Checking if a key can sign / verify in 3.0

Matt Caswell matt at
Wed Aug 26 09:46:53 UTC 2020

On 19/08/2020 02:01, Norm Green wrote:
> In 3.0 I see this new function in evp.h :
> int EVP_PKEY_can_sign(const EVP_PKEY *pkey);
> Is there an equivalent way to check if a key can verify? I'm not seeing
> an obvious way to do that.  Previously I used
> EVP_PKEY_meth_get_verifyctx() but that call is now deprecated in 3.0.

That function checks whether the algorithm used by the key is capable of
doing signature operations. It does *not* check whether the key itself
has all the required components in order to perform the signature (nor
whether there are any available provider implementations that implement it).

>From the docs:

"EVP_PKEY_can_sign() checks if the functionality for the key type of
I<pkey> supports signing.  No other check is done, such as whether
I<pkey> contains a private key."

Since there's not much point in having an algorithm that can create
signatures, which can't also verify them, then the two operations are
equivalent, i.e. if we had a function called `EVP_PKEY_can_verify()` it
would be synonymous with `EVP_PKEY_can_sign()`.


More information about the openssl-users mailing list