HMAC verification with EVP Interface

William Roberts bill.c.roberts at gmail.com
Thu Aug 26 21:27:18 UTC 2021


On Thu, Aug 26, 2021 at 3:01 AM Tomas Mraz <tomas at openssl.org> wrote:
>
> On Wed, 2021-08-25 at 13:20 -0500, William Roberts wrote:
> > Hello,
> >
> > I am trying to verify an HMAC signature with the code below and the
> > EVP_DigestVerifyInit()
> > routine is failing with "error:0608F096:digital envelope
> > routines:EVP_PKEY_verify_init:operation not supported for this
> > keytype". Eventually it gets to EVP_PKEY_verify_init() and since the
> > ctx->pmeth->verify pointer is null, it sets this error. It's unclear
> > to me why this function pointer is NULL, can someone elaborate the
> > right way to do this via EVP interfaces?
>
> As HMAC is not a true signature algorithm there is no support for
> the EVP_DigestVerifyInit() operation with HMAC 'signatures'. You just
> have to use EVP_DigestSign*() operation to create a new HMAC and
> compare with the original value.
>

Ahh okay thanks. This was in the wiki I just scrolled too far and
ended up under asymmetric.
For anyone looking it was on the on the wiki here:
  - https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying

But considering that Verifying could do this, since it has both the
message and hmac
"signature", wouldn't it be nice to add this support since it's
generated through the
sign interface? In my mind a Sign operation always has a verify operation.


More information about the openssl-users mailing list