xref: /openbsd-src/lib/libcrypto/man/X509_sign.3 (revision 9732eb29ce21ed24935eade70fc6b23716f462a8)
1*9732eb29Stb.\" $OpenBSD: X509_sign.3,v 1.11 2024/03/06 02:34:14 tb Exp $
23da77284Sschwarze.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
3561ae957Sschwarze.\"
4561ae957Sschwarze.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
5561ae957Sschwarze.\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
6561ae957Sschwarze.\"
7561ae957Sschwarze.\" Redistribution and use in source and binary forms, with or without
8561ae957Sschwarze.\" modification, are permitted provided that the following conditions
9561ae957Sschwarze.\" are met:
10561ae957Sschwarze.\"
11561ae957Sschwarze.\" 1. Redistributions of source code must retain the above copyright
12561ae957Sschwarze.\"    notice, this list of conditions and the following disclaimer.
13561ae957Sschwarze.\"
14561ae957Sschwarze.\" 2. Redistributions in binary form must reproduce the above copyright
15561ae957Sschwarze.\"    notice, this list of conditions and the following disclaimer in
16561ae957Sschwarze.\"    the documentation and/or other materials provided with the
17561ae957Sschwarze.\"    distribution.
18561ae957Sschwarze.\"
19561ae957Sschwarze.\" 3. All advertising materials mentioning features or use of this
20561ae957Sschwarze.\"    software must display the following acknowledgment:
21561ae957Sschwarze.\"    "This product includes software developed by the OpenSSL Project
22561ae957Sschwarze.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
23561ae957Sschwarze.\"
24561ae957Sschwarze.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25561ae957Sschwarze.\"    endorse or promote products derived from this software without
26561ae957Sschwarze.\"    prior written permission. For written permission, please contact
27561ae957Sschwarze.\"    openssl-core@openssl.org.
28561ae957Sschwarze.\"
29561ae957Sschwarze.\" 5. Products derived from this software may not be called "OpenSSL"
30561ae957Sschwarze.\"    nor may "OpenSSL" appear in their names without prior written
31561ae957Sschwarze.\"    permission of the OpenSSL Project.
32561ae957Sschwarze.\"
33561ae957Sschwarze.\" 6. Redistributions of any form whatsoever must retain the following
34561ae957Sschwarze.\"    acknowledgment:
35561ae957Sschwarze.\"    "This product includes software developed by the OpenSSL Project
36561ae957Sschwarze.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
37561ae957Sschwarze.\"
38561ae957Sschwarze.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39561ae957Sschwarze.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40561ae957Sschwarze.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41561ae957Sschwarze.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
42561ae957Sschwarze.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43561ae957Sschwarze.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44561ae957Sschwarze.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45561ae957Sschwarze.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46561ae957Sschwarze.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47561ae957Sschwarze.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48561ae957Sschwarze.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49561ae957Sschwarze.\" OF THE POSSIBILITY OF SUCH DAMAGE.
50561ae957Sschwarze.\"
51*9732eb29Stb.Dd $Mdocdate: March 6 2024 $
52561ae957Sschwarze.Dt X509_SIGN 3
53561ae957Sschwarze.Os
54561ae957Sschwarze.Sh NAME
55561ae957Sschwarze.Nm X509_sign ,
56561ae957Sschwarze.Nm X509_sign_ctx ,
57561ae957Sschwarze.Nm X509_verify ,
58561ae957Sschwarze.Nm X509_REQ_sign ,
59561ae957Sschwarze.Nm X509_REQ_sign_ctx ,
60561ae957Sschwarze.Nm X509_REQ_verify ,
61561ae957Sschwarze.Nm X509_CRL_sign ,
62561ae957Sschwarze.Nm X509_CRL_sign_ctx ,
63561ae957Sschwarze.Nm X509_CRL_verify
64561ae957Sschwarze.Nd sign or verify certificate, certificate request, or CRL signature
65561ae957Sschwarze.Sh SYNOPSIS
66561ae957Sschwarze.In openssl/x509.h
67561ae957Sschwarze.Ft int
68561ae957Sschwarze.Fo X509_sign
69561ae957Sschwarze.Fa "X509 *x"
70561ae957Sschwarze.Fa "EVP_PKEY *pkey"
71561ae957Sschwarze.Fa "const EVP_MD *md"
72561ae957Sschwarze.Fc
73561ae957Sschwarze.Ft int
74561ae957Sschwarze.Fo X509_sign_ctx
75561ae957Sschwarze.Fa "X509 *x"
76561ae957Sschwarze.Fa "EVP_MD_CTX *ctx"
77561ae957Sschwarze.Fc
78561ae957Sschwarze.Ft int
79561ae957Sschwarze.Fo X509_verify
80561ae957Sschwarze.Fa "X509 *a"
81561ae957Sschwarze.Fa "EVP_PKEY *r"
82561ae957Sschwarze.Fc
83561ae957Sschwarze.Ft int
84561ae957Sschwarze.Fo X509_REQ_sign
85561ae957Sschwarze.Fa "X509_REQ *x"
86561ae957Sschwarze.Fa "EVP_PKEY *pkey"
87561ae957Sschwarze.Fa "const EVP_MD *md"
88561ae957Sschwarze.Fc
89561ae957Sschwarze.Ft int
90561ae957Sschwarze.Fo X509_REQ_sign_ctx
91561ae957Sschwarze.Fa "X509_REQ *x"
92561ae957Sschwarze.Fa "EVP_MD_CTX *ctx"
93561ae957Sschwarze.Fc
94561ae957Sschwarze.Ft int
95561ae957Sschwarze.Fo X509_REQ_verify
96561ae957Sschwarze.Fa "X509_REQ *a"
97561ae957Sschwarze.Fa "EVP_PKEY *r"
98561ae957Sschwarze.Fc
99561ae957Sschwarze.Ft int
100561ae957Sschwarze.Fo X509_CRL_sign
101561ae957Sschwarze.Fa "X509_CRL *x"
102561ae957Sschwarze.Fa "EVP_PKEY *pkey"
103561ae957Sschwarze.Fa "const EVP_MD *md"
104561ae957Sschwarze.Fc
105561ae957Sschwarze.Ft int
106561ae957Sschwarze.Fo X509_CRL_sign_ctx
107561ae957Sschwarze.Fa "X509_CRL *x"
108561ae957Sschwarze.Fa "EVP_MD_CTX *ctx"
109561ae957Sschwarze.Fc
110561ae957Sschwarze.Ft int
111561ae957Sschwarze.Fo X509_CRL_verify
112561ae957Sschwarze.Fa "X509_CRL *a"
113561ae957Sschwarze.Fa "EVP_PKEY *r"
114561ae957Sschwarze.Fc
115561ae957Sschwarze.Sh DESCRIPTION
116561ae957Sschwarze.Fn X509_sign
117561ae957Sschwarzesigns the certificate
118561ae957Sschwarze.Fa x
119561ae957Sschwarzeusing the private key
120561ae957Sschwarze.Fa pkey
121561ae957Sschwarzeand the message digest
122561ae957Sschwarze.Fa md
123561ae957Sschwarzeand sets the signature in
124561ae957Sschwarze.Fa x .
125561ae957Sschwarze.Fn X509_sign_ctx
126561ae957Sschwarzealso signs the certificate
127561ae957Sschwarze.Fa x
128561ae957Sschwarzebut uses the parameters contained in digest context
129561ae957Sschwarze.Fa ctx .
130561ae957Sschwarze.Pp
131561ae957Sschwarze.Fn X509_verify
132561ae957Sschwarzeverifies the signature of certificate
133561ae957Sschwarze.Fa a
134561ae957Sschwarzeusing the public key
135561ae957Sschwarze.Fa r .
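136561ae957SschwarzeOnly the signature is checked: no other checks (such as certificate
137561ae957Sschwarzechain validity) are performed.
A valid signature alone does not establish trust in the certificate;
chain validation is done with
.Xr X509_verify_cert 3 .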
138561ae957Sschwarze.Pp
139561ae957Sschwarze.Fn X509_REQ_sign ,
140561ae957Sschwarze.Fn X509_REQ_sign_ctx ,
141561ae957Sschwarze.Fn X509_REQ_verify ,
142561ae957Sschwarze.Fn X509_CRL_sign ,
143561ae957Sschwarze.Fn X509_CRL_sign_ctx ,
144561ae957Sschwarzeand
145561ae957Sschwarze.Fn X509_CRL_verify
146561ae957Sschwarzesign and verify certificate requests and CRLs, respectively.
147561ae957Sschwarze.Pp
148561ae957Sschwarze.Fn X509_sign_ctx
149561ae957Sschwarzeis used where the default parameters for the corresponding public key
150561ae957Sschwarzeand digest are not suitable.
151561ae957SschwarzeIt can be used to sign certificates using RSA-PSS, for example.
152561ae957Sschwarze.Sh RETURN VALUES
153561ae957Sschwarze.Fn X509_sign ,
154561ae957Sschwarze.Fn X509_sign_ctx ,
155561ae957Sschwarze.Fn X509_REQ_sign ,
156561ae957Sschwarze.Fn X509_REQ_sign_ctx ,
157561ae957Sschwarze.Fn X509_CRL_sign ,
158561ae957Sschwarzeand
159561ae957Sschwarze.Fn X509_CRL_sign_ctx
160561ae957Sschwarzereturn the size of the signature in bytes for success or 0 for failure.
161561ae957Sschwarze.Pp
162561ae957Sschwarze.Fn X509_verify ,
163561ae957Sschwarze.Fn X509_REQ_verify ,
164561ae957Sschwarzeand
165561ae957Sschwarze.Fn X509_CRL_verify
166561ae957Sschwarzereturn 1 if the signature is valid or 0 if the signature check fails.
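167561ae957SschwarzeIf the signature could not be checked at all because it was invalid or
168561ae957Sschwarzesome other error occurred, then -1 is returned.
Because -1 is non-zero, callers have to compare the return value with 1
rather than treating any non-zero value as success.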
169e94cb126Sschwarze.Pp
170e94cb126SschwarzeIn some cases of failure, the reason can be determined with
171e94cb126Sschwarze.Xr ERR_get_error 3 .
172561ae957Sschwarze.Sh SEE ALSO
173561ae957Sschwarze.Xr d2i_X509 3 ,
17455c851a1Sschwarze.Xr EVP_DigestInit 3 ,
175561ae957Sschwarze.Xr X509_CRL_get0_by_serial 3 ,
176c4c55c71Sschwarze.Xr X509_CRL_new 3 ,
177561ae957Sschwarze.Xr X509_get_pubkey 3 ,
178561ae957Sschwarze.Xr X509_get_subject_name 3 ,
179561ae957Sschwarze.Xr X509_get_version 3 ,
180561ae957Sschwarze.Xr X509_NAME_add_entry_by_txt 3 ,
181561ae957Sschwarze.Xr X509_NAME_ENTRY_get_object 3 ,
182561ae957Sschwarze.Xr X509_NAME_get_index_by_NID 3 ,
183561ae957Sschwarze.Xr X509_NAME_print_ex 3 ,
184561ae957Sschwarze.Xr X509_new 3 ,
185c4c55c71Sschwarze.Xr X509_REQ_new 3 ,
186561ae957Sschwarze.Xr X509_verify_cert 3 ,
187561ae957Sschwarze.Xr X509V3_get_d2i 3
188561ae957Sschwarze.Sh HISTORY
18910e00d17Sschwarze.Fn X509_verify
19010e00d17Sschwarzeappeared in SSLeay 0.4 or earlier.
19110e00d17Sschwarze.Fn X509_sign
19210e00d17Sschwarzeand
19310e00d17Sschwarze.Fn X509_REQ_sign
19410e00d17Sschwarzefirst appeared in SSLeay 0.4.4.
19510e00d17Sschwarze.Fn X509_REQ_verify
196561ae957Sschwarzeand
197d9d184f2Sschwarze.Fn X509_CRL_verify
19810e00d17Sschwarzefirst appeared in SSLeay 0.4.5b.
19910e00d17Sschwarze.Fn X509_CRL_sign
20010e00d17Sschwarzefirst appeared in SSLeay 0.5.1.
20110e00d17SschwarzeThese functions have been available since
202d9d184f2Sschwarze.Ox 2.4 .
203561ae957Sschwarze.Pp
204561ae957Sschwarze.Fn X509_sign_ctx ,
205561ae957Sschwarze.Fn X509_REQ_sign_ctx ,
206561ae957Sschwarzeand
207561ae957Sschwarze.Fn X509_CRL_sign_ctx
208df23f274Sschwarzefirst appeared in OpenSSL 1.0.1 and have been available since
209df23f274Sschwarze.Ox 5.3 .