[thirdparty/openssl.git] / doc / man3 / ECDSA_SIG_new.pod

=pod

=head1 NAME

ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0,
ECDSA_SIG_new, ECDSA_SIG_free, ECDSA_size, ECDSA_sign, ECDSA_do_sign,
ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup, ECDSA_sign_ex,
ECDSA_do_sign_ex - low-level elliptic curve digital signature algorithm (ECDSA)
functions

=head1 SYNOPSIS

 #include <openssl/ecdsa.h>

 ECDSA_SIG *ECDSA_SIG_new(void);
 void ECDSA_SIG_free(ECDSA_SIG *sig);
 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
 const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig);
 const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig);
 int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);

The following functions have been deprecated since OpenSSL 3.0, and can be
hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
see L<openssl_user_macros(7)>:

 int ECDSA_size(const EC_KEY *eckey);

 int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen,
                unsigned char *sig, unsigned int *siglen, EC_KEY *eckey);
 ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dgst_len,
                          EC_KEY *eckey);

 int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen,
                  const unsigned char *sig, int siglen, EC_KEY *eckey);
 int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
                     const ECDSA_SIG *sig, EC_KEY* eckey);

 ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen,
                             const BIGNUM *kinv, const BIGNUM *rp,
                             EC_KEY *eckey);
 int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **rp);
 int ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen,
                   unsigned char *sig, unsigned int *siglen,
                   const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey);

=head1 DESCRIPTION

B<ECDSA_SIG> is an opaque structure consisting of two BIGNUMs for the
I<r> and I<s> value of an ECDSA signature (see X9.62 or FIPS 186-2).

ECDSA_SIG_new() allocates an empty B<ECDSA_SIG> structure. Note: before
OpenSSL 1.1.0 the: the I<r> and I<s> components were initialised.

ECDSA_SIG_free() frees the B<ECDSA_SIG> structure I<sig>.

ECDSA_SIG_get0() returns internal pointers the I<r> and I<s> values contained
in I<sig> and stores them in I<*pr> and I<*ps>, respectively.
The pointer I<pr> or I<ps> can be NULL, in which case the corresponding value
is not returned.

The values I<r>, I<s> can also be retrieved separately by the corresponding
function ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s(), respectively.

Non-NULL I<r> and I<s> values can be set on the I<sig> by calling
ECDSA_SIG_set0(). Calling this function transfers the memory management of the
values to the B<ECDSA_SIG> object, and therefore the values that have been
passed in should not be freed by the caller.

See L<i2d_ECDSA_SIG(3)> and L<d2i_ECDSA_SIG(3)> for information about encoding
and decoding ECDSA signatures to/from DER.

All of the functions described below are deprecated. Applications should
use the higher level B<EVP> interface such as L<EVP_DigestSignInit(3)>
or L<EVP_DigestVerifyInit(3)> instead.

ECDSA_size() returns the maximum length of a DER encoded ECDSA signature
created with the private EC key I<eckey>. To obtain the actual signature
size use L<EVP_PKEY_sign(3)> with a NULL I<sig> parameter.

ECDSA_sign() computes a digital signature of the I<dgstlen> bytes hash value
I<dgst> using the private EC key I<eckey>. The DER encoded signatures is
stored in I<sig> and its length is returned in I<sig_len>. Note: I<sig> must
point to ECDSA_size(eckey) bytes of memory. The parameter I<type> is currently
ignored. ECDSA_sign() is wrapper function for ECDSA_sign_ex() with I<kinv>
and I<rp> set to NULL.

ECDSA_do_sign() is similar to ECDSA_sign() except the signature is returned
as a newly allocated B<ECDSA_SIG> structure (or NULL on error). ECDSA_do_sign()
is a wrapper function for ECDSA_do_sign_ex() with I<kinv> and I<rp> set to
NULL.

ECDSA_verify() verifies that the signature in I<sig> of size I<siglen> is a
valid ECDSA signature of the hash value I<dgst> of size I<dgstlen> using the
public key I<eckey>.  The parameter I<type> is ignored.

