X509_GET0_SIGNATURE(3) | Library Functions Manual | X509_GET0_SIGNATURE(3) |
NAME¶
X509_get0_signature
,
X509_REQ_get0_signature
,
X509_CRL_get0_signature
,
X509_get0_tbs_sigalg
,
X509_CRL_get0_tbs_sigalg
,
X509_get_signature_type
,
X509_get_signature_nid
,
X509_REQ_get_signature_nid
,
X509_CRL_get_signature_nid
,
X509_get_signature_info
—
signature information
SYNOPSIS¶
#include
<openssl/x509.h>
void
X509_get0_signature
(const
ASN1_BIT_STRING **psig, const X509_ALGOR **palg,
const X509 *x);
void
X509_REQ_get0_signature
(const X509_REQ
*req, const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg);
void
X509_CRL_get0_signature
(const X509_CRL
*crl, const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg);
const X509_ALGOR *
X509_get0_tbs_sigalg
(const X509
*x);
const X509_ALGOR *
X509_CRL_get0_tbs_sigalg
(const
X509_CRL *crl);
int
X509_get_signature_type
(const X509
*x);
int
X509_get_signature_nid
(const X509
*x);
int
X509_REQ_get_signature_nid
(const
X509_REQ *req);
int
X509_CRL_get_signature_nid
(const
X509_CRL *crl);
int
X509_get_signature_info
(X509 *x,
int *md_nid, int *pkey_nid,
int *security_bits, uint32_t
*flags);
DESCRIPTION¶
X509_get0_signature
(),
X509_REQ_get0_signature
(),
and
X509_CRL_get0_signature
()
set *psig to the signature and
*palg to the signature algorithm of
x, req, or
crl, respectively.
X509_get0_tbs_sigalg
()
and
X509_CRL_get0_tbs_sigalg
()
return the signature algorithm in the signed portion of
x or crl, respectively. The
values returned are internal pointers that must not be freed by the
caller.
X509_get_signature_type
()
returns the base NID corresponding to the signature algorithm of
x just like EVP_PKEY_base_id(3)
does.
X509_get_signature_nid
(),
X509_REQ_get_signature_nid
(),
and
X509_CRL_get_signature_nid
()
return the NID corresponding to the signature algorithm of
x, req, or
crl, respectively, just like
EVP_PKEY_id(3) does.
X509_get_signature_info
()
retrieves information about the signature of certificate
x. The NID of the digest algorithm is written to
*md_nid, the public key algorithm to
*pkey_nid, the effective security bits to
*security_bits, and flag details to
*flags. Any of the output parameters can be set to
NULL
if the information is not required. If
flags is not a NULL
pointer,
*flags is set to the bitwise OR of:
X509_SIG_INFO_VALID
- No error occurred. This flag is set if
X509_get_signature_info
() returns 1. X509_SIG_INFO_TLS
- The signature algorithm is appropriate for use in TLS. For a supported EdDSA algorithm (in LibreSSL this is Ed25519) this flag is always set. For an RSASSA-PSS PSS algorithm this flag is set if the parameters are DER encoded, the digest algorithm is one of SHA256, SHA384, or SHA512, the same digest algorithm is used in the mask generation function, and the salt length is equal to the digest algorithm's output length. For all other signature algorithms this flag is set if the digest algorithm is one of SHA1, SHA256, SHA384, or SHA512.
X509_get_signature_info
()
returns 1 on success and 0 on failure. Failure conditions include
unsupported signature algorithms, certificate parsing errors and memory
allocation failure.
These functions provide lower level access to the signature for cases where an application wishes to analyse or generate a signature in a form where X509_sign(3) is not appropriate, for example in a non-standard or unsupported format.
SEE ALSO¶
EVP_PKEY_base_id(3), OBJ_obj2nid(3), X509_ALGOR_new(3), X509_CRL_get0_by_serial(3), X509_CRL_new(3), X509_get_pubkey(3), X509_get_subject_name(3), X509_get_version(3), X509_new(3), X509_REQ_new(3), X509_sign(3), X509_signature_dump(3), X509_verify_cert(3)
HISTORY¶
X509_get_signature_type
() first appeared
in SSLeay 0.8.0 and has been available since OpenBSD
2.4.
X509_get0_signature
() and
X509_get_signature_nid
() first appeared in OpenSSL
1.0.2. X509_REQ_get0_signature
(),
X509_CRL_get0_signature
(),
X509_get0_tbs_sigalg
(),
X509_REQ_get_signature_nid
(), and
X509_CRL_get_signature_nid
() first appeared in
OpenSSL 1.1.0. All these functions have been available since
OpenBSD 6.3.
X509_CRL_get0_tbs_sigalg
() first appeared
in LibreSSL 3.7.1 and has been available since OpenBSD
7.3.
X509_get_signature_info
() first appeared
in OpenSSL 1.1.1 and has been available since OpenBSD
7.6.
CAVEATS¶
The security bits returned by
X509_get_signature_info
() refer to the information
available from the certificate signature (such as the signing digest). In
some cases the actual security of the signature is smaller because the
signing key is less secure. For example in a certificate signed using SHA512
and a 1024-bit RSA key.
August 28, 2024 | Linux 6.4.0-150600.23.25-default |