[thirdparty/openssl.git] / doc / man3 / EVP_DigestSignInit.pod

=pod

=head1 NAME

EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal,
EVP_DigestSign - EVP signing functions

=head1 SYNOPSIS

 #include <openssl/evp.h>

 int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
                        const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
 int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
 int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen);

 int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret,
                    size_t *siglen, const unsigned char *tbs,
                    size_t tbslen);

=head1 DESCRIPTION

The EVP signature routines are a high level interface to digital signatures.

EVP_DigestSignInit() sets up signing context B<ctx> to use digest B<type> from
ENGINE B<e> and private key B<pkey>. B<ctx> must be created with
EVP_MD_CTX_new() before calling this function. If B<pctx> is not NULL, the
EVP_PKEY_CTX of the signing operation will be written to B<*pctx>: this can
be used to set alternative signing options. Note that any existing value in
B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be freed
directly by the application if B<ctx> is not assigned an EVP_PKEY_CTX value before
being passed to EVP_DigestSignInit() (which means the EVP_PKEY_CTX is created
inside EVP_DigestSignInit() and it will be freed automatically when the
EVP_MD_CTX is freed).

The digest B<type> may be NULL if the signing algorithm supports it.

No B<EVP_PKEY_CTX> will be created by EVP_DigestSignInit() if the passed B<ctx>
has already been assigned one via L<EVP_MD_CTX_set_ctx(3)>. See also L<SM2(7)>.

Only EVP_PKEY types that support signing can be used with these functions. This
includes MAC algorithms where the MAC generation is considered as a form of
"signing". Built-in EVP_PKEY types supported by these functions are CMAC,
Poly1305, DSA, ECDSA, HMAC, RSA, SipHash, Ed25519 and Ed448.

Not all digests can be used for all key types. The following combinations apply.

=over 4

=item DSA

Supports SHA1, SHA224, SHA256, SHA384 and SHA512

=item ECDSA

Supports SHA1, SHA224, SHA256, SHA384, SHA512 and SM3

=item RSA with no padding

Supports no digests (the digest B<type> must be NULL)

=item RSA with X931 padding

Supports SHA1, SHA256, SHA384 and SHA512

=item All other RSA padding types

Support SHA1, SHA224, SHA256, SHA384, SHA512, MD5, MD5_SHA1, MD2, MD4, MDC2,
SHA3-224, SHA3-256, SHA3-384, SHA3-512

=item Ed25519 and Ed448

Support no digests (the digest B<type> must be NULL)

=item HMAC

Supports any digest

=item CMAC, Poly1305 and SipHash

Will ignore any digest provided.

=back

If RSA-PSS is used and restrictions apply then the digest must match.

EVP_DigestSignUpdate() hashes B<cnt> bytes of data at B<d> into the
signature context B<ctx>. This function can be called several times on the
same B<ctx> to include additional data. This function is currently implemented
using a macro.

EVP_DigestSignFinal() signs the data in B<ctx> and places the signature in B<sig>.
If B<sig> is B<NULL> then the maximum size of the output buffer is written to
the B<siglen> parameter. If B<sig> is not B<NULL> then before the call the
B<siglen> parameter should contain the length of the B<sig> buffer. If the
call is successful the signature is written to B<sig> and the amount of data
written to B<siglen>.

EVP_DigestSign() signs B<tbslen> bytes of data at B<tbs> and places the
signature in B<sig> and its length in B<siglen> in a similar way to
EVP_DigestSignFinal().

=head1 RETURN VALUES

EVP_DigestSignInit(), EVP_DigestSignUpdate(), EVP_DigestSignaFinal() and
EVP_DigestSign() return 1 for success and 0 or a negative value for failure. In
particular, a return value of -2 indicates the operation is not supported by the
public key algorithm.

The error codes can be obtained from L<ERR_get_error(3)>.

=head1 NOTES

The B<EVP> interface to digital signatures should almost always be used in
preference to the low level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.

EVP_DigestSign() is a one shot operation which signs a single block of data
in one function. For algorithms that support streaming it is equivalent to
calling EVP_DigestSignUpdate() and EVP_DigestSignFinal(). For algorithms which
do not support streaming (e.g. PureEdDSA) it is the only way to sign data.

In previous versions of OpenSSL there was a link between message digest types
and public key algorithms. This meant that "clone" digests such as EVP_dss1()
needed to be used to sign using SHA1 and DSA. This is no longer necessary and
the use of clone digest is now discouraged.

For some key types and parameters the random number generator must be seeded.
If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
external circumstances (see L<RAND(7)>), the operation will fail.

The call to EVP_DigestSignFinal() internally finalizes a copy of the digest
context. This means that calls to EVP_DigestSignUpdate() and
EVP_DigestSignFinal() can be called later to digest and sign additional data.

