[thirdparty/openssl.git] / doc / man3 / ECDSA_SIG_new.pod

=pod

=head1 NAME

ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0,
ECDSA_SIG_new, ECDSA_SIG_free, i2d_ECDSA_SIG, d2i_ECDSA_SIG, ECDSA_size,
ECDSA_sign, ECDSA_do_sign, ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup,
ECDSA_sign_ex, ECDSA_do_sign_ex - low level elliptic curve digital signature
algorithm (ECDSA) functions

=head1 SYNOPSIS

 #include <openssl/ecdsa.h>

 ECDSA_SIG *ECDSA_SIG_new(void);
 void ECDSA_SIG_free(ECDSA_SIG *sig);
 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
 const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig);
 const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig);
 int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
 int i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp);
 ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **sig, const unsigned char **pp, long len);
 int ECDSA_size(const EC_KEY *eckey);

 int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen,
                unsigned char *sig, unsigned int *siglen, EC_KEY *eckey);
 ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dgst_len,
                          EC_KEY *eckey);

 int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen,
                  const unsigned char *sig, int siglen, EC_KEY *eckey);
 int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
                     const ECDSA_SIG *sig, EC_KEY* eckey);

 ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen,
                             const BIGNUM *kinv, const BIGNUM *rp,
                             EC_KEY *eckey);
 int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **rp);
 int ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen,
                   unsigned char *sig, unsigned int *siglen,
                   const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey);

=head1 DESCRIPTION

Note: these functions provide a low level interface to ECDSA. Most
applications should use the higher level B<EVP> interface such as
L<EVP_DigestSignInit(3)> or L<EVP_DigestVerifyInit(3)> instead.

B<ECDSA_SIG> is an opaque structure consisting of two BIGNUMs for the
B<r> and B<s> value of an ECDSA signature (see X9.62 or FIPS 186-2).

ECDSA_SIG_new() allocates an empty B<ECDSA_SIG> structure. Note: before
OpenSSL 1.1.0 the: the B<r> and B<s> components were initialised.

ECDSA_SIG_free() frees the B<ECDSA_SIG> structure B<sig>.

ECDSA_SIG_get0() returns internal pointers the B<r> and B<s> values contained
in B<sig> and stores them in B<*pr> and B<*ps>, respectively.
The pointer B<pr> or B<ps> can be NULL, in which case the corresponding value
is not returned.

The values B<r>, B<s> can also be retrieved separately by the corresponding
function ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s(), respectively.

The B<r> and B<s> values can be set by calling ECDSA_SIG_set0() and passing the
new values for B<r> and B<s> as parameters to the function. Calling this
function transfers the memory management of the values to the ECDSA_SIG object,
and therefore the values that have been passed in should not be freed directly
after this function has been called.

i2d_ECDSA_SIG() creates the DER encoding of the ECDSA signature B<sig> and
writes the encoded signature to B<*pp> (note: if B<pp> is NULL i2d_ECDSA_SIG()
returns the expected length in bytes of the DER encoded signature).
i2d_ECDSA_SIG() returns the length of the DER encoded signature (or 0 on
error).

d2i_ECDSA_SIG() decodes a DER encoded ECDSA signature and returns the decoded
signature in a newly allocated B<ECDSA_SIG> structure. B<*sig> points to the
buffer containing the DER encoded signature of size B<len>.

ECDSA_size() returns the maximum length of a DER encoded ECDSA signature
created with the private EC key B<eckey>.

ECDSA_sign() computes a digital signature of the B<dgstlen> bytes hash value
B<dgst> using the private EC key B<eckey>. The DER encoded signatures is
stored in B<sig> and its length is returned in B<sig_len>. Note: B<sig> must
point to ECDSA_size(eckey) bytes of memory. The parameter B<type> is currently
ignored. ECDSA_sign() is wrapper function for ECDSA_sign_ex() with B<kinv>
and B<rp> set to NULL.