ECDSA_do_verify() is similar to ECDSA_verify() except the signature is
presented in the form of a pointer to an B<ECDSA_SIG> structure.

The remaining functions utilise the internal I<kinv> and I<r> values used
during signature computation. Most applications will never need to call these
and some external ECDSA ENGINE implementations may not support them at all if
either I<kinv> or I<r> is not NULL.

ECDSA_sign_setup() may be used to precompute parts of the signing operation.
I<eckey> is the private EC key and I<ctx> is a pointer to B<BN_CTX> structure
(or NULL). The precomputed values or returned in I<kinv> and I<rp> and can be
used in a later call to ECDSA_sign_ex() or ECDSA_do_sign_ex().

ECDSA_sign_ex() computes a digital signature of the I<dgstlen> bytes hash value
I<dgst> using the private EC key I<eckey> and the optional pre-computed values
I<kinv> and I<rp>. The DER encoded signature is stored in I<sig> and its
length is returned in I<sig_len>. Note: I<sig> must point to ECDSA_size(eckey)
bytes of memory. The parameter I<type> is ignored.

ECDSA_do_sign_ex() is similar to ECDSA_sign_ex() except the signature is
returned as a newly allocated B<ECDSA_SIG> structure (or NULL on error).

=head1 RETURN VALUES

ECDSA_SIG_new() returns NULL if the allocation fails.

ECDSA_SIG_set0() returns 1 on success or 0 on failure.

ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s() return the corresponding value,
or NULL if it is unset.

ECDSA_size() returns the maximum length signature or 0 on error.

ECDSA_sign(), ECDSA_sign_ex() and ECDSA_sign_setup() return 1 if successful
or 0 on error.

ECDSA_do_sign() and ECDSA_do_sign_ex() return a pointer to an allocated
B<ECDSA_SIG> structure or NULL on error.

ECDSA_verify() and ECDSA_do_verify() return 1 for a valid
signature, 0 for an invalid signature and -1 on error.
The error codes can be obtained by L<ERR_get_error(3)>.

=head1 EXAMPLES

Creating an ECDSA signature of a given SHA-256 hash value using the
named curve prime256v1 (aka P-256).

First step: create an EC_KEY object (note: this part is B<not> ECDSA
specific)

 int ret;
 ECDSA_SIG *sig;
 EC_KEY *eckey;

 eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
 if (eckey == NULL)
     /* error */
 if (EC_KEY_generate_key(eckey) == 0)
     /* error */

Second step: compute the ECDSA signature of a SHA-256 hash value
using ECDSA_do_sign():

 sig = ECDSA_do_sign(digest, 32, eckey);
 if (sig == NULL)
     /* error */

or using ECDSA_sign():

 unsigned char *buffer, *pp;
 int buf_len;

 buf_len = ECDSA_size(eckey);
 buffer = OPENSSL_malloc(buf_len);
 pp = buffer;
 if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0)
     /* error */

Third step: verify the created ECDSA signature using ECDSA_do_verify():

 ret = ECDSA_do_verify(digest, 32, sig, eckey);

or using ECDSA_verify():

 ret = ECDSA_verify(0, digest, 32, buffer, buf_len, eckey);

and finally evaluate the return value:

 if (ret == 1)
     /* signature ok */
 else if (ret == 0)
     /* incorrect signature */
 else
     /* error */

=head1 CONFORMING TO

ANSI X9.62, US Federal Information Processing Standard FIPS 186-2
(Digital Signature Standard, DSS)

=head1 SEE ALSO

L<EC_KEY_new(3)>,
L<EVP_DigestSignInit(3)>,
L<EVP_DigestVerifyInit(3)>,
L<EVP_PKEY_sign(3)>
L<i2d_ECDSA_SIG(3)>,
L<d2i_ECDSA_SIG(3)>