Since only a copy of the digest context is ever finalized, the context must
be cleaned up after use by calling EVP_MD_CTX_free() or a memory leak
will occur.

The use of EVP_PKEY_size() with these functions is discouraged because some
signature operations may have a signature length which depends on the
parameters set. As a result EVP_PKEY_size() would have to return a value
which indicates the maximum possible signature for any set of parameters.

=head1 SEE ALSO

L<EVP_DigestVerifyInit(3)>,
L<EVP_DigestInit(3)>,
L<evp(7)>, L<HMAC(3)>, L<MD2(3)>,
L<MD5(3)>, L<MDC2(3)>, L<RIPEMD160(3)>,
L<SHA1(3)>, L<dgst(1)>,
L<RAND(7)>

=head1 HISTORY

EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal()
were added in OpenSSL 1.0.0.

=head1 COPYRIGHT

Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
29cf84c6 DSH	1	=pod
	2
	3	=head1 NAME
	4
75394189 DSH	5	EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal,
75394189 DSH	6	EVP_DigestSign - EVP signing functions
29cf84c6 DSH	7
	8	=head1 SYNOPSIS
	9
	10	#include <openssl/evp.h>
	11
	12	int EVP_DigestSignInit(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,
1bc74519	13	const EVP_MD type, ENGINE e, EVP_PKEY *pkey);
8bdce8d1	14	int EVP_DigestSignUpdate(EVP_MD_CTX ctx, const void d, size_t cnt);
29cf84c6 DSH	15	int EVP_DigestSignFinal(EVP_MD_CTX ctx, unsigned char sig, size_t *siglen);
29cf84c6 DSH	16
75394189 DSH	17	int EVP_DigestSign(EVP_MD_CTX ctx, unsigned char sigret,
	18	size_t siglen, const unsigned char tbs,
	19	size_t tbslen);
	20
29cf84c6 DSH	21	=head1 DESCRIPTION
	22
	23	The EVP signature routines are a high level interface to digital signatures.
	24
	25	EVP_DigestSignInit() sets up signing context B<ctx> to use digest B<type> from
0c714ba2	26	ENGINE B<e> and private key B<pkey>. B<ctx> must be created with
f097e875	27	EVP_MD_CTX_new() before calling this function. If B<pctx> is not NULL, the
29cf84c6	28	EVP_PKEY_CTX of the signing operation will be written to B<*pctx>: this can
f097e875 MC	29	be used to set alternative signing options. Note that any existing value in
f097e875 MC	30	B<*pctx> is overwritten. The EVP_PKEY_CTX value returned must not be freed
675f4cee PY	31	directly by the application if B<ctx> is not assigned an EVP_PKEY_CTX value before
	32	being passed to EVP_DigestSignInit() (which means the EVP_PKEY_CTX is created
	33	inside EVP_DigestSignInit() and it will be freed automatically when the
	34	EVP_MD_CTX is freed).
	35
	36	The digest B<type> may be NULL if the signing algorithm supports it.
	37
c2969ff6	38	No B<EVP_PKEY_CTX> will be created by EVP_DigestSignInit() if the passed B<ctx>
675f4cee	39	has already been assigned one via L<EVP_MD_CTX_set_ctx(3)>. See also L<SM2(7)>.
be93b0e8 MC	40
	41	Only EVP_PKEY types that support signing can be used with these functions. This
	42	includes MAC algorithms where the MAC generation is considered as a form of
fa332bba	43	"signing". Built-in EVP_PKEY types supported by these functions are CMAC,
c6378913	44	Poly1305, DSA, ECDSA, HMAC, RSA, SipHash, Ed25519 and Ed448.
be93b0e8 MC	45
	46	Not all digests can be used for all key types. The following combinations apply.
	47
	48	=over 4
	49
	50	=item DSA
	51
	52	Supports SHA1, SHA224, SHA256, SHA384 and SHA512
	53
	54	=item ECDSA
	55
	56	Supports SHA1, SHA224, SHA256, SHA384, SHA512 and SM3
	57
	58	=item RSA with no padding
	59
	60	Supports no digests (the digest B<type> must be NULL)
	61
	62	=item RSA with X931 padding
	63
	64	Supports SHA1, SHA256, SHA384 and SHA512
	65
	66	=item All other RSA padding types
	67
	68	Support SHA1, SHA224, SHA256, SHA384, SHA512, MD5, MD5_SHA1, MD2, MD4, MDC2,
	69	SHA3-224, SHA3-256, SHA3-384, SHA3-512
	70
	71	=item Ed25519 and Ed448
	72
	73	Support no digests (the digest B<type> must be NULL)
	74
	75	=item HMAC
	76
	77	Supports any digest
	78
	79	=item CMAC, Poly1305 and SipHash
	80
	81	Will ignore any digest provided.
	82
	83	=back
	84
	85	If RSA-PSS is used and restrictions apply then the digest must match.
29cf84c6 DSH	86
	87	EVP_DigestSignUpdate() hashes B<cnt> bytes of data at B<d> into the
	88	signature context B<ctx>. This function can be called several times on the
