[thirdparty/openssl.git] / doc / man3 / ECDSA_SIG_new.pod

=pod

=head1 NAME

ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0,
ECDSA_SIG_new, ECDSA_SIG_free, i2d_ECDSA_SIG, d2i_ECDSA_SIG, ECDSA_size,
ECDSA_sign, ECDSA_do_sign, ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup,
ECDSA_sign_ex, ECDSA_do_sign_ex - low level elliptic curve digital signature
algorithm (ECDSA) functions

=head1 SYNOPSIS

 #include <openssl/ecdsa.h>

 ECDSA_SIG *ECDSA_SIG_new(void);
 void ECDSA_SIG_free(ECDSA_SIG *sig);
 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
 const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig);
 const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig);
 int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
 int i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp);
 ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **sig, const unsigned char **pp, long len);
 int ECDSA_size(const EC_KEY *eckey);

 int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen,
                unsigned char *sig, unsigned int *siglen, EC_KEY *eckey);
 ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dgst_len,
                          EC_KEY *eckey);

 int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen,
                  const unsigned char *sig, int siglen, EC_KEY *eckey);
 int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
                     const ECDSA_SIG *sig, EC_KEY* eckey);

 ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen,
                             const BIGNUM *kinv, const BIGNUM *rp,
                             EC_KEY *eckey);
 int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **rp);
 int ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen,
                   unsigned char *sig, unsigned int *siglen,
                   const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey);

=head1 DESCRIPTION

Note: these functions provide a low level interface to ECDSA. Most
applications should use the higher level B<EVP> interface such as
L<EVP_DigestSignInit(3)> or L<EVP_DigestVerifyInit(3)> instead.

B<ECDSA_SIG> is an opaque structure consisting of two BIGNUMs for the
B<r> and B<s> value of an ECDSA signature (see X9.62 or FIPS 186-2).

ECDSA_SIG_new() allocates an empty B<ECDSA_SIG> structure. Note: before
OpenSSL 1.1.0 the: the B<r> and B<s> components were initialised.

ECDSA_SIG_free() frees the B<ECDSA_SIG> structure B<sig>.

ECDSA_SIG_get0() returns internal pointers the B<r> and B<s> values contained
in B<sig> and stores them in B<*pr> and B<*ps>, respectively.
The pointer B<pr> or B<ps> can be NULL, in which case the corresponding value
is not returned.

The values B<r>, B<s> can also be retrieved separately by the corresponding
function ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s(), respectively.

The B<r> and B<s> values can be set by calling ECDSA_SIG_set0() and passing the
new values for B<r> and B<s> as parameters to the function. Calling this
function transfers the memory management of the values to the ECDSA_SIG object,
and therefore the values that have been passed in should not be freed directly
after this function has been called.

i2d_ECDSA_SIG() creates the DER encoding of the ECDSA signature B<sig> and
writes the encoded signature to B<*pp> (note: if B<pp> is NULL i2d_ECDSA_SIG()
returns the expected length in bytes of the DER encoded signature).
i2d_ECDSA_SIG() returns the length of the DER encoded signature (or 0 on
error).

d2i_ECDSA_SIG() decodes a DER encoded ECDSA signature and returns the decoded
signature in a newly allocated B<ECDSA_SIG> structure. B<*sig> points to the
buffer containing the DER encoded signature of size B<len>.

ECDSA_size() returns the maximum length of a DER encoded ECDSA signature
created with the private EC key B<eckey>.

ECDSA_sign() computes a digital signature of the B<dgstlen> bytes hash value
B<dgst> using the private EC key B<eckey>. The DER encoded signatures is
stored in B<sig> and its length is returned in B<sig_len>. Note: B<sig> must
point to ECDSA_size(eckey) bytes of memory. The parameter B<type> is currently
ignored. ECDSA_sign() is wrapper function for ECDSA_sign_ex() with B<kinv>
and B<rp> set to NULL.

ECDSA_do_sign() is similar to ECDSA_sign() except the signature is returned
as a newly allocated B<ECDSA_SIG> structure (or NULL on error). ECDSA_do_sign()
is a wrapper function for ECDSA_do_sign_ex() with B<kinv> and B<rp> set to
NULL.