ECDSA_do_sign() is similar to ECDSA_sign() except the signature is returned
as a newly allocated B<ECDSA_SIG> structure (or NULL on error). ECDSA_do_sign()
is a wrapper function for ECDSA_do_sign_ex() with B<kinv> and B<rp> set to
NULL.

ECDSA_verify() verifies that the signature in B<sig> of size B<siglen> is a
valid ECDSA signature of the hash value B<dgst> of size B<dgstlen> using the
public key B<eckey>.  The parameter B<type> is ignored.

ECDSA_do_verify() is similar to ECDSA_verify() except the signature is
presented in the form of a pointer to an B<ECDSA_SIG> structure.

The remaining functions utilise the internal B<kinv> and B<r> values used
during signature computation. Most applications will never need to call these
and some external ECDSA ENGINE implementations may not support them at all if
either B<kinv> or B<r> is not B<NULL>.

ECDSA_sign_setup() may be used to precompute parts of the signing operation.
B<eckey> is the private EC key and B<ctx> is a pointer to B<BN_CTX> structure
(or NULL). The precomputed values or returned in B<kinv> and B<rp> and can be
used in a later call to ECDSA_sign_ex() or ECDSA_do_sign_ex().

ECDSA_sign_ex() computes a digital signature of the B<dgstlen> bytes hash value
B<dgst> using the private EC key B<eckey> and the optional pre-computed values
B<kinv> and B<rp>. The DER encoded signature is stored in B<sig> and its
length is returned in B<sig_len>. Note: B<sig> must point to ECDSA_size(eckey)
bytes of memory. The parameter B<type> is ignored.

ECDSA_do_sign_ex() is similar to ECDSA_sign_ex() except the signature is
returned as a newly allocated B<ECDSA_SIG> structure (or NULL on error).

=head1 RETURN VALUES

ECDSA_SIG_set0() returns 1 on success or 0 on failure.

ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s() return the corresponding value,
or NULL if it is unset.

ECDSA_size() returns the maximum length signature or 0 on error.

ECDSA_sign(), ECDSA_sign_ex() and ECDSA_sign_setup() return 1 if successful
or 0 on error.

ECDSA_do_sign() and ECDSA_do_sign_ex() return a pointer to an allocated
B<ECDSA_SIG> structure or NULL on error.

ECDSA_verify() and ECDSA_do_verify() return 1 for a valid
signature, 0 for an invalid signature and -1 on error.
The error codes can be obtained by L<ERR_get_error(3)>.

=head1 EXAMPLES

Creating an ECDSA signature of a given SHA-256 hash value using the
named curve prime256v1 (aka P-256).

First step: create an EC_KEY object (note: this part is B<not> ECDSA
specific)

 int ret;
 ECDSA_SIG *sig;
 EC_KEY *eckey;

 eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
 if (eckey == NULL)
     /* error */
 if (EC_KEY_generate_key(eckey) == 0)
     /* error */

Second step: compute the ECDSA signature of a SHA-256 hash value
using ECDSA_do_sign():

 sig = ECDSA_do_sign(digest, 32, eckey);
 if (sig == NULL)
     /* error */

or using ECDSA_sign():

 unsigned char *buffer, *pp;
 int buf_len;

 buf_len = ECDSA_size(eckey);
 buffer = OPENSSL_malloc(buf_len);
 pp = buffer;
 if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0)
     /* error */

Third step: verify the created ECDSA signature using ECDSA_do_verify():

 ret = ECDSA_do_verify(digest, 32, sig, eckey);

or using ECDSA_verify():

 ret = ECDSA_verify(0, digest, 32, buffer, buf_len, eckey);

and finally evaluate the return value:

 if (ret == 1)
     /* signature ok */
 else if (ret == 0)
     /* incorrect signature */
 else
     /* error */

=head1 CONFORMING TO

ANSI X9.62, US Federal Information Processing Standard FIPS 186-2
(Digital Signature Standard, DSS)

