xref: /onnv-gate/usr/src/common/openssl/doc/crypto/ecdsa.pod (revision 2175:b0b2f052a486) 
1*2175Sjp161948=pod
2*2175Sjp161948
3*2175Sjp161948=head1 NAME
4*2175Sjp161948
5*2175Sjp161948ecdsa - Elliptic Curve Digital Signature Algorithm
6*2175Sjp161948
7*2175Sjp161948=head1 SYNOPSIS
8*2175Sjp161948
9*2175Sjp161948 #include <openssl/ecdsa.h>
10*2175Sjp161948
11*2175Sjp161948 ECDSA_SIG*	ECDSA_SIG_new(void);
12*2175Sjp161948 void		ECDSA_SIG_free(ECDSA_SIG *sig);
13*2175Sjp161948 int		i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp);
14*2175Sjp161948 ECDSA_SIG*	d2i_ECDSA_SIG(ECDSA_SIG **sig, const unsigned char **pp,
15*2175Sjp161948		long len);
16*2175Sjp161948
17*2175Sjp161948 ECDSA_SIG*	ECDSA_do_sign(const unsigned char *dgst, int dgst_len,
18*2175Sjp161948			EC_KEY *eckey);
19*2175Sjp161948 ECDSA_SIG*	ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen,
20*2175Sjp161948			const BIGNUM *kinv, const BIGNUM *rp,
21*2175Sjp161948			EC_KEY *eckey);
22*2175Sjp161948 int		ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
23*2175Sjp161948			const ECDSA_SIG *sig, EC_KEY* eckey);
24*2175Sjp161948 int		ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx,
25*2175Sjp161948			BIGNUM **kinv, BIGNUM **rp);
26*2175Sjp161948 int		ECDSA_sign(int type, const unsigned char *dgst,
27*2175Sjp161948			int dgstlen, unsigned char *sig,
28*2175Sjp161948			unsigned int *siglen, EC_KEY *eckey);
29*2175Sjp161948 int		ECDSA_sign_ex(int type, const unsigned char *dgst,
30*2175Sjp161948			int dgstlen, unsigned char *sig,
31*2175Sjp161948			unsigned int *siglen, const BIGNUM *kinv,
32*2175Sjp161948			const BIGNUM *rp, EC_KEY *eckey);
33*2175Sjp161948 int		ECDSA_verify(int type, const unsigned char *dgst,
34*2175Sjp161948			int dgstlen, const unsigned char *sig,
35*2175Sjp161948			int siglen, EC_KEY *eckey);
36*2175Sjp161948 int		ECDSA_size(const EC_KEY *eckey);
37*2175Sjp161948
38*2175Sjp161948 const ECDSA_METHOD*	ECDSA_OpenSSL(void);
39*2175Sjp161948 void		ECDSA_set_default_method(const ECDSA_METHOD *meth);
40*2175Sjp161948 const ECDSA_METHOD*	ECDSA_get_default_method(void);
41*2175Sjp161948 int		ECDSA_set_method(EC_KEY *eckey,const ECDSA_METHOD *meth);
42*2175Sjp161948
43*2175Sjp161948 int		ECDSA_get_ex_new_index(long argl, void *argp,
44*2175Sjp161948			CRYPTO_EX_new *new_func,
45*2175Sjp161948			CRYPTO_EX_dup *dup_func,
46*2175Sjp161948			CRYPTO_EX_free *free_func);
47*2175Sjp161948 int		ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg);
48*2175Sjp161948 void*		ECDSA_get_ex_data(EC_KEY *d, int idx);
49*2175Sjp161948
50*2175Sjp161948=head1 DESCRIPTION
51*2175Sjp161948
52*2175Sjp161948The B<ECDSA_SIG> structure consists of two BIGNUMs for the
53*2175Sjp161948r and s value of a ECDSA signature (see X9.62 or FIPS 186-2).
54*2175Sjp161948
55*2175Sjp161948 struct
56*2175Sjp161948	{
57*2175Sjp161948	BIGNUM *r;
58*2175Sjp161948	BIGNUM *s;
59*2175Sjp161948 } ECDSA_SIG;
60*2175Sjp161948
61*2175Sjp161948ECDSA_SIG_new() allocates a new B<ECDSA_SIG> structure (note: this
62*2175Sjp161948function also allocates the BIGNUMs) and initialize it.