ECDSA_verify() verifies that the signature in B<sig> of size B<siglen> is a
valid ECDSA signature of the hash value B<dgst> of size B<dgstlen> using the
public key B<eckey>.  The parameter B<type> is ignored.

ECDSA_do_verify() is similar to ECDSA_verify() except the signature is
presented in the form of a pointer to an B<ECDSA_SIG> structure.

The remaining functions utilise the internal B<kinv> and B<r> values used
during signature computation. Most applications will never need to call these
and some external ECDSA ENGINE implementations may not support them at all if
either B<kinv> or B<r> is not B<NULL>.

ECDSA_sign_setup() may be used to precompute parts of the signing operation.
B<eckey> is the private EC key and B<ctx> is a pointer to B<BN_CTX> structure
(or NULL). The precomputed values or returned in B<kinv> and B<rp> and can be
used in a later call to ECDSA_sign_ex() or ECDSA_do_sign_ex().

ECDSA_sign_ex() computes a digital signature of the B<dgstlen> bytes hash value
B<dgst> using the private EC key B<eckey> and the optional pre-computed values
B<kinv> and B<rp>. The DER encoded signature is stored in B<sig> and its
length is returned in B<sig_len>. Note: B<sig> must point to ECDSA_size(eckey)
bytes of memory. The parameter B<type> is ignored.

ECDSA_do_sign_ex() is similar to ECDSA_sign_ex() except the signature is
returned as a newly allocated B<ECDSA_SIG> structure (or NULL on error).

=head1 RETURN VALUES

ECDSA_SIG_new() returns NULL if the allocation fails.

ECDSA_SIG_set0() returns 1 on success or 0 on failure.

ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s() return the corresponding value,
or NULL if it is unset.

ECDSA_size() returns the maximum length signature or 0 on error.

ECDSA_sign(), ECDSA_sign_ex() and ECDSA_sign_setup() return 1 if successful
or 0 on error.

ECDSA_do_sign() and ECDSA_do_sign_ex() return a pointer to an allocated
B<ECDSA_SIG> structure or NULL on error.

ECDSA_verify() and ECDSA_do_verify() return 1 for a valid
signature, 0 for an invalid signature and -1 on error.
The error codes can be obtained by L<ERR_get_error(3)>.

=head1 EXAMPLES

Creating an ECDSA signature of a given SHA-256 hash value using the
named curve prime256v1 (aka P-256).

First step: create an EC_KEY object (note: this part is B<not> ECDSA
specific)

 int ret;
 ECDSA_SIG *sig;
 EC_KEY *eckey;

 eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
 if (eckey == NULL)
     /* error */
 if (EC_KEY_generate_key(eckey) == 0)
     /* error */

Second step: compute the ECDSA signature of a SHA-256 hash value
using ECDSA_do_sign():

 sig = ECDSA_do_sign(digest, 32, eckey);
 if (sig == NULL)
     /* error */

or using ECDSA_sign():

 unsigned char *buffer, *pp;
 int buf_len;

 buf_len = ECDSA_size(eckey);
 buffer = OPENSSL_malloc(buf_len);
 pp = buffer;
 if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0)
     /* error */

Third step: verify the created ECDSA signature using ECDSA_do_verify():

 ret = ECDSA_do_verify(digest, 32, sig, eckey);

or using ECDSA_verify():

 ret = ECDSA_verify(0, digest, 32, buffer, buf_len, eckey);

and finally evaluate the return value:

 if (ret == 1)
     /* signature ok */
 else if (ret == 0)
     /* incorrect signature */
 else
     /* error */

=head1 CONFORMING TO

ANSI X9.62, US Federal Information Processing Standard FIPS 186-2
(Digital Signature Standard, DSS)

