HMAC verification with EVP Interface
Tomas Mraz
tomas at openssl.org
Fri Aug 27 07:06:00 UTC 2021
On Thu, 2021-08-26 at 16:27 -0500, William Roberts wrote:
> On Thu, Aug 26, 2021 at 3:01 AM Tomas Mraz <tomas at openssl.org> wrote:
> >
> > On Wed, 2021-08-25 at 13:20 -0500, William Roberts wrote:
> > > Hello,
> > >
> > > I am trying to verify an HMAC signature with the code below and
> > > the
> > > EVP_DigestVerifyInit()
> > > routine is failing with "error:0608F096:digital envelope
> > > routines:EVP_PKEY_verify_init:operation not supported for this
> > > keytype". Eventually it gets to EVP_PKEY_verify_init() and since
> > > the
> > > ctx->pmeth->verify pointer is null, it sets this error. It's
> > > unclear
> > > to me why this function pointer is NULL, can someone elaborate
> > > the
> > > right way to do this via EVP interfaces?
> >
> > As HMAC is not a true signature algorithm there is no support for
> > the EVP_DigestVerifyInit() operation with HMAC 'signatures'. You
> > just
> > have to use EVP_DigestSign*() operation to create a new HMAC and
> > compare with the original value.
> >
>
> Ahh okay thanks. This was in the wiki I just scrolled too far and
> ended up under asymmetric.
> For anyone looking it was on the on the wiki here:
> - https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying
>
> But considering that Verifying could do this, since it has both the
> message and hmac
> "signature", wouldn't it be nice to add this support since it's
> generated through the
> sign interface? In my mind a Sign operation always has a verify
> operation.
There is EVP_MAC API in the 3.0 release and the HMAC support in EVP
Signing API is legacy although it is not explicitly deprecated. So it
is unlikely to be enhanced in the suggested way.
--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
More information about the openssl-users
mailing list