=head1 SEE ALSO

L<DSA_new(3)>,
L<EVP_DigestSignInit(3)>,
L<EVP_DigestVerifyInit(3)>

=head1 COPYRIGHT

Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
5075521e GT	1	=pod
	2
	3	=head1 NAME
	4
0396401d	5	ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0,
580b557b DSH	6	ECDSA_SIG_new, ECDSA_SIG_free, i2d_ECDSA_SIG, d2i_ECDSA_SIG, ECDSA_size,
	7	ECDSA_sign, ECDSA_do_sign, ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup,
	8	ECDSA_sign_ex, ECDSA_do_sign_ex - low level elliptic curve digital signature
bb9ad09e	9	algorithm (ECDSA) functions
5075521e GT	10
	11	=head1 SYNOPSIS
	12
	13	#include <openssl/ecdsa.h>
	14
580b557b DSH	15	ECDSA_SIG *ECDSA_SIG_new(void);
580b557b DSH	16	void ECDSA_SIG_free(ECDSA_SIG *sig);
9267c11b	17	void ECDSA_SIG_get0(const ECDSA_SIG sig, const BIGNUM pr, const BIGNUM *ps);
0396401d DMSP	18	const BIGNUM ECDSA_SIG_get0_r(const ECDSA_SIG sig);
0396401d DMSP	19	const BIGNUM ECDSA_SIG_get0_s(const ECDSA_SIG sig);
7ca3ea22	20	int ECDSA_SIG_set0(ECDSA_SIG sig, BIGNUM r, BIGNUM *s);
580b557b DSH	21	int i2d_ECDSA_SIG(const ECDSA_SIG sig, unsigned char *pp);
	22	ECDSA_SIG d2i_ECDSA_SIG(ECDSA_SIG sig, const unsigned char *pp, long len);
	23	int ECDSA_size(const EC_KEY *eckey);
	24
	25	int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen,
	26	unsigned char sig, unsigned int siglen, EC_KEY *eckey);
	27	ECDSA_SIG ECDSA_do_sign(const unsigned char dgst, int dgst_len,
	28	EC_KEY *eckey);
	29
	30	int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen,
	31	const unsigned char sig, int siglen, EC_KEY eckey);
	32	int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
	33	const ECDSA_SIG sig, EC_KEY eckey);
	34
	35	ECDSA_SIG ECDSA_do_sign_ex(const unsigned char dgst, int dgstlen,
	36	const BIGNUM kinv, const BIGNUM rp,
	37	EC_KEY *eckey);
	38	int ECDSA_sign_setup(EC_KEY eckey, BN_CTX ctx, BIGNUM kinv, BIGNUM rp);
	39	int ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen,
	40	unsigned char sig, unsigned int siglen,
	41	const BIGNUM kinv, const BIGNUM rp, EC_KEY *eckey);
5075521e	42
5075521e GT	43	=head1 DESCRIPTION
5075521e GT	44
580b557b DSH	45	Note: these functions provide a low level interface to ECDSA. Most
	46	applications should use the higher level B<EVP> interface such as
	47	L<EVP_DigestSignInit(3)> or L<EVP_DigestVerifyInit(3)> instead.
5075521e	48
580b557b DSH	49	B<ECDSA_SIG> is an opaque structure consisting of two BIGNUMs for the
580b557b DSH	50	B<r> and B<s> value of an ECDSA signature (see X9.62 or FIPS 186-2).
5075521e	51
721f3980 DSH	52	ECDSA_SIG_new() allocates an empty B<ECDSA_SIG> structure. Note: before
721f3980 DSH	53	OpenSSL 1.1.0 the: the B<r> and B<s> components were initialised.
5075521e GT	54
	55	ECDSA_SIG_free() frees the B<ECDSA_SIG> structure B<sig>.
	56
580b557b	57	ECDSA_SIG_get0() returns internal pointers the B<r> and B<s> values contained
0396401d DMSP	58	in B<sig> and stores them in B<pr> and B<ps>, respectively.
	59	The pointer B<pr> or B<ps> can be NULL, in which case the corresponding value
	60	is not returned.
	61
	62	The values B<r>, B<s> can also be retrieved separately by the corresponding
	63	function ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s(), respectively.
5075521e	64
6a571a18 TS	65	The B<r> and B<s> values can be set by calling ECDSA_SIG_set0() and passing the
