify() return 1 for a valid
	137	signature, 0 for an invalid signature and -1 on error.
9b86974e	138	The error codes can be obtained by L<ERR_get_error(3)>.
5075521e GT	139
	140	=head1 EXAMPLES
	141
580b557b DSH	142	Creating an ECDSA signature of a given SHA-256 hash value using the
580b557b DSH	143	named curve prime256v1 (aka P-256).
5075521e	144
b9b6a7e5	145	First step: create an EC_KEY object (note: this part is B<not> ECDSA
5075521e GT	146	specific)
5075521e GT	147
2947af32	148	int ret;
5075521e	149	ECDSA_SIG *sig;
2947af32	150	EC_KEY *eckey;
e9b77246	151
580b557b	152	eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
2947af32 BB	153	if (eckey == NULL)
	154	/* error */
	155	if (EC_KEY_generate_key(eckey) == 0)
	156	/* error */
580b557b DSH	157
	158	Second step: compute the ECDSA signature of a SHA-256 hash value
	159	using ECDSA_do_sign():
	160
	161	sig = ECDSA_do_sign(digest, 32, eckey);
2947af32 BB	162	if (sig == NULL)
2947af32 BB	163	/* error */
580b557b DSH	164
580b557b DSH	165	or using ECDSA_sign():
5075521e GT	166
5075521e GT	167	unsigned char buffer, pp;
2947af32	168	int buf_len;
e9b77246	169
5075521e	170	buf_len = ECDSA_size(eckey);
2947af32	171	buffer = OPENSSL_malloc(buf_len);
5075521e	172	pp = buffer;
2947af32 BB	173	if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0)
2947af32 BB	174	/* error */
5075521e	175
580b557b	176	Third step: verify the created ECDSA signature using ECDSA_do_verify():
5075521e	177
580b557b	178	ret = ECDSA_do_verify(digest, 32, sig, eckey);
5075521e	179
580b557b	180	or using ECDSA_verify():
5075521e	181
580b557b	182	ret = ECDSA_verify(0, digest, 32, buffer, buf_len, eckey);
5075521e GT	183
	184	and finally evaluate the return value:
	185
2947af32 BB	186	if (ret == 1)
	187	/* signature ok */
	188	else if (ret == 0)
	189	/* incorrect signature */
	190	else
	191	/* error */
5075521e GT	192
	193	=head1 CONFORMING TO
	194
	195	ANSI X9.62, US Federal Information Processing Standard FIPS 186-2
	196	(Digital Signature Standard, DSS)
	197
	198	=head1 SEE ALSO
	199
87930507	200	L<EC_KEY_new(3)>,
580b557b	201	L<EVP_DigestSignInit(3)>,
bbda7997	202	L<EVP_DigestVerifyInit(3)>,
579422c8	203	L<EVP_PKEY_sign(3)>
bbda7997 MC	204	L<i2d_ECDSA_SIG(3)>,
bbda7997 MC	205	L<d2i_ECDSA_SIG(3)>
5075521e	206
579422c8 P	207	=head1 HISTORY
	208
	209	The ECDSA_size(), ECDSA_sign(), ECDSA_do_sign(), ECDSA_verify(),
	210	ECDSA_do_verify(), ECDSA_sign_setup(), ECDSA_sign_ex() and ECDSA_do_sign_ex()
	211	functions were deprecated in OpenSSL 3.0.
	212
e2f92610 RS	213	=head1 COPYRIGHT
e2f92610 RS	214
83cf7abf	215	Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
e2f92610	216
4746f25a	217	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	218	this file except in compliance with the License. You can obtain a copy
	219	in the file LICENSE in the source distribution or at
	220	L<https://www.openssl.org/source/license.html>.
	221
	222	=cut