=head1 HISTORY

The ECDSA_size(), ECDSA_sign(), ECDSA_do_sign(), ECDSA_verify(),
ECDSA_do_verify(), ECDSA_sign_setup(), ECDSA_sign_ex() and ECDSA_do_sign_ex()
functions were deprecated in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
5075521e GT	1	=pod
	2
	3	=head1 NAME
	4
0396401d	5	ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0,
bbda7997 MC	6	ECDSA_SIG_new, ECDSA_SIG_free, ECDSA_size, ECDSA_sign, ECDSA_do_sign,
bbda7997 MC	7	ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup, ECDSA_sign_ex,
8c1cbc72	8	ECDSA_do_sign_ex - low-level elliptic curve digital signature algorithm (ECDSA)
bbda7997	9	functions
5075521e GT	10
	11	=head1 SYNOPSIS
	12
	13	#include <openssl/ecdsa.h>
	14
580b557b DSH	15	ECDSA_SIG *ECDSA_SIG_new(void);
580b557b DSH	16	void ECDSA_SIG_free(ECDSA_SIG *sig);
9267c11b	17	void ECDSA_SIG_get0(const ECDSA_SIG sig, const BIGNUM pr, const BIGNUM *ps);
0396401d DMSP	18	const BIGNUM ECDSA_SIG_get0_r(const ECDSA_SIG sig);
0396401d DMSP	19	const BIGNUM ECDSA_SIG_get0_s(const ECDSA_SIG sig);
7ca3ea22	20	int ECDSA_SIG_set0(ECDSA_SIG sig, BIGNUM r, BIGNUM *s);
579422c8	21
3dbf8243 MC	22	The following functions have been deprecated since OpenSSL 3.0, and can be
	23	hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
	24	see L<openssl_user_macros(7)>:
579422c8	25
580b557b DSH	26	int ECDSA_size(const EC_KEY *eckey);
	27
	28	int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen,
	29	unsigned char sig, unsigned int siglen, EC_KEY *eckey);
	30	ECDSA_SIG ECDSA_do_sign(const unsigned char dgst, int dgst_len,
	31	EC_KEY *eckey);
	32
	33	int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen,
	34	const unsigned char sig, int siglen, EC_KEY eckey);
	35	int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
	36	const ECDSA_SIG sig, EC_KEY eckey);
	37
	38	ECDSA_SIG ECDSA_do_sign_ex(const unsigned char dgst, int dgstlen,
	39	const BIGNUM kinv, const BIGNUM rp,
	40	EC_KEY *eckey);
	41	int ECDSA_sign_setup(EC_KEY eckey, BN_CTX ctx, BIGNUM kinv, BIGNUM rp);
	42	int ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen,
	43	unsigned char sig, unsigned int siglen,
	44	const BIGNUM kinv, const BIGNUM rp, EC_KEY *eckey);
5075521e	45
5075521e GT	46	=head1 DESCRIPTION
5075521e GT	47
580b557b	48	B<ECDSA_SIG> is an opaque structure consisting of two BIGNUMs for the
a7e62fbd	49	I<r> and I<s> value of an ECDSA signature (see X9.62 or FIPS 186-2).
5075521e	50
721f3980	51	ECDSA_SIG_new() allocates an empty B<ECDSA_SIG> structure. Note: before
a7e62fbd	52	OpenSSL 1.1.0 the: the I<r> and I<s> components were initialised.
5075521e	53
a7e62fbd	54	ECDSA_SIG_free() frees the B<ECDSA_SIG> structure I<sig>.
5075521e	55
a7e62fbd TM	56	ECDSA_SIG_get0() returns internal pointers the I<r> and I<s> values contained
	57	in I<sig> and stores them in I<pr> and I<ps>, respectively.
	58	The pointer I<pr> or I<ps> can be NULL, in which case the corresponding value
0396401d DMSP	59	is not returned.
0396401d DMSP	60
a7e62fbd	61	The values I<r>, I<s> can also be retrieved separately by the corresponding
0396401d	62	function ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s(), respectively.
5075521e	63
a7e62fbd TM	64	Non-NULL I<r> and I<s> values can be set on the I<sig> by calling
	65	ECDSA_SIG_set0(). Calling this function transfers the memory management of the
	66	values to the B<ECDSA_SIG> object, and therefore the values that have been