	66	new values for B<r> and B<s> as parameters to the function. Calling this
	67	function transfers the memory management of the values to the ECDSA_SIG object,
	68	and therefore the values that have been passed in should not be freed directly
	69	after this function has been called.
	70
580b557b DSH	71	i2d_ECDSA_SIG() creates the DER encoding of the ECDSA signature B<sig> and
	72	writes the encoded signature to B<*pp> (note: if B<pp> is NULL i2d_ECDSA_SIG()
	73	returns the expected length in bytes of the DER encoded signature).
	74	i2d_ECDSA_SIG() returns the length of the DER encoded signature (or 0 on
	75	error).
5075521e	76
580b557b DSH	77	d2i_ECDSA_SIG() decodes a DER encoded ECDSA signature and returns the decoded
	78	signature in a newly allocated B<ECDSA_SIG> structure. B<*sig> points to the
	79	buffer containing the DER encoded signature of size B<len>.
5075521e	80
580b557b DSH	81	ECDSA_size() returns the maximum length of a DER encoded ECDSA signature
580b557b DSH	82	created with the private EC key B<eckey>.
5075521e	83
580b557b DSH	84	ECDSA_sign() computes a digital signature of the B<dgstlen> bytes hash value
580b557b DSH	85	B<dgst> using the private EC key B<eckey>. The DER encoded signatures is
424baabd	86	stored in B<sig> and its length is returned in B<sig_len>. Note: B<sig> must
580b557b DSH	87	point to ECDSA_size(eckey) bytes of memory. The parameter B<type> is currently
580b557b DSH	88	ignored. ECDSA_sign() is wrapper function for ECDSA_sign_ex() with B<kinv>
b67d9889 NL	89	and B<rp> set to NULL.
b67d9889 NL	90
580b557b DSH	91	ECDSA_do_sign() is similar to ECDSA_sign() except the signature is returned
	92	as a newly allocated B<ECDSA_SIG> structure (or NULL on error). ECDSA_do_sign()
	93	is a wrapper function for ECDSA_do_sign_ex() with B<kinv> and B<rp> set to
	94	NULL.
5075521e	95
580b557b DSH	96	ECDSA_verify() verifies that the signature in B<sig> of size B<siglen> is a
	97	valid ECDSA signature of the hash value B<dgst> of size B<dgstlen> using the
	98	public key B<eckey>. The parameter B<type> is ignored.
5075521e	99
580b557b DSH	100	ECDSA_do_verify() is similar to ECDSA_verify() except the signature is
	101	presented in the form of a pointer to an B<ECDSA_SIG> structure.
	102
	103	The remaining functions utilise the internal B<kinv> and B<r> values used
	104	during signature computation. Most applications will never need to call these
	105	and some external ECDSA ENGINE implementations may not support them at all if
	106	either B<kinv> or B<r> is not B<NULL>.
b67d9889	107
580b557b DSH	108	ECDSA_sign_setup() may be used to precompute parts of the signing operation.
	109	B<eckey> is the private EC key and B<ctx> is a pointer to B<BN_CTX> structure
	110	(or NULL). The precomputed values or returned in B<kinv> and B<rp> and can be
	111	used in a later call to ECDSA_sign_ex() or ECDSA_do_sign_ex().
5075521e	112
580b557b DSH	113	ECDSA_sign_ex() computes a digital signature of the B<dgstlen> bytes hash value
580b557b DSH	114	B<dgst> using the private EC key B<eckey> and the optional pre-computed values
424baabd	115	B<kinv> and B<rp>. The DER encoded signature is stored in B<sig> and its
580b557b DSH	116	length is returned in B<sig_len>. Note: B<sig> must point to ECDSA_size(eckey)
	117	bytes of memory. The parameter B<type> is ignored.
	118
