EVP signing functions
, EVP_PKEY_CTX **pctx
const EVP_MD *type
, const void *d
, unsigned char *sig
The EVP signature routines are a high level interface to digital signatures.
() sets up the signing context
to use the digest
private key pkey
must be initialized with
before calling this function. If pctx
of the signing operation will be
written to *pctx
: this can be used to set
alternative signing options.
bytes of data at
into the signature context
. This function can be called several
times on the same ctx
to include additional
data. This function is currently implemented using a macro.
() signs the data in
and places the signature in
. If sig
, then the maximum size of the
output buffer is written to *siglen
, then before the call
should contain the length of the
buffer. If the call is successful, the
signature is written to sig
and the amount of
data written to siglen
The EVP interface to digital signatures should almost always be used in
preference to the low level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.
In previous versions of OpenSSL, there was a link between message digest types
and public key algorithms. This meant that "clone" digests such as
needed to be used
to sign using SHA1 and DSA. This is no longer necessary and the use of clone
digests is now discouraged.
The call to EVP_DigestSignFinal
finalizes a copy of the digest context. This means that
() can be called later to
digest and sign additional data.
Since only a copy of the digest context is ever finalized, the context must be
cleaned up after use by calling
or a memory leak will occur.
The use of EVP_PKEY_size(3)
with these functions is discouraged because some signature operations may have
a signature length which depends on the parameters set. As a result,
have to return a value which indicates the maximum possible signature length for any
set of parameters.
() return 1 for success and 0
or a negative value for failure. In particular, a return value of -2 indicates
the operation is not supported by the public key algorithm.
The error codes can be obtained from
() were first added to OpenSSL