=head1 SEE ALSO

L<EC_KEY_new(3)>,
L<EVP_DigestSignInit(3)>,
L<EVP_DigestVerifyInit(3)>

=head1 COPYRIGHT

Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
5075521e GT	1	=pod
	2
	3	=head1 NAME
	4
0396401d	5	ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0,
580b557b DSH	6	ECDSA_SIG_new, ECDSA_SIG_free, i2d_ECDSA_SIG, d2i_ECDSA_SIG, ECDSA_size,
	7	ECDSA_sign, ECDSA_do_sign, ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup,
	8	ECDSA_sign_ex, ECDSA_do_sign_ex - low level elliptic curve digital signature
bb9ad09e	9	algorithm (ECDSA) functions
5075521e GT	10
	11	=head1 SYNOPSIS
	12
	13	#include <openssl/ecdsa.h>
	14
580b557b DSH	15	ECDSA_SIG *ECDSA_SIG_new(void);
580b557b DSH	16	void ECDSA_SIG_free(ECDSA_SIG *sig);
9267c11b	17	void ECDSA_SIG_get0(const ECDSA_SIG sig, const BIGNUM pr, const BIGNUM *ps);
0396401d DMSP	18	const BIGNUM ECDSA_SIG_get0_r(const ECDSA_SIG sig);
0396401d DMSP	19	const BIGNUM ECDSA_SIG_get0_s(const ECDSA_SIG sig);
7ca3ea22	20	int ECDSA_SIG_set0(ECDSA_SIG sig, BIGNUM r, BIGNUM *s);
580b557b DSH	21	int i2d_ECDSA_SIG(const ECDSA_SIG sig, unsigned char *pp);
	22	ECDSA_SIG d2i_ECDSA_SIG(ECDSA_SIG sig, const unsigned char *pp, long len);
	23	int ECDSA_size(const EC_KEY *eckey);
	24
	25	int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen,
	26	unsigned char sig, unsigned int siglen, EC_KEY *eckey);
	27	ECDSA_SIG ECDSA_do_sign(const unsigned char dgst, int dgst_len,
	28	EC_KEY *eckey);
	29
	30	int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen,
	31	const unsigned char sig, int siglen, EC_KEY eckey);
	32	int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
	33	const ECDSA_SIG sig, EC_KEY eckey);
	34
	35	ECDSA_SIG ECDSA_do_sign_ex(const unsigned char dgst, int dgstlen,
	36	const BIGNUM kinv, const BIGNUM rp,
	37	EC_KEY *eckey);
	38	int ECDSA_sign_setup(EC_KEY eckey, BN_CTX ctx, BIGNUM kinv, BIGNUM rp);
	39	int ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen,
	40	unsigned char sig, unsigned int siglen,
	41	const BIGNUM kinv, const BIGNUM rp, EC_KEY *eckey);
5075521e	42
5075521e GT	43	=head1 DESCRIPTION
5075521e GT	44
580b557b DSH	45	Note: these functions provide a low level interface to ECDSA. Most
	46	applications should use the higher level B<EVP> interface such as
	47	L<EVP_DigestSignInit(3)> or L<EVP_DigestVerifyInit(3)> instead.
5075521e	48
580b557b DSH	49	B<ECDSA_SIG> is an opaque structure consisting of two BIGNUMs for the
580b557b DSH	50	B<r> and B<s> value of an ECDSA signature (see X9.62 or FIPS 186-2).
5075521e	51
721f3980 DSH	52	ECDSA_SIG_new() allocates an empty B<ECDSA_SIG> structure. Note: before
721f3980 DSH	53	OpenSSL 1.1.0 the: the B<r> and B<s> components were initialised.
5075521e GT	54
	55	ECDSA_SIG_free() frees the B<ECDSA_SIG> structure B<sig>.
	56
580b557b	57	ECDSA_SIG_get0() returns internal pointers the B<r> and B<s> values contained
0396401d DMSP	58	in B<sig> and stores them in B<pr> and B<ps>, respectively.
	59	The pointer B<pr> or B<ps> can be NULL, in which case the corresponding value
	60	is not returned.
	61
	62	The values B<r>, B<s> can also be retrieved separately by the corresponding
	63	function ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s(), respectively.
5075521e	64
6a571a18 TS	65	The B<r> and B<s> values can be set by calling ECDSA_SIG_set0() and passing the
	66	new values for B<r> and B<s> as parameters to the function. Calling this