	67	passed in should not be freed by the caller.
6a571a18	68
bbda7997 MC	69	See L<i2d_ECDSA_SIG(3)> and L<d2i_ECDSA_SIG(3)> for information about encoding
bbda7997 MC	70	and decoding ECDSA signatures to/from DER.
5075521e	71
579422c8 P	72	All of the functions described below are deprecated. Applications should
	73	use the higher level B<EVP> interface such as L<EVP_DigestSignInit(3)>
	74	or L<EVP_DigestVerifyInit(3)> instead.
	75
580b557b	76	ECDSA_size() returns the maximum length of a DER encoded ECDSA signature
a7e62fbd TM	77	created with the private EC key I<eckey>. To obtain the actual signature
a7e62fbd TM	78	size use L<EVP_PKEY_sign(3)> with a NULL I<sig> parameter.
5075521e	79
a7e62fbd TM	80	ECDSA_sign() computes a digital signature of the I<dgstlen> bytes hash value
	81	I<dgst> using the private EC key I<eckey>. The DER encoded signatures is
	82	stored in I<sig> and its length is returned in I<sig_len>. Note: I<sig> must
	83	point to ECDSA_size(eckey) bytes of memory. The parameter I<type> is currently
	84	ignored. ECDSA_sign() is wrapper function for ECDSA_sign_ex() with I<kinv>
	85	and I<rp> set to NULL.
b67d9889	86
580b557b DSH	87	ECDSA_do_sign() is similar to ECDSA_sign() except the signature is returned
580b557b DSH	88	as a newly allocated B<ECDSA_SIG> structure (or NULL on error). ECDSA_do_sign()
a7e62fbd	89	is a wrapper function for ECDSA_do_sign_ex() with I<kinv> and I<rp> set to
580b557b	90	NULL.
5075521e	91
a7e62fbd TM	92	ECDSA_verify() verifies that the signature in I<sig> of size I<siglen> is a
	93	valid ECDSA signature of the hash value I<dgst> of size I<dgstlen> using the
	94	public key I<eckey>. The parameter I<type> is ignored.
5075521e	95
580b557b DSH	96	ECDSA_do_verify() is similar to ECDSA_verify() except the signature is
	97	presented in the form of a pointer to an B<ECDSA_SIG> structure.
	98
a7e62fbd	99	The remaining functions utilise the internal I<kinv> and I<r> values used
580b557b DSH	100	during signature computation. Most applications will never need to call these
580b557b DSH	101	and some external ECDSA ENGINE implementations may not support them at all if
a7e62fbd	102	either I<kinv> or I<r> is not NULL.
b67d9889	103
580b557b	104	ECDSA_sign_setup() may be used to precompute parts of the signing operation.
a7e62fbd TM	105	I<eckey> is the private EC key and I<ctx> is a pointer to B<BN_CTX> structure
a7e62fbd TM	106	(or NULL). The precomputed values or returned in I<kinv> and I<rp> and can be
580b557b	107	used in a later call to ECDSA_sign_ex() or ECDSA_do_sign_ex().
5075521e	108
a7e62fbd TM	109	ECDSA_sign_ex() computes a digital signature of the I<dgstlen> bytes hash value
	110	I<dgst> using the private EC key I<eckey> and the optional pre-computed values
	111	I<kinv> and I<rp>. The DER encoded signature is stored in I<sig> and its
	112	length is returned in I<sig_len>. Note: I<sig> must point to ECDSA_size(eckey)
	113	bytes of memory. The parameter I<type> is ignored.
580b557b DSH	114
	115	ECDSA_do_sign_ex() is similar to ECDSA_sign_ex() except the signature is
	116	returned as a newly allocated B<ECDSA_SIG> structure (or NULL on error).
5075521e GT	117
	118	=head1 RETURN VALUES
	119
6da34cfb KG	120	ECDSA_SIG_new() returns NULL if the allocation fails.
6da34cfb KG	121
6a571a18 TS	122	ECDSA_SIG_set0() returns 1 on success or 0 on failure.
6a571a18 TS	123
