1=pod
2
3=head1 NAME
4
5provider-signature - The signature library E<lt>-E<gt> provider functions
6
7=head1 SYNOPSIS
8
bb82531f 9=for openssl multiple includes
4f62f5d9 10
23c48d94 11 #include <openssl/core_dispatch.h>
12 #include <openssl/core_names.h>
13
14 /*
15 * None of these are actual functions, but are displayed like this for
16 * the function signatures for functions that are offered as function
17 * pointers in OSSL_DISPATCH arrays.
18 */
19
20 /* Context management */
5fdc95e4 21 void *OSSL_FUNC_signature_newctx(void *provctx, const char *propq);
22 void OSSL_FUNC_signature_freectx(void *ctx);
23 void *OSSL_FUNC_signature_dupctx(void *ctx);
24
25 /* Signing */
26 int OSSL_FUNC_signature_sign_init(void *ctx, void *provkey,
27 const OSSL_PARAM params[]);
28 int OSSL_FUNC_signature_sign(void *ctx, unsigned char *sig, size_t *siglen,
29 size_t sigsize, const unsigned char *tbs, size_t tbslen);
30
31 /* Verifying */
32 int OSSL_FUNC_signature_verify_init(void *ctx, void *provkey,
33 const OSSL_PARAM params[]);
34 int OSSL_FUNC_signature_verify(void *ctx, const unsigned char *sig, size_t siglen,
35 const unsigned char *tbs, size_t tbslen);
36
37 /* Verify Recover */
38 int OSSL_FUNC_signature_verify_recover_init(void *ctx, void *provkey,
39 const OSSL_PARAM params[]);
40 int OSSL_FUNC_signature_verify_recover(void *ctx, unsigned char *rout,
41 size_t *routlen, size_t routsize,
42 const unsigned char *sig, size_t siglen);
4f62f5d9 43
d62be158 44 /* Digest Sign */
363b1e5d 45 int OSSL_FUNC_signature_digest_sign_init(void *ctx, const char *mdname,
a07a70c7 46 void *provkey,
f187d4f9 47 const OSSL_PARAM params[]);
363b1e5d 48 int OSSL_FUNC_signature_digest_sign_update(void *ctx, const unsigned char *data,
d62be158 49 size_t datalen);
50 int OSSL_FUNC_signature_digest_sign_final(void *ctx, unsigned char *sig,
51 size_t *siglen, size_t sigsize);
52 int OSSL_FUNC_signature_digest_sign(void *ctx,
2bd8190a 53 unsigned char *sig, size_t *siglen,
54 size_t sigsize, const unsigned char *tbs,
55 size_t tbslen);
56
57 /* Digest Verify */
363b1e5d 58 int OSSL_FUNC_signature_digest_verify_init(void *ctx, const char *mdname,
a07a70c7 59 void *provkey,
f187d4f9 60 const OSSL_PARAM params[]);
61 int OSSL_FUNC_signature_digest_verify_update(void *ctx,
62 const unsigned char *data,
63 size_t datalen);
64 int OSSL_FUNC_signature_digest_verify_final(void *ctx, const unsigned char *sig,
d62be158 65 size_t siglen);
363b1e5d 66 int OSSL_FUNC_signature_digest_verify(void *ctx, const unsigned char *sig,
67 size_t siglen, const unsigned char *tbs,
68 size_t tbslen);
69
4f62f5d9 70 /* Signature parameters */
363b1e5d 71 int OSSL_FUNC_signature_get_ctx_params(void *ctx, OSSL_PARAM params[]);
72 const OSSL_PARAM *OSSL_FUNC_signature_gettable_ctx_params(void *ctx,
73 void *provctx);
363b1e5d 74 int OSSL_FUNC_signature_set_ctx_params(void *ctx, const OSSL_PARAM params[]);
75 const OSSL_PARAM *OSSL_FUNC_signature_settable_ctx_params(void *ctx,
76 void *provctx);
d62be158 77 /* MD parameters */
78 int OSSL_FUNC_signature_get_ctx_md_params(void *ctx, OSSL_PARAM params[]);
79 const OSSL_PARAM * OSSL_FUNC_signature_gettable_ctx_md_params(void *ctx);
80 int OSSL_FUNC_signature_set_ctx_md_params(void *ctx, const OSSL_PARAM params[]);
81 const OSSL_PARAM * OSSL_FUNC_signature_settable_ctx_md_params(void *ctx);
d62be158 82
83=head1 DESCRIPTION
84
85This documentation is primarily aimed at provider authors. See L<provider(7)>
86for further information.
87
88The signature (OSSL_OP_SIGNATURE) operation enables providers to implement
89signature algorithms and make them available to applications via the API
90functions L<EVP_PKEY_sign(3)>,
91L<EVP_PKEY_verify(3)>,
92and L<EVP_PKEY_verify_recover(3)> (as well
93as other related functions).
94
95All "functions" mentioned here are passed as function pointers between
96F<libcrypto> and the provider in L<OSSL_DISPATCH(3)> arrays via
97L<OSSL_ALGORITHM(3)> arrays that are returned by the provider's
98provider_query_operation() function
99(see L<provider-base(7)/Provider Functions>).
100
101All these "functions" have a corresponding function type definition
bd6e7fb7 102named B<OSSL_FUNC_{name}_fn>, and a helper function to retrieve the
318a9dfa 103function pointer from an L<OSSL_DISPATCH(3)> element named
104B<OSSL_FUNC_{name}>.
105For example, the "function" OSSL_FUNC_signature_newctx() has these:
4f62f5d9 106
5fdc95e4 107 typedef void *(OSSL_FUNC_signature_newctx_fn)(void *provctx, const char *propq);
108 static ossl_inline OSSL_FUNC_signature_newctx_fn
109 OSSL_FUNC_signature_newctx(const OSSL_DISPATCH *opf);
4f62f5d9 110
318a9dfa 111L<OSSL_DISPATCH(3)> arrays are indexed by numbers that are provided as
23c48d94 112macros in L<openssl-core_dispatch.h(7)>, as follows:
4f62f5d9 113
114 OSSL_FUNC_signature_newctx OSSL_FUNC_SIGNATURE_NEWCTX
115 OSSL_FUNC_signature_freectx OSSL_FUNC_SIGNATURE_FREECTX
116 OSSL_FUNC_signature_dupctx OSSL_FUNC_SIGNATURE_DUPCTX
4f62f5d9 117
118 OSSL_FUNC_signature_sign_init OSSL_FUNC_SIGNATURE_SIGN_INIT
119 OSSL_FUNC_signature_sign OSSL_FUNC_SIGNATURE_SIGN
4f62f5d9 120
121 OSSL_FUNC_signature_verify_init OSSL_FUNC_SIGNATURE_VERIFY_INIT
122 OSSL_FUNC_signature_verify OSSL_FUNC_SIGNATURE_VERIFY
4f62f5d9 123
124 OSSL_FUNC_signature_verify_recover_init OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT
125 OSSL_FUNC_signature_verify_recover OSSL_FUNC_SIGNATURE_VERIFY_RECOVER
4f62f5d9 126
127 OSSL_FUNC_signature_digest_sign_init OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT
128 OSSL_FUNC_signature_digest_sign_update OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE
129 OSSL_FUNC_signature_digest_sign_final OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL
130 OSSL_FUNC_signature_digest_sign OSSL_FUNC_SIGNATURE_DIGEST_SIGN
d62be158 131
132 OSSL_FUNC_signature_digest_verify_init OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT
133 OSSL_FUNC_signature_digest_verify_update OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE
134 OSSL_FUNC_signature_digest_verify_final OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL
135 OSSL_FUNC_signature_digest_verify OSSL_FUNC_SIGNATURE_DIGEST_VERIFY
d62be158 136
137 OSSL_FUNC_signature_get_ctx_params OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS
138 OSSL_FUNC_signature_gettable_ctx_params OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS
139 OSSL_FUNC_signature_set_ctx_params OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS
140 OSSL_FUNC_signature_settable_ctx_params OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS
4f62f5d9 141
142 OSSL_FUNC_signature_get_ctx_md_params OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS
143 OSSL_FUNC_signature_gettable_ctx_md_params OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS
144 OSSL_FUNC_signature_set_ctx_md_params OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS
145 OSSL_FUNC_signature_settable_ctx_md_params OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS
d62be158 146
4f62f5d9 147A signature algorithm implementation need not implement all of these functions.
d62be158 148In order to be a consistent set of functions we must have at least a set of
363b1e5d 149context functions (OSSL_FUNC_signature_newctx and OSSL_FUNC_signature_freectx) as well as a
150set of "signature" functions, i.e. at least one of:
151
152=over 4
153
363b1e5d 154=item OSSL_FUNC_signature_sign_init and OSSL_FUNC_signature_sign
d62be158 155
363b1e5d 156=item OSSL_FUNC_signature_verify_init and OSSL_FUNC_signature_verify
d62be158 157
51b941ac 158=item OSSL_FUNC_signature_verify_recover_init and OSSL_FUNC_signature_verify_recover
d62be158 159
363b1e5d 160=item OSSL_FUNC_signature_digest_sign_init, OSSL_FUNC_signature_digest_sign_update and OSSL_FUNC_signature_digest_sign_final
d62be158 161
363b1e5d 162=item OSSL_FUNC_signature_digest_verify_init, OSSL_FUNC_signature_digest_verify_update and OSSL_FUNC_signature_digest_verify_final
d62be158 163
363b1e5d 164=item OSSL_FUNC_signature_digest_sign_init and OSSL_FUNC_signature_digest_sign
d62be158 165
363b1e5d 166=item OSSL_FUNC_signature_digest_verify_init and OSSL_FUNC_signature_digest_verify
167
168=back
169
363b1e5d 170OSSL_FUNC_signature_set_ctx_params and OSSL_FUNC_signature_settable_ctx_params are optional,
d62be158 171but if one of them is present then the other one must also be present. The same
172applies to OSSL_FUNC_signature_get_ctx_params and OSSL_FUNC_signature_gettable_ctx_params, as
173well as the "md_params" functions. The OSSL_FUNC_signature_dupctx function is optional.
174
175A signature algorithm must also implement some mechanism for generating,
176loading or importing keys via the key management (OSSL_OP_KEYMGMT) operation.
177See L<provider-keymgmt(7)> for further details.
178
179=head2 Context Management Functions
180
363b1e5d 181OSSL_FUNC_signature_newctx() should create and return a pointer to a provider side
182structure for holding context information during a signature operation.
183A pointer to this context will be passed back in a number of the other signature
184operation function calls.
dfabee82 185The parameter I<provctx> is the provider context generated during provider
186initialisation (see L<provider(7)>). The I<propq> parameter is a property query
187string that may be (optionally) used by the provider during any "fetches" that
188it may perform (if it performs any).
4f62f5d9 189
363b1e5d 190OSSL_FUNC_signature_freectx() is passed a pointer to the provider side signature
dfabee82 191context in the I<ctx> parameter.
192This function should free any resources associated with that context.
193
363b1e5d 194OSSL_FUNC_signature_dupctx() should duplicate the provider side signature context in
dfabee82 195the I<ctx> parameter and return the duplicate copy.
196
197=head2 Signing Functions
198
363b1e5d 199OSSL_FUNC_signature_sign_init() initialises a context for signing given a provider side
200signature context in the I<ctx> parameter, and a pointer to a provider key object
201in the I<provkey> parameter.
202The I<params>, if not NULL, should be set on the context in a manner similar to
203using OSSL_FUNC_signature_set_ctx_params().
204The key object should have been previously generated, loaded or imported into
205the provider using the key management (OSSL_OP_KEYMGMT) operation (see
206L<provider-keymgmt(7)>).
207
363b1e5d 208OSSL_FUNC_signature_sign() performs the actual signing itself.
dfabee82 209A previously initialised signature context is passed in the I<ctx>
4f62f5d9 210parameter.
dfabee82 211The data to be signed is pointed to by the I<tbs> parameter which is I<tbslen>
4f62f5d9 212bytes long.
213Unless I<sig> is NULL, the signature should be written to the location pointed
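214to by the I<sig> parameter and it should not exceed I<sigsize> bytes in length.
If the signature would not fit in I<sigsize> bytes the function should fail
rather than write beyond the end of the buffer.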
215The length of the signature should be written to I<*siglen>.
216If I<sig> is NULL then the maximum length of the signature should be written to
217I<*siglen>.
218
219=head2 Verify Functions
220
363b1e5d 221OSSL_FUNC_signature_verify_init() initialises a context for verifying a signature given
222a provider side signature context in the I<ctx> parameter, and a pointer to a
223provider key object in the I<provkey> parameter.
224The I<params>, if not NULL, should be set on the context in a manner similar to
225using OSSL_FUNC_signature_set_ctx_params().
226The key object should have been previously generated, loaded or imported into
227the provider using the key management (OSSL_OP_KEYMGMT) operation (see
228L<provider-keymgmt(7)>).
229
363b1e5d 230OSSL_FUNC_signature_verify() performs the actual verification itself.
231A previously initialised signature context is passed in the I<ctx> parameter.
232The data that the signature covers is pointed to by the I<tbs> parameter which
233is I<tbslen> bytes long.
234The signature is pointed to by the I<sig> parameter which is I<siglen> bytes
235long.
236
237=head2 Verify Recover Functions
238
363b1e5d 239OSSL_FUNC_signature_verify_recover_init() initialises a context for recovering the
240signed data given a provider side signature context in the I<ctx> parameter, and
241a pointer to a provider key object in the I<provkey> parameter.
242The I<params>, if not NULL, should be set on the context in a manner similar to
243using OSSL_FUNC_signature_set_ctx_params().
244The key object should have been previously generated, loaded or imported into
245the provider using the key management (OSSL_OP_KEYMGMT) operation (see
246L<provider-keymgmt(7)>).
247
363b1e5d 248OSSL_FUNC_signature_verify_recover() performs the actual verify recover itself.
249A previously initialised signature context is passed in the I<ctx> parameter.
250The signature is pointed to by the I<sig> parameter which is I<siglen> bytes
4f62f5d9 251long.
252Unless I<rout> is NULL, the recovered data should be written to the location
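253pointed to by I<rout> which should not exceed I<routsize> bytes in length.
If the recovered data would not fit in I<routsize> bytes the function should fail
rather than write beyond the end of the buffer.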
254The length of the recovered data should be written to I<*routlen>.
255If I<rout> is NULL then the maximum size of the output buffer is written to
256I<*routlen>.
4f62f5d9 257
258=head2 Digest Sign Functions
259
363b1e5d 260OSSL_FUNC_signature_digest_sign_init() initialises a context for signing given a
d62be158 261provider side signature context in the I<ctx> parameter, and a pointer to a
262provider key object in the I<provkey> parameter.
263The I<params>, if not NULL, should be set on the context in a manner similar to
264using OSSL_FUNC_signature_set_ctx_params() and
265OSSL_FUNC_signature_set_ctx_md_params().
266The key object should have been
267previously generated, loaded or imported into the provider using the
268key management (OSSL_OP_KEYMGMT) operation (see L<provider-keymgmt(7)>).
a07a70c7 269The name of the digest to be used will be in the I<mdname> parameter.
d62be158 270
363b1e5d 271OSSL_FUNC_signature_digest_sign_update() provides data to be signed in the I<data>
272parameter which should be of length I<datalen>. A previously initialised
273signature context is passed in the I<ctx> parameter. This function may be called
af0d4136 274multiple times to cumulatively add data to be signed.
d62be158 275
276OSSL_FUNC_signature_digest_sign_final() finalises a signature operation previously
277started through OSSL_FUNC_signature_digest_sign_init() and
278OSSL_FUNC_signature_digest_sign_update() calls. Once finalised no more data will be
279added through OSSL_FUNC_signature_digest_sign_update(). A previously initialised
280signature context is passed in the I<ctx> parameter. Unless I<sig> is NULL, the
281signature should be written to the location pointed to by the I<sig> parameter
282and it should not exceed I<sigsize> bytes in length. The length of the signature
283should be written to I<*siglen>. If I<sig> is NULL then the maximum length of
284the signature should be written to I<*siglen>.
285
286OSSL_FUNC_signature_digest_sign() implements a "one shot" digest sign operation
287previously started through OSSL_FUNC_signature_digest_sign_init(). A previously
288initialised signature context is passed in the I<ctx> parameter. The data to be
289signed is in I<tbs> which should be I<tbslen> bytes long. Unless I<sig> is NULL,
290the signature should be written to the location pointed to by the I<sig>
291parameter and it should not exceed I<sigsize> bytes in length. The length of the
292signature should be written to I<*siglen>. If I<sig> is NULL then the maximum
293length of the signature should be written to I<*siglen>.
294
295=head2 Digest Verify Functions
296
363b1e5d 297OSSL_FUNC_signature_digest_verify_init() initialises a context for verifying given a
d62be158 298provider side verification context in the I<ctx> parameter, and a pointer to a
299provider key object in the I<provkey> parameter.
300The I<params>, if not NULL, should be set on the context in a manner similar to
301OSSL_FUNC_signature_set_ctx_params() and
302OSSL_FUNC_signature_set_ctx_md_params().
303The key object should have been
304previously generated, loaded or imported into the provider using the
305key management (OSSL_OP_KEYMGMT) operation (see L<provider-keymgmt(7)>).
a07a70c7 306The name of the digest to be used will be in the I<mdname> parameter.
d62be158 307
363b1e5d 308OSSL_FUNC_signature_digest_verify_update() provides data to be verified in the I<data>
309parameter which should be of length I<datalen>. A previously initialised
310verification context is passed in the I<ctx> parameter. This function may be
af0d4136 311called multiple times to cumulatively add data to be verified.
d62be158 312
313OSSL_FUNC_signature_digest_verify_final() finalises a verification operation previously
314started through OSSL_FUNC_signature_digest_verify_init() and
315OSSL_FUNC_signature_digest_verify_update() calls. Once finalised no more data will be
316added through OSSL_FUNC_signature_digest_verify_update(). A previously initialised
317verification context is passed in the I<ctx> parameter. The signature to be
318verified is in I<sig> which is I<siglen> bytes long.
319
320OSSL_FUNC_signature_digest_verify() implements a "one shot" digest verify operation
321previously started through OSSL_FUNC_signature_digest_verify_init(). A previously
322initialised verification context is passed in the I<ctx> parameter. The data to be
323verified is in I<tbs> which should be I<tbslen> bytes long. The signature to be
324verified is in I<sig> which is I<siglen> bytes long.
325
b8086652 326=head2 Signature parameters
327
328See L<OSSL_PARAM(3)> for further details on the parameters structure used by
363b1e5d 329the OSSL_FUNC_signature_get_ctx_params() and OSSL_FUNC_signature_set_ctx_params() functions.
4f62f5d9 330
363b1e5d 331OSSL_FUNC_signature_get_ctx_params() gets signature parameters associated with the
dfabee82 332given provider side signature context I<ctx> and stores them in I<params>.
333Passing NULL for I<params> should return true.
334
363b1e5d 335OSSL_FUNC_signature_set_ctx_params() sets the signature parameters associated with the
dfabee82 336given provider side signature context I<ctx> to I<params>.
4f62f5d9 337Any parameter settings are additional to any that were previously set.
f59612fe 338Passing NULL for I<params> should return true.
4f62f5d9 339
b8086652 340Common parameters currently recognised by built-in signature algorithms are as
4f62f5d9 341follows.
342
343=over 4
344
0c452a51 345=item "digest" (B<OSSL_SIGNATURE_PARAM_DIGEST>) <UTF8 string>
4f62f5d9 346
347Gets or sets the name of the digest algorithm used for the input to the
348signature functions. It is required in order to calculate the "algorithm-id".
b8086652 349
26372a4d 350=item "properties" (B<OSSL_SIGNATURE_PARAM_PROPERTIES>) <UTF8 string>
351
352Sets the name of the property query associated with the "digest" algorithm.
353NULL is used if this optional value is not set.
4f62f5d9 354
0c452a51 355=item "digest-size" (B<OSSL_SIGNATURE_PARAM_DIGEST_SIZE>) <unsigned integer>
4f62f5d9 356
357Gets or sets the output size of the digest algorithm used for the input to the
358signature functions.
359The length of the "digest-size" parameter should not exceed that of a B<size_t>.
360
26372a4d 361=item "algorithm-id" (B<OSSL_SIGNATURE_PARAM_ALGORITHM_ID>) <octet string>
362
363Gets the DER encoded AlgorithmIdentifier that corresponds to the combination of
364signature algorithm and digest algorithm for the signature operation.
365
f3090fc7 366=item "nonce-type" (B<OSSL_SIGNATURE_PARAM_NONCE_TYPE>) <unsigned integer>
367
368Set this to 1 to use deterministic digital signature generation with
369ECDSA or DSA, as defined in RFC 6979 (see Section 3.2 "Generation of
370k"). In this case, the "digest" parameter must be explicitly set
371(otherwise, deterministic nonce generation will fail). Before using
372deterministic digital signature generation, please read RFC 6979
373Section 4 "Security Considerations". The default value for
374"nonce-type" is 0 and results in a random value being used for the
375nonce B<k> as defined in FIPS 186-4 Section 6.3 "Secret Number
376Generation".
f3090fc7 377
378=item "kat" (B<OSSL_SIGNATURE_PARAM_KAT>) <unsigned integer>
379
380Sets a flag to modify the sign operation to return an error if the initial
381calculated signature is invalid.
382In the normal mode of operation - new random values are chosen until the
383signature operation succeeds.
57cd10dd 384By default it retries until a signature is calculated.
385Setting the value to 0 causes the sign operation to retry,
386otherwise the sign operation is only tried once and returns whether or not it
387was successful.
af0d4136 388Known answer tests can be performed if the random generator is overridden to
edd3b7a3 389supply known values that either pass or fail.
390
391=back
392
363b1e5d 393OSSL_FUNC_signature_gettable_ctx_params() and OSSL_FUNC_signature_settable_ctx_params() get a
318a9dfa 394constant L<OSSL_PARAM(3)> array that describes the gettable and settable parameters,
395i.e. parameters that can be used with OSSL_FUNC_signature_get_ctx_params() and
396OSSL_FUNC_signature_set_ctx_params() respectively.
9c45222d 397
b8086652 398=head2 MD parameters
399
400See L<OSSL_PARAM(3)> for further details on the parameters structure used by
363b1e5d 401the OSSL_FUNC_signature_get_ctx_md_params() and OSSL_FUNC_signature_set_ctx_md_params()
402functions.
403
363b1e5d 404OSSL_FUNC_signature_get_ctx_md_params() gets digest parameters associated with the
d62be158 405given provider side digest signature context I<ctx> and stores them in I<params>.
406Passing NULL for I<params> should return true.
407
363b1e5d 408OSSL_FUNC_signature_set_ctx_md_params() sets the digest parameters associated with the
409given provider side digest signature context I<ctx> to I<params>.
410Any parameter settings are additional to any that were previously set.
f59612fe 411Passing NULL for I<params> should return true.
412
413Parameters currently recognised by built-in signature algorithms are the same
414as those for built-in digest algorithms. See
415L<provider-digest(7)/Digest Parameters> for further information.
416
363b1e5d 417OSSL_FUNC_signature_gettable_ctx_md_params() and OSSL_FUNC_signature_settable_ctx_md_params()
318a9dfa 418get a constant L<OSSL_PARAM(3)> array that describes the gettable and settable
d62be158 419digest parameters, i.e. parameters that can be used with
363b1e5d 420OSSL_FUNC_signature_get_ctx_md_params() and OSSL_FUNC_signature_set_ctx_md_params()
318a9dfa 421respectively.
d62be158 422
423=head1 RETURN VALUES
424
363b1e5d 425OSSL_FUNC_signature_newctx() and OSSL_FUNC_signature_dupctx() should return the newly created
b2023d5d 426provider side signature context, or NULL on failure.
4f62f5d9 427
428OSSL_FUNC_signature_gettable_ctx_params(), OSSL_FUNC_signature_settable_ctx_params(),
429OSSL_FUNC_signature_gettable_ctx_md_params() and OSSL_FUNC_signature_settable_ctx_md_params(),
318a9dfa 430return the gettable or settable parameters in a constant L<OSSL_PARAM(3)> array.
d62be158 431
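9c45222d 432All other functions should return 1 for success or 0 on error.
The verify functions should return 1 only when the signature is valid; a
signature that does not verify is reported as 0.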
433
434=head1 SEE ALSO
435
436L<provider(7)>
437
438=head1 HISTORY
439
440The provider SIGNATURE interface was introduced in OpenSSL 3.0.
441
442=head1 COPYRIGHT
443
0ce7d1f3 444Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
445
446Licensed under the Apache License 2.0 (the "License"). You may not use
447this file except in compliance with the License. You can obtain a copy
448in the file LICENSE in the source distribution or at
449L<https://www.openssl.org/source/license.html>.
450
451=cut