Checking if a key can sign / verify in 3.0
matt at openssl.org
Wed Aug 26 09:46:53 UTC 2020
On 19/08/2020 02:01, Norm Green wrote:
> In 3.0 I see this new function in evp.h:
> int EVP_PKEY_can_sign(const EVP_PKEY *pkey);
> Is there an equivalent way to check if a key can verify? I'm not seeing
> an obvious way to do that. Previously I used
> EVP_PKEY_meth_get_verifyctx() but that call is now deprecated in 3.0.
That function checks whether the algorithm used by the key is capable of
doing signature operations. It does *not* check whether the key itself
has all the required components in order to perform the signature (nor
whether there are any available provider implementations that implement it).
From the docs:
"EVP_PKEY_can_sign() checks if the functionality for the key type of
I<pkey> supports signing. No other check is done, such as whether
I<pkey> contains a private key."
Since there's not much point in having an algorithm that can create
signatures but can't also verify them, the two operations are
equivalent, i.e. if we had a function called `EVP_PKEY_can_verify()` it
would be synonymous with `EVP_PKEY_can_sign()`.