NAME
     X509_sign, X509_sign_ctx, X509_verify, X509_REQ_sign, X509_REQ_sign_ctx,
     X509_REQ_verify, X509_CRL_sign, X509_CRL_sign_ctx, X509_CRL_verify —
     sign or verify certificate, certificate request, or CRL signature
SYNOPSIS
     #include <openssl/x509.h>

     int
     X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);

     int
     X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);

     int
     X509_verify(X509 *a, EVP_PKEY *r);

     int
     X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);

     int
     X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);

     int
     X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);

     int
     X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);

     int
     X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);

     int
     X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
DESCRIPTION
     X509_sign() signs the certificate x using the private key pkey and the
     message digest md and sets the signature in x.  X509_sign_ctx() also
     signs the certificate x but uses the parameters contained in the digest
     context ctx.

     X509_verify() verifies the signature of the certificate a using the
     public key r.  Only the signature is checked: no other checks (such as
     certificate chain validity, expiry, or revocation) are performed.

     X509_REQ_sign(), X509_REQ_sign_ctx(), X509_REQ_verify(), X509_CRL_sign(),
     X509_CRL_sign_ctx(), and X509_CRL_verify() sign and verify certificate
     requests and CRLs, respectively.

     If X509_CRL_set_default_method(3) was in effect at the time the X509_CRL
     object was created, X509_CRL_verify() calls the crl_verify() callback
     function instead of performing the default action.

     X509_sign_ctx() is used where the default parameters for the
     corresponding public key and digest are not suitable.  It can be used,
     for example, to sign with RSA-PSS.

     For efficiency reasons and to work around ASN.1 encoding issues, the
     encoding of the signed portion of a certificate, certificate request,
     and CRL is cached internally.  If the signed portion of the structure is
     modified, the encoding is not always updated, meaning a stale version is
     sometimes used.  This is not normally a problem because modifying the
     signed portion will invalidate the signature and signing will always
     update the encoding.
RETURN VALUES
     X509_sign(), X509_sign_ctx(), X509_REQ_sign(), X509_REQ_sign_ctx(),
     X509_CRL_sign(), and X509_CRL_sign_ctx() return the size of the
     signature in bytes for success or 0 for failure.

     X509_verify(), X509_REQ_verify(), and X509_CRL_verify() return 1 if the
     signature is valid or 0 if the signature check fails.  If the signature
     could not be checked at all because it was invalid or some other error
     occurred, then -1 is returned.

     In some cases of failure, the reason can be determined with
     ERR_get_error(3).
SEE ALSO
     d2i_X509(3), EVP_DigestInit(3), X509_CRL_get0_by_serial(3),
     X509_CRL_METHOD_new(3), X509_CRL_new(3), X509_get_pubkey(3),
     X509_get_subject_name(3), X509_get_version(3),
     X509_NAME_add_entry_by_txt(3), X509_NAME_ENTRY_get_object(3),
     X509_NAME_get_index_by_NID(3), X509_NAME_print_ex(3), X509_new(3),
     X509_REQ_new(3), X509_verify_cert(3), X509V3_get_d2i(3)
HISTORY
     X509_verify() appeared in SSLeay 0.4 or earlier.  X509_sign() and
     X509_REQ_sign() first appeared in SSLeay 0.4.4.  X509_REQ_verify() and
     X509_CRL_verify() first appeared in SSLeay 0.4.5b.  X509_CRL_sign()
     first appeared in SSLeay 0.5.1.  These functions have been available
     since OpenBSD 2.4.

     X509_sign_ctx(), X509_REQ_sign_ctx(), and X509_CRL_sign_ctx() first
     appeared in OpenSSL 1.0.1 and have been available since OpenBSD 5.3.