[openssl-users] Checking if an EVP_PKEY* contains a private key

Victor Wagner vitus at wagner.pp.ru
Tue Dec 22 07:35:36 UTC 2015

On Mon, 21 Dec 2015 21:29:03 -0800
Stephen Kou <s.kou at outlook.com> wrote:

> OpenSSL has the higher-level EVP_PKEY_* functions which
> abstract the public key cryptography algorithms.  However, sometimes
> an EVP_PKEY* only has a public key.  How could I check if a given
> EVP_PKEY* contains a private key?  I could use EVP_PKEY_decrypt_init
> and see if it returns an error, but that seems to be quite
> heavy-handed for what seems to be a simple check.  The other option
> is to go through the EVP_PKEY_get0_* functions and investigate the
> underlying mechanism directly (e.g. EVP_PKEY_get0_RSA and checking
> the RSA*'s private exponent is NULL), but that is also clumsy as I'll
> have to write code for every possible algorithm.

You cannot use EVP_PKEY_decrypt_init if you want code which works for
every possible algorithm, because not every public key
algorithm is required to support encrypt/decrypt operations. For
instance, DSA supports only sign/verify, DH - derive, EC_KEY - both of
them, but not encrypt/decrypt.