63*2175Sjp161948
64*2175Sjp161948ECDSA_SIG_free() frees the B<ECDSA_SIG> structure B<sig>.
65*2175Sjp161948
66*2175Sjp161948i2d_ECDSA_SIG() creates the DER encoding of the ECDSA signature
67*2175Sjp161948B<sig> and writes the encoded signature to B<*pp> (note: if B<pp>
68*2175Sjp161948is NULL B<i2d_ECDSA_SIG> returns the expected length in bytes of
69*2175Sjp161948the DER encoded signature). B<i2d_ECDSA_SIG> returns the length
70*2175Sjp161948of the DER encoded signature (or 0 on error).
71*2175Sjp161948
72*2175Sjp161948d2i_ECDSA_SIG() decodes a DER encoded ECDSA signature and returns
73*2175Sjp161948the decoded signature in a newly allocated B<ECDSA_SIG> structure.
74*2175Sjp161948B<*sig> points to the buffer containing the DER encoded signature
75*2175Sjp161948of size B<len>.
76*2175Sjp161948
77*2175Sjp161948ECDSA_size() returns the maximum length of a DER encoded
78*2175Sjp161948ECDSA signature created with the private EC key B<eckey>.
79*2175Sjp161948
80*2175Sjp161948ECDSA_sign_setup() may be used to precompute parts of the
81*2175Sjp161948signing operation. B<eckey> is the private EC key and B<ctx>
82*2175Sjp161948is a pointer to B<BN_CTX> structure (or NULL). The precomputed
83*2175Sjp161948values or returned in B<kinv> and B<rp> and can be used in a
84*2175Sjp161948later call to B<ECDSA_sign_ex> or B<ECDSA_do_sign_ex>.
85*2175Sjp161948
86*2175Sjp161948ECDSA_sign() is wrapper function for ECDSA_sign_ex with B<kinv>
87*2175Sjp161948and B<rp> set to NULL.
88*2175Sjp161948
89*2175Sjp161948ECDSA_sign_ex() computes a digital signature of the B<dgstlen> bytes
90*2175Sjp161948hash value B<dgst> using the private EC key B<eckey> and the optional
91*2175Sjp161948pre-computed values B<kinv> and B<rp>. The DER encoded signatures is
92*2175Sjp161948stored in B<sig> and it's length is returned in B<sig_len>. Note: B<sig>
93*2175Sjp161948must point to B<ECDSA_size> bytes of memory. The parameter B<type>
94*2175Sjp161948is ignored.
95*2175Sjp161948
96*2175Sjp161948ECDSA_verify() verifies that the signature in B<sig> of size
97*2175Sjp161948B<siglen> is a valid ECDSA signature of the hash value
98*2175Sjp161948value B<dgst> of size B<dgstlen> using the public key B<eckey>.
99*2175Sjp161948The parameter B<type> is ignored.
100*2175Sjp161948
101*2175Sjp161948ECDSA_do_sign() is wrapper function for ECDSA_do_sign_ex with B<kinv>
102*2175Sjp161948and B<rp> set to NULL.
103*2175Sjp161948
104*2175Sjp161948ECDSA_do_sign_ex() computes a digital signature of the B<dgst_len>
105*2175Sjp161948bytes hash value B<dgst> using the private key B<eckey> and the
106*2175Sjp161948optional pre-computed values B<kinv> and B<rp>. The signature is
107*2175Sjp161948returned in a newly allocated B<ECDSA_SIG> structure (or NULL on error).
108*2175Sjp161948
109*2175Sjp161948ECDSA_do_verify() verifies that the signature B<sig> is a valid
110*2175Sjp161948ECDSA signature of the hash value B<dgst> of size B<dgst_len>
111*2175Sjp161948using the public key B<eckey>.
112*2175Sjp161948
113*2175Sjp161948=head1 RETURN VALUES
114*2175Sjp161948
115*2175Sjp161948ECDSA_size() returns the maximum length signature or 0 on error.
116*2175Sjp161948
117*2175Sjp161948ECDSA_sign_setup() and ECDSA_sign() return 1 if successful or -1
118*2175Sjp161948on error.
119*2175Sjp161948
120*2175Sjp161948ECDSA_verify() and ECDSA_do_verify() return 1 for a valid
121*2175Sjp161948signature, 0 for an invalid signature and -1 on error.