	119	ECDSA_do_sign_ex() is similar to ECDSA_sign_ex() except the signature is
	120	returned as a newly allocated B<ECDSA_SIG> structure (or NULL on error).
5075521e GT	121
	122	=head1 RETURN VALUES
	123
6a571a18 TS	124	ECDSA_SIG_set0() returns 1 on success or 0 on failure.
6a571a18 TS	125
0396401d DMSP	126	ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s() return the corresponding value,
	127	or NULL if it is unset.
	128
5075521e GT	129	ECDSA_size() returns the maximum length signature or 0 on error.
5075521e GT	130
580b557b DSH	131	ECDSA_sign(), ECDSA_sign_ex() and ECDSA_sign_setup() return 1 if successful
	132	or 0 on error.
	133
	134	ECDSA_do_sign() and ECDSA_do_sign_ex() return a pointer to an allocated
	135	B<ECDSA_SIG> structure or NULL on error.
5075521e GT	136
	137	ECDSA_verify() and ECDSA_do_verify() return 1 for a valid
	138	signature, 0 for an invalid signature and -1 on error.
9b86974e	139	The error codes can be obtained by L<ERR_get_error(3)>.
5075521e GT	140
	141	=head1 EXAMPLES
	142
580b557b DSH	143	Creating an ECDSA signature of a given SHA-256 hash value using the
580b557b DSH	144	named curve prime256v1 (aka P-256).
5075521e	145
b9b6a7e5	146	First step: create an EC_KEY object (note: this part is B<not> ECDSA
5075521e GT	147	specific)
5075521e GT	148
2947af32	149	int ret;
5075521e	150	ECDSA_SIG *sig;
2947af32	151	EC_KEY *eckey;
e9b77246	152
580b557b	153	eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
2947af32 BB	154	if (eckey == NULL)
	155	/* error */
	156	if (EC_KEY_generate_key(eckey) == 0)
	157	/* error */
580b557b DSH	158
	159	Second step: compute the ECDSA signature of a SHA-256 hash value
	160	using ECDSA_do_sign():
	161
	162	sig = ECDSA_do_sign(digest, 32, eckey);
2947af32 BB	163	if (sig == NULL)
2947af32 BB	164	/* error */
580b557b DSH	165
580b557b DSH	166	or using ECDSA_sign():
5075521e GT	167
5075521e GT	168	unsigned char buffer, pp;
2947af32	169	int buf_len;
e9b77246	170
5075521e	171	buf_len = ECDSA_size(eckey);
2947af32	172	buffer = OPENSSL_malloc(buf_len);
5075521e	173	pp = buffer;
2947af32 BB	174	if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0)
2947af32 BB	175	/* error */
5075521e	176
580b557b	177	Third step: verify the created ECDSA signature using ECDSA_do_verify():
5075521e	178
580b557b	179	ret = ECDSA_do_verify(digest, 32, sig, eckey);
5075521e	180
580b557b	181	or using ECDSA_verify():
5075521e	182
580b557b	183	ret = ECDSA_verify(0, digest, 32, buffer, buf_len, eckey);
5075521e GT	184
	185	and finally evaluate the return value:
	186
2947af32 BB	187	if (ret == 1)
	188	/* signature ok */
	189	else if (ret == 0)
	190	/* incorrect signature */
	191	else
	192	/* error */
5075521e GT	193
	194	=head1 CONFORMING TO
	195
	196	ANSI X9.62, US Federal Information Processing Standard FIPS 186-2
	197	(Digital Signature Standard, DSS)
	198
	199	=head1 SEE ALSO
	200
b97fdb57	201	L<DSA_new(3)>,
580b557b DSH	202	L<EVP_DigestSignInit(3)>,
580b557b DSH	203	L<EVP_DigestVerifyInit(3)>
5075521e	204
e2f92610 RS	205	=head1 COPYRIGHT
	206
	207	Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
	208
	209	Licensed under the OpenSSL license (the "License"). You may not use
	210	this file except in compliance with the License. You can obtain a copy
	211	in the file LICENSE in the source distribution or at
	212	L<https://www.openssl.org/source/license.html>.
	213
	214	=cut