	89	same B<ctx> to include additional data. This function is currently implemented
186bb907	90	using a macro.
29cf84c6	91
fa332bba	92	EVP_DigestSignFinal() signs the data in B<ctx> and places the signature in B<sig>.
29cf84c6 DSH	93	If B<sig> is B<NULL> then the maximum size of the output buffer is written to
29cf84c6 DSH	94	the B<siglen> parameter. If B<sig> is not B<NULL> then before the call the
fa332bba	95	B<siglen> parameter should contain the length of the B<sig> buffer. If the
29cf84c6 DSH	96	call is successful the signature is written to B<sig> and the amount of data
	97	written to B<siglen>.
	98
75394189	99	EVP_DigestSign() signs B<tbslen> bytes of data at B<tbs> and places the
27b138e9	100	signature in B<sig> and its length in B<siglen> in a similar way to
75394189 DSH	101	EVP_DigestSignFinal().
75394189 DSH	102
29cf84c6 DSH	103	=head1 RETURN VALUES
29cf84c6 DSH	104
75394189 DSH	105	EVP_DigestSignInit(), EVP_DigestSignUpdate(), EVP_DigestSignaFinal() and
75394189 DSH	106	EVP_DigestSign() return 1 for success and 0 or a negative value for failure. In
fa332bba	107	particular, a return value of -2 indicates the operation is not supported by the
75394189	108	public key algorithm.
29cf84c6	109
9b86974e	110	The error codes can be obtained from L<ERR_get_error(3)>.
29cf84c6 DSH	111
	112	=head1 NOTES
	113
	114	The B<EVP> interface to digital signatures should almost always be used in
	115	preference to the low level interfaces. This is because the code then becomes
	116	transparent to the algorithm used and much more flexible.
	117
74e78361 DSH	118	EVP_DigestSign() is a one shot operation which signs a single block of data
	119	in one function. For algorithms that support streaming it is equivalent to
	120	calling EVP_DigestSignUpdate() and EVP_DigestSignFinal(). For algorithms which
	121	do not support streaming (e.g. PureEdDSA) it is the only way to sign data.
75394189	122
29cf84c6 DSH	123	In previous versions of OpenSSL there was a link between message digest types
	124	and public key algorithms. This meant that "clone" digests such as EVP_dss1()
	125	needed to be used to sign using SHA1 and DSA. This is no longer necessary and
	126	the use of clone digest is now discouraged.
	127
262c0088 DMSP	128	For some key types and parameters the random number generator must be seeded.
	129	If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
	130	external circumstances (see L<RAND(7)>), the operation will fail.
29cf84c6 DSH	131
	132	The call to EVP_DigestSignFinal() internally finalizes a copy of the digest
	133	context. This means that calls to EVP_DigestSignUpdate() and
	134	EVP_DigestSignFinal() can be called later to digest and sign additional data.
	135
fa332bba	136	Since only a copy of the digest context is ever finalized, the context must
c12a2d27	137	be cleaned up after use by calling EVP_MD_CTX_free() or a memory leak
29cf84c6 DSH	138	will occur.
	139
	140	The use of EVP_PKEY_size() with these functions is discouraged because some
	141	signature operations may have a signature length which depends on the
	142	parameters set. As a result EVP_PKEY_size() would have to return a value
	143	which indicates the maximum possible signature for any set of parameters.
	144
	145	=head1 SEE ALSO
	146
9b86974e	147	L<EVP_DigestVerifyInit(3)>,
73fb82b7	148	L<EVP_DigestInit(3)>,
b97fdb57 RL	149	L<evp(7)>, L<HMAC(3)>, L<MD2(3)>,
b97fdb57 RL	150	L<MD5(3)>, L<MDC2(3)>, L<RIPEMD160(3)>,
262c0088 DMSP	151	L<SHA1(3)>, L<dgst(1)>,
262c0088 DMSP	152	L<RAND(7)>
29cf84c6 DSH	153
	154	=head1 HISTORY
	155
1bc74519	156	EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal()
fc5ecadd	157	were added in OpenSSL 1.0.0.
29cf84c6	158
e2f92610 RS	159	=head1 COPYRIGHT
e2f92610 RS	160
28428130	161	Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
e2f92610	162
4746f25a	163	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	164	this file except in compliance with the License. You can obtain a copy
	165	in the file LICENSE in the source distribution or at
	166	L<https://www.openssl.org/source/license.html>.
	167
	168	=cut