122*2175Sjp161948The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
123*2175Sjp161948
124*2175Sjp161948=head1 EXAMPLES
125*2175Sjp161948
126*2175Sjp161948Creating a ECDSA signature of given SHA-1 hash value using the
127*2175Sjp161948named curve secp192k1.
128*2175Sjp161948
129*2175Sjp161948First step: create a EC_KEY object (note: this part is B<not> ECDSA
130*2175Sjp161948specific)
131*2175Sjp161948
132*2175Sjp161948 int        ret;
133*2175Sjp161948 ECDSA_SIG *sig;
134*2175Sjp161948 EC_KEY    *eckey = EC_KEY_new();
135*2175Sjp161948 if (eckey == NULL)
136*2175Sjp161948	{
137*2175Sjp161948	/* error */
138*2175Sjp161948	}
139*2175Sjp161948 key->group = EC_GROUP_new_by_nid(NID_secp192k1);
140*2175Sjp161948 if (key->group == NULL)
141*2175Sjp161948	{
142*2175Sjp161948	/* error */
143*2175Sjp161948	}
144*2175Sjp161948 if (!EC_KEY_generate_key(eckey))
145*2175Sjp161948	{
146*2175Sjp161948	/* error */
147*2175Sjp161948	}
148*2175Sjp161948
149*2175Sjp161948Second step: compute the ECDSA signature of a SHA-1 hash value
150*2175Sjp161948using B<ECDSA_do_sign>
151*2175Sjp161948
152*2175Sjp161948 sig = ECDSA_do_sign(digest, 20, eckey);
153*2175Sjp161948 if (sig == NULL)
154*2175Sjp161948	{
155*2175Sjp161948	/* error */
156*2175Sjp161948	}
157*2175Sjp161948
158*2175Sjp161948or using B<ECDSA_sign>
159*2175Sjp161948
160*2175Sjp161948 unsigned char *buffer, *pp;
161*2175Sjp161948 int            buf_len;
162*2175Sjp161948 buf_len = ECDSA_size(eckey);
163*2175Sjp161948 buffer  = OPENSSL_malloc(buf_len);
164*2175Sjp161948 pp = buffer;
165*2175Sjp161948 if (!ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey);
166*2175Sjp161948	{
167*2175Sjp161948	/* error */
168*2175Sjp161948	}
169*2175Sjp161948
170*2175Sjp161948Third step: verify the created ECDSA signature using B<ECDSA_do_verify>
171*2175Sjp161948
172*2175Sjp161948 ret = ECDSA_do_verify(digest, 20, sig, eckey);
173*2175Sjp161948
174*2175Sjp161948or using B<ECDSA_verify>
175*2175Sjp161948
176*2175Sjp161948 ret = ECDSA_verify(0, digest, 20, buffer, buf_len, eckey);
177*2175Sjp161948
178*2175Sjp161948and finally evaluate the return value:
179*2175Sjp161948
180*2175Sjp161948 if (ret == -1)
181*2175Sjp161948	{
182*2175Sjp161948	/* error */
183*2175Sjp161948	}
184*2175Sjp161948 else if (ret == 0)
185*2175Sjp161948	{
186*2175Sjp161948	/* incorrect signature */
187*2175Sjp161948	}
188*2175Sjp161948 else	/* ret == 1 */
189*2175Sjp161948	{
190*2175Sjp161948	/* signature ok */
191*2175Sjp161948	}
192*2175Sjp161948
193*2175Sjp161948=head1 CONFORMING TO
194*2175Sjp161948
195*2175Sjp161948ANSI X9.62, US Federal Information Processing Standard FIPS 186-2
196*2175Sjp161948(Digital Signature Standard, DSS)
197*2175Sjp161948
198*2175Sjp161948=head1 SEE ALSO
199*2175Sjp161948
200*2175Sjp161948L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>
201*2175Sjp161948
202*2175Sjp161948=head1 HISTORY
203*2175Sjp161948
204*2175Sjp161948The ecdsa implementation was first introduced in OpenSSL 0.9.8
205*2175Sjp161948
206*2175Sjp161948=head1 AUTHOR
207*2175Sjp161948
208*2175Sjp161948Nils Larsch for the OpenSSL project (http://www.openssl.org).
209*2175Sjp161948
210*2175Sjp161948=cut
211