1X509_SIGN(3) OpenSSL X509_SIGN(3)
2
3
4
6 X509_sign, X509_sign_ctx, X509_verify, X509_REQ_sign,
7 X509_REQ_sign_ctx, X509_REQ_verify, X509_CRL_sign, X509_CRL_sign_ctx,
8 X509_CRL_verify - sign or verify certificate, certificate request or
9 CRL signature
10
12 #include <openssl/x509.h>
13
14 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
15 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
16 int X509_verify(X509 *a, EVP_PKEY *r);
17
18 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
19 int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
20 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
21
22 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
23 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
24 int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
25
27 X509_sign() signs certificate x using private key pkey and message
28 digest md and sets the signature in x. X509_sign_ctx() also signs
29 certificate x but uses the parameters contained in digest context ctx.
30
31 X509_verify() verifies the signature of certificate x using public key
32 pkey. Only the signature is checked: no other checks (such as
33 certificate chain validity) are performed.
34
35 X509_REQ_sign(), X509_REQ_sign_ctx(), X509_REQ_verify(),
36 X509_CRL_sign(), X509_CRL_sign_ctx() and X509_CRL_verify() sign and
37 verify certificate requests and CRLs respectively.
38
40 X509_sign_ctx() is used where the default parameters for the
41 corresponding public key and digest are not suitable. It can be used to
42 sign keys using RSA-PSS for example.
43
44 For efficiency reasons and to work around ASN.1 encoding issues the
45 encoding of the signed portion of a certificate, certificate request
46 and CRL is cached internally. If the signed portion of the structure is
47 modified the encoding is not always updated meaning a stale version is
48 sometimes used. This is not normally a problem because modifying the
49 signed portion will invalidate the signature and signing will always
50 update the encoding.
51
53 X509_sign(), X509_sign_ctx(), X509_REQ_sign(), X509_REQ_sign_ctx(),
54 X509_CRL_sign() and X509_CRL_sign_ctx() return the size of the
55 signature in bytes for success and zero for failure.
56
57 X509_verify(), X509_REQ_verify() and X509_CRL_verify() return 1 if the
58 signature is valid and 0 if the signature check fails. If the signature
59 could not be checked at all because it was invalid or some other error
60 occurred then -1 is returned.
61
63 d2i_X509(3), ERR_get_error(3), X509_CRL_get0_by_serial(3),
64 X509_get0_signature(3), X509_get_ext_d2i(3),
65 X509_get_extension_flags(3), X509_get_pubkey(3),
66 X509_get_subject_name(3), X509_get_version(3),
67 X509_NAME_add_entry_by_txt(3), X509_NAME_ENTRY_get_object(3),
68 X509_NAME_get_index_by_NID(3), X509_NAME_print_ex(3), X509_new(3),
69 X509V3_get_d2i(3), X509_verify_cert(3)
70
72 The X509_sign(), X509_REQ_sign() and X509_CRL_sign() functions are
73 available in all versions of OpenSSL.
74
75 The X509_sign_ctx(), X509_REQ_sign_ctx() and X509_CRL_sign_ctx()
76 functions were added OpenSSL 1.0.1.
77
79 Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
80
81 Licensed under the OpenSSL license (the "License"). You may not use
82 this file except in compliance with the License. You can obtain a copy
83 in the file LICENSE in the source distribution or at
84 <https://www.openssl.org/source/license.html>.
85
86
87
881.1.1q 2023-02-06 X509_SIGN(3)