	67	function transfers the memory management of the values to the ECDSA_SIG object,
	68	and therefore the values that have been passed in should not be freed directly
	69	after this function has been called.
	70
580b557b DSH	71	i2d_ECDSA_SIG() creates the DER encoding of the ECDSA signature B<sig> and
	72	writes the encoded signature to B<*pp> (note: if B<pp> is NULL i2d_ECDSA_SIG()
	73	returns the expected length in bytes of the DER encoded signature).
	74	i2d_ECDSA_SIG() returns the length of the DER encoded signature (or 0 on
	75	error).
5075521e	76
580b557b DSH	77	d2i_ECDSA_SIG() decodes a DER encoded ECDSA signature and returns the decoded
	78	signature in a newly allocated B<ECDSA_SIG> structure. B<*sig> points to the
	79	buffer containing the DER encoded signature of size B<len>.
5075521e	80
580b557b DSH	81	ECDSA_size() returns the maximum length of a DER encoded ECDSA signature
580b557b DSH	82	created with the private EC key B<eckey>.
5075521e	83
580b557b DSH	84	ECDSA_sign() computes a digital signature of the B<dgstlen> bytes hash value
580b557b DSH	85	B<dgst> using the private EC key B<eckey>. The DER encoded signatures is
424baabd	86	stored in B<sig> and its length is returned in B<sig_len>. Note: B<sig> must
580b557b DSH	87	point to ECDSA_size(eckey) bytes of memory. The parameter B<type> is currently
580b557b DSH	88	ignored. ECDSA_sign() is wrapper function for ECDSA_sign_ex() with B<kinv>
b67d9889 NL	89	and B<rp> set to NULL.
b67d9889 NL	90
580b557b DSH	91	ECDSA_do_sign() is similar to ECDSA_sign() except the signature is returned
	92	as a newly allocated B<ECDSA_SIG> structure (or NULL on error). ECDSA_do_sign()
	93	is a wrapper function for ECDSA_do_sign_ex() with B<kinv> and B<rp> set to
	94	NULL.
5075521e	95
580b557b DSH	96	ECDSA_verify() verifies that the signature in B<sig> of size B<siglen> is a
	97	valid ECDSA signature of the hash value B<dgst> of size B<dgstlen> using the
	98	public key B<eckey>. The parameter B<type> is ignored.
5075521e	99
580b557b DSH	100	ECDSA_do_verify() is similar to ECDSA_verify() except the signature is
	101	presented in the form of a pointer to an B<ECDSA_SIG> structure.
	102
	103	The remaining functions utilise the internal B<kinv> and B<r> values used
	104	during signature computation. Most applications will never need to call these
	105	and some external ECDSA ENGINE implementations may not support them at all if
	106	either B<kinv> or B<r> is not B<NULL>.
b67d9889	107
580b557b DSH	108	ECDSA_sign_setup() may be used to precompute parts of the signing operation.
	109	B<eckey> is the private EC key and B<ctx> is a pointer to B<BN_CTX> structure
	110	(or NULL). The precomputed values or returned in B<kinv> and B<rp> and can be
	111	used in a later call to ECDSA_sign_ex() or ECDSA_do_sign_ex().
5075521e	112
580b557b DSH	113	ECDSA_sign_ex() computes a digital signature of the B<dgstlen> bytes hash value
580b557b DSH	114	B<dgst> using the private EC key B<eckey> and the optional pre-computed values
424baabd	115	B<kinv> and B<rp>. The DER encoded signature is stored in B<sig> and its
580b557b DSH	116	length is returned in B<sig_len>. Note: B<sig> must point to ECDSA_size(eckey)
	117	bytes of memory. The parameter B<type> is ignored.
	118
	119	ECDSA_do_sign_ex() is similar to ECDSA_sign_ex() except the signature is
