Checking if a key can sign / verify in 3.0

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Checking if a key can sign / verify in 3.0

Norm Green
In 3.0 I see this new function in evp.h :

int EVP_PKEY_can_sign(const EVP_PKEY *pkey);

Is there an equivalent way to check if a key can verify? I'm not seeing
an obvious way to do that.  Previously I used
EVP_PKEY_meth_get_verifyctx() but that call is now deprecated in 3.0.

thanks,

Norm Green

Reply | Threaded
Open this post in threaded view
|

Re: Checking if a key can sign / verify in 3.0

Norm Green
No comments on my question? Should there not be a way to know if an
EVP_PKEY is valid for verification besides attempting the verify
operation and getting a weird error code?  Doesn't seem like too much to
expect since we already have EVP_PKEY_can_sign().
I'm happy to implement EVP_PKEY_can_verify() with some assurance such a
PR would be accepted.

Norm Green

On 8/18/2020 6:01 PM, Norm Green wrote:

> In 3.0 I see this new function in evp.h :
>
> int EVP_PKEY_can_sign(const EVP_PKEY *pkey);
>
> Is there an equivalent way to check if a key can verify? I'm not
> seeing an obvious way to do that.  Previously I used
> EVP_PKEY_meth_get_verifyctx() but that call is now deprecated in 3.0.
>
> thanks,
>
> Norm Green
>

Reply | Threaded
Open this post in threaded view
|

Re: Checking if a key can sign / verify in 3.0

Matt Caswell-2
In reply to this post by Norm Green


On 19/08/2020 02:01, Norm Green wrote:
> In 3.0 I see this new function in evp.h :
>
> int EVP_PKEY_can_sign(const EVP_PKEY *pkey);
>
> Is there an equivalent way to check if a key can verify? I'm not seeing
> an obvious way to do that.  Previously I used
> EVP_PKEY_meth_get_verifyctx() but that call is now deprecated in 3.0.

That function checks whether the algorithm used by the key is capable of
doing signature operations. It does *not* check whether the key itself
has all the required components in order to perform the signature (nor
whether there are any available provider implementations that implement it).

From the docs:

"EVP_PKEY_can_sign() checks if the functionality for the key type of
I<pkey> supports signing.  No other check is done, such as whether
I<pkey> contains a private key."

Since there's not much point in having an algorithm that can create
signatures, which can't also verify them, then the two operations are
equivalent, i.e. if we had a function called `EVP_PKEY_can_verify()` it
would be synonymous with `EVP_PKEY_can_sign()`.

Matt