1X509_SIGN(3)                        OpenSSL                       X509_SIGN(3)
2
3
4

NAME

6       X509_sign, X509_sign_ctx, X509_verify, X509_REQ_sign,
7       X509_REQ_sign_ctx, X509_REQ_verify, X509_CRL_sign, X509_CRL_sign_ctx,
8       X509_CRL_verify - sign or verify certificate, certificate request or
9       CRL signature
10

SYNOPSIS

12        #include <openssl/x509.h>
13
14        int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
15        int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
16        int X509_verify(X509 *a, EVP_PKEY *r);
17
18        int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
19        int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
20        int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
21
22        int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
23        int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
24        int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
25

DESCRIPTION

27       X509_sign() signs certificate x using private key pkey and message
28       digest md and sets the signature in x. X509_sign_ctx() also signs
29       certificate x but uses the parameters contained in digest context ctx.
30
31       X509_verify() verifies the signature of certificate x using public key
32       pkey. Only the signature is checked: no other checks (such as
33       certificate chain validity) are performed.
34
35       X509_REQ_sign(), X509_REQ_sign_ctx(), X509_REQ_verify(),
36       X509_CRL_sign(), X509_CRL_sign_ctx() and X509_CRL_verify() sign and
37       verify certificate requests and CRLs respectively.
38

NOTES

40       X509_sign_ctx() is used where the default parameters for the
41       corresponding public key and digest are not suitable. It can be used to
42       sign keys using RSA-PSS for example.
43
44       For efficiency reasons and to work around ASN.1 encoding issues the
45       encoding of the signed portion of a certificate, certificate request
46       and CRL is cached internally. If the signed portion of the structure is
47       modified the encoding is not always updated meaning a stale version is
48       sometimes used. This is not normally a problem because modifying the
49       signed portion will invalidate the signature and signing will always
50       update the encoding.
51

RETURN VALUES

53       X509_sign(), X509_sign_ctx(), X509_REQ_sign(), X509_REQ_sign_ctx(),
54       X509_CRL_sign() and X509_CRL_sign_ctx() return the size of the
55       signature in bytes for success and zero for failure.
56
57       X509_verify(), X509_REQ_verify() and X509_CRL_verify() return 1 if the
58       signature is valid and 0 if the signature check fails. If the signature
59       could not be checked at all because it was invalid or some other error
60       occurred then -1 is returned.
61

SEE ALSO

63       d2i_X509(3), ERR_get_error(3), X509_CRL_get0_by_serial(3),
64       X509_get0_signature(3), X509_get_ext_d2i(3),
65       X509_get_extension_flags(3), X509_get_pubkey(3),
66       X509_get_subject_name(3), X509_get_version(3),
67       X509_NAME_add_entry_by_txt(3), X509_NAME_ENTRY_get_object(3),
68       X509_NAME_get_index_by_NID(3), X509_NAME_print_ex(3), X509_new(3),
69       X509V3_get_d2i(3), X509_verify_cert(3)
70

HISTORY

72       The X509_sign(), X509_REQ_sign() and X509_CRL_sign() functions are
73       available in all versions of OpenSSL.
74
75       The X509_sign_ctx(), X509_REQ_sign_ctx() and X509_CRL_sign_ctx()
76       functions were added OpenSSL 1.0.1.
77

79       Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
80
81       Licensed under the OpenSSL license (the "License").  You may not use
82       this file except in compliance with the License.  You can obtain a copy
83       in the file LICENSE in the source distribution or at
84       <https://www.openssl.org/source/license.html>.
85
86
87
881.1.1q                            2023-07-20                      X509_SIGN(3)
Impressum