0396401d DMSP	124	ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s() return the corresponding value,
	125	or NULL if it is unset.
	126
5075521e GT	127	ECDSA_size() returns the maximum length signature or 0 on error.
5075521e GT	128
580b557b DSH	129	ECDSA_sign(), ECDSA_sign_ex() and ECDSA_sign_setup() return 1 if successful
	130	or 0 on error.
	131
	132	ECDSA_do_sign() and ECDSA_do_sign_ex() return a pointer to an allocated
	133	B<ECDSA_SIG> structure or NULL on error.
5075521e GT	134
	135	ECDSA_verify() and ECDSA_do_verify() return 1 for a valid
	136	signature, 0 for an invalid signature and -1 on error.
9b86974e	137	The error codes can be obtained by L<ERR_get_error(3)>.
5075521e GT	138
	139	=head1 EXAMPLES
	140
580b557b DSH	141	Creating an ECDSA signature of a given SHA-256 hash value using the
580b557b DSH	142	named curve prime256v1 (aka P-256).
5075521e	143
b9b6a7e5	144	First step: create an EC_KEY object (note: this part is B<not> ECDSA
5075521e GT	145	specific)
5075521e GT	146
2947af32	147	int ret;
5075521e	148	ECDSA_SIG *sig;
2947af32	149	EC_KEY *eckey;
e9b77246	150
580b557b	151	eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
2947af32 BB	152	if (eckey == NULL)
	153	/* error */
	154	if (EC_KEY_generate_key(eckey) == 0)
	155	/* error */
580b557b DSH	156
	157	Second step: compute the ECDSA signature of a SHA-256 hash value
	158	using ECDSA_do_sign():
	159
	160	sig = ECDSA_do_sign(digest, 32, eckey);
2947af32 BB	161	if (sig == NULL)
2947af32 BB	162	/* error */
580b557b DSH	163
580b557b DSH	164	or using ECDSA_sign():
5075521e GT	165
5075521e GT	166	unsigned char buffer, pp;
2947af32	167	int buf_len;
e9b77246	168
5075521e	169	buf_len = ECDSA_size(eckey);
2947af32	170	buffer = OPENSSL_malloc(buf_len);
5075521e	171	pp = buffer;
2947af32 BB	172	if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0)
2947af32 BB	173	/* error */
5075521e	174
580b557b	175	Third step: verify the created ECDSA signature using ECDSA_do_verify():
5075521e	176
580b557b	177	ret = ECDSA_do_verify(digest, 32, sig, eckey);
5075521e	178
580b557b	179	or using ECDSA_verify():
5075521e	180
580b557b	181	ret = ECDSA_verify(0, digest, 32, buffer, buf_len, eckey);
5075521e GT	182
	183	and finally evaluate the return value:
	184
2947af32 BB	185	if (ret == 1)
	186	/* signature ok */
	187	else if (ret == 0)
	188	/* incorrect signature */
	189	else
	190	/* error */
5075521e GT	191
	192	=head1 CONFORMING TO
	193
	194	ANSI X9.62, US Federal Information Processing Standard FIPS 186-2
	195	(Digital Signature Standard, DSS)
	196
	197	=head1 SEE ALSO
	198
87930507	199	L<EC_KEY_new(3)>,
580b557b	200	L<EVP_DigestSignInit(3)>,
bbda7997	201	L<EVP_DigestVerifyInit(3)>,
579422c8	202	L<EVP_PKEY_sign(3)>
bbda7997 MC	203	L<i2d_ECDSA_SIG(3)>,
bbda7997 MC	204	L<d2i_ECDSA_SIG(3)>
5075521e	205
579422c8 P	206	=head1 HISTORY
	207
	208	The ECDSA_size(), ECDSA_sign(), ECDSA_do_sign(), ECDSA_verify(),
	209	ECDSA_do_verify(), ECDSA_sign_setup(), ECDSA_sign_ex() and ECDSA_do_sign_ex()
	210	functions were deprecated in OpenSSL 3.0.
	211
e2f92610 RS	212	=head1 COPYRIGHT
e2f92610 RS	213
54b40531	214	Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
e2f92610	215
4746f25a	216	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	217	this file except in compliance with the License. You can obtain a copy
	218	in the file LICENSE in the source distribution or at
	219	L<https://www.openssl.org/source/license.html>.
	220
	221	=cut