EVP Signing and Verifying
There are two APIs available for performing sign and verify operations. The older EVP_Sign* functions, and the newer and more flexible EVP_DigestSign* functions. They are very similar, but for new applications the EVP_DigestSign* versions should be preferred.
Signing a Message
Signing a message is a three stage process:
- Initialise the operation.
- Add message data (this step can be repeated as many times as necessary to add more message data)
- Create the signature
In order to initialise the operation, you need to have first set up a EVP_PKEY object containing a public key for an algorithm that supports signing. Refer to EVP:Working with EVP_PKEYs for further information. You also need to provide a message digest algorithm (refer to EVP:Working with Algorithms and Modes).
See the following for an example of signing a message:
/* Create the Message Digest Context */ if(!(mdctx = EVP_MD_CTX_create())) goto err; /* Initialise the DigestSign operation */ if(!EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, key)) goto err; /* Call update with the message */ if(!EVP_DigestSignUpdate(mdctx, msg, strlen(msg))) goto err; /* Finalise the DigestSign operation */ *sig = NULL; if(!EVP_DigestSignFinal(mdctx, *sig, slen)) goto err; if(!(*sig = malloc(sizeof(unsigned char) * (*slen)))) goto err; if(!EVP_DigestSignFinal(mdctx, *sig, slen)) goto err;