	120	returned as a newly allocated B<ECDSA_SIG> structure (or NULL on error).
5075521e GT	121
	122	=head1 RETURN VALUES
	123
6da34cfb KG	124	ECDSA_SIG_new() returns NULL if the allocation fails.
6da34cfb KG	125
6a571a18 TS	126	ECDSA_SIG_set0() returns 1 on success or 0 on failure.
6a571a18 TS	127
0396401d DMSP	128	ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s() return the corresponding value,
	129	or NULL if it is unset.
	130
5075521e GT	131	ECDSA_size() returns the maximum length signature or 0 on error.
5075521e GT	132
580b557b DSH	133	ECDSA_sign(), ECDSA_sign_ex() and ECDSA_sign_setup() return 1 if successful
	134	or 0 on error.
	135
	136	ECDSA_do_sign() and ECDSA_do_sign_ex() return a pointer to an allocated
	137	B<ECDSA_SIG> structure or NULL on error.
5075521e GT	138
	139	ECDSA_verify() and ECDSA_do_verify() return 1 for a valid
	140	signature, 0 for an invalid signature and -1 on error.
9b86974e	141	The error codes can be obtained by L<ERR_get_error(3)>.
5075521e GT	142
	143	=head1 EXAMPLES
	144
580b557b DSH	145	Creating an ECDSA signature of a given SHA-256 hash value using the
580b557b DSH	146	named curve prime256v1 (aka P-256).
5075521e	147
b9b6a7e5	148	First step: create an EC_KEY object (note: this part is B<not> ECDSA
5075521e GT	149	specific)
5075521e GT	150
2947af32	151	int ret;
5075521e	152	ECDSA_SIG *sig;
2947af32	153	EC_KEY *eckey;
e9b77246	154
580b557b	155	eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
2947af32 BB	156	if (eckey == NULL)
	157	/* error */
	158	if (EC_KEY_generate_key(eckey) == 0)
	159	/* error */
580b557b DSH	160
	161	Second step: compute the ECDSA signature of a SHA-256 hash value
	162	using ECDSA_do_sign():
	163
	164	sig = ECDSA_do_sign(digest, 32, eckey);
2947af32 BB	165	if (sig == NULL)
2947af32 BB	166	/* error */
580b557b DSH	167
580b557b DSH	168	or using ECDSA_sign():
5075521e GT	169
5075521e GT	170	unsigned char buffer, pp;
2947af32	171	int buf_len;
e9b77246	172
5075521e	173	buf_len = ECDSA_size(eckey);
2947af32	174	buffer = OPENSSL_malloc(buf_len);
5075521e	175	pp = buffer;
2947af32 BB	176	if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0)
2947af32 BB	177	/* error */
5075521e	178
580b557b	179	Third step: verify the created ECDSA signature using ECDSA_do_verify():
5075521e	180
580b557b	181	ret = ECDSA_do_verify(digest, 32, sig, eckey);
5075521e	182
580b557b	183	or using ECDSA_verify():
5075521e	184
580b557b	185	ret = ECDSA_verify(0, digest, 32, buffer, buf_len, eckey);
5075521e GT	186
	187	and finally evaluate the return value:
	188
2947af32 BB	189	if (ret == 1)
	190	/* signature ok */
	191	else if (ret == 0)
	192	/* incorrect signature */
	193	else
	194	/* error */
5075521e GT	195
	196	=head1 CONFORMING TO
	197
	198	ANSI X9.62, US Federal Information Processing Standard FIPS 186-2
	199	(Digital Signature Standard, DSS)
	200
	201	=head1 SEE ALSO
	202
87930507	203	L<EC_KEY_new(3)>,
580b557b DSH	204	L<EVP_DigestSignInit(3)>,
580b557b DSH	205	L<EVP_DigestVerifyInit(3)>
5075521e	206
e2f92610 RS	207	=head1 COPYRIGHT
e2f92610 RS	208
83cf7abf	209	Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
e2f92610	210
4746f25a	211	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	212	this file except in compliance with the License. You can obtain a copy
	213	in the file LICENSE in the source distribution or at
	214	L<https://www.openssl.org/source/license.html>.
	215
	216	=cut