man/keyctl_pkey_sign.3 - linux/kernel/git/dhowells/keyutils - Git at Google

 .\"
 .\" Copyright (C) 2018 Red Hat, Inc. All Rights Reserved.
 .\" Written by David Howells (dhowells@redhat.com)
 .\"
 .\" This program is free software; you can redistribute it and/or
 .\" modify it under the terms of the GNU General Public Licence
 .\" as published by the Free Software Foundation; either version
 .\" 2 of the Licence, or (at your option) any later version.
 .\"
 .TH KEYCTL_PKEY_SIGN 3 "8 Nov 2018" Linux "Linux Public-Key Signatures"
 .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 .SH NAME
 keyctl_pkey_sign, keyctl_pkey_verify \- Generate and verify signatures
 .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 .SH SYNOPSIS
 .nf
 .B #include <keyutils.h>
 .sp
 .BI "long keyctl_pkey_sign(key_serial_t " key ", const char *" info ,
 .BI "                      const void *" data ", size_t " data_len ,
 .BI "                      void *" sig ", size_t " sig_len ");"
 .sp
 .BI "long keyctl_pkey_verify(key_serial_t " key ", const char *" info ,
 .BI "                        const void *" data ", size_t " data_len ,
 .BI "                        const void *" sig ", size_t " sig_len ");"
 .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 .SH DESCRIPTION
 .BR keyctl_pkey_sign ()
 asks the kernel to use the crypto data attached to a key to generate a
 detached signature for a blob of data.  Note that this may involve calling out
 to cryptographic hardware.
 .PP
 .BR keyctl_pkey_verify ()
 asks the kernel to use the key to generate a verify the signature against the
 same blob of data.  This may also involve calling out to cryptographic
 hardware.
 .PP
 The caller must have
 .B search
 permission on a key to be able to perform either operation.
 .PP
 .PP
 When invoking the function,
 .I key
 indicates the key that will provide the cryptographic material and
 .I info
 points to a comma-separated string of "key[=value]" parameters that indicate
 things like encoding forms and passwords to unlock the key; see
 asymmetric-key(7) for more information.
 .PP
 .IR data " and " datalen
 indicate the address and size of the buffer of data to be signed and
 .IR sig " and " siglen
 indicate the address and size of the signature buffer.  The sign function
 draws data from the data buffer, generates a signature from it and places the
 output into the signature buffer.  The verify function also draws data from
 the data buffer, then decrypts the signature and compares the result.
 .PP
 Note that the data buffer is strictly limited in capacity, typically unable to
 hold more bits than the size of the key.  The caller is expected to have
 pre-digested the actual data and will thus pass the digest output to this
 function.  The name of the digest used should be passed as part of the info
 string as \fPhash=<name>\fR for use in constructing the signature metadata.
 .PP
 .BR keyctl_pkey_query (2)
 can be called to find out how large the buffers need to be and what the
 maximum size of the data can be for a specific signature encoding.
 .PP
 Note that not all asymmetric-type keys will support these operations; further,
 the operations available may depend on which components of the key material are
 available: typically encryption only requires the public key, but decryption
 requires the private key as well.  Which operations are supported on a
 particular key can also be determined using the query function.
 .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 .SH RETURN VALUE
 On success
 .BR keyctl_pkey_sign ()
 returns the amount of data written into the signature buffer.
 .BR keyctl_pkey_verify ()
 will return 0 in this case as it doesn't write to userspace.
 .PP
 On error the value
 .B -1
 will be returned and
 .I errno
 will have been set to an appropriate error.
 .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 .SH ERRORS
 .TP
 .B ENOKEY
 The key specified is invalid.
 .TP
 .B EKEYEXPIRED
 The key specified has expired.
 .TP
 .B EKEYREVOKED
 The key specified has been revoked.
 .TP
 .B EACCES
 The key exists, but is not
 .B searchable
 by the calling process.
 .TP
 .BR EINVAL ", " EBADMSG ", " EOVERFLOW
 Some part of the key material or signature data is bad.
 .TP
 .BR EKEYREJECTED
 Signature verification failed.
 .TP
 .B ENOPKG
 Some facility needed to complete the requested operation is not available.
 This is most probably a requested or required digest or encryption algorithm.
 .TP
 .B EFAULT
 Bad address.
 .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 .SH LINKING
 This is a library function that can be found in
 .IR libkeyutils .
 When linking,
 .B \-lkeyutils
 should be specified to the linker.
 .\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 .SH SEE ALSO
 .ad l
 .nh
 .BR keyctl (1),
 .BR add_key (2),
 .BR keyctl (2),
 .BR keyctl (3),
 .BR keyctl_pkey_query (3),
 .BR keyrings (7),
 .BR keyutils (7)
	.\"
	.\" Copyright (C) 2018 Red Hat, Inc. All Rights Reserved.
	.\" Written by David Howells (dhowells@redhat.com)
	.\"
	.\" This program is free software; you can redistribute it and/or
	.\" modify it under the terms of the GNU General Public Licence
	.\" as published by the Free Software Foundation; either version
	.\" 2 of the Licence, or (at your option) any later version.
	.\"
	.TH KEYCTL_PKEY_SIGN 3 "8 Nov 2018" Linux "Linux Public-Key Signatures"
	.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
	.SH NAME
	keyctl_pkey_sign, keyctl_pkey_verify \- Generate and verify signatures
	.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
	.SH SYNOPSIS
	.nf
	.B #include <keyutils.h>
	.sp
	.BI "long keyctl_pkey_sign(key_serial_t " key ", const char *" info ,
	.BI " const void *" data ", size_t " data_len ,
	.BI " void *" sig ", size_t " sig_len ");"
	.sp
	.BI "long keyctl_pkey_verify(key_serial_t " key ", const char *" info ,
	.BI " const void *" data ", size_t " data_len ,
	.BI " const void *" sig ", size_t " sig_len ");"
	.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
	.SH DESCRIPTION
	.BR keyctl_pkey_sign ()
	asks the kernel to use the crypto data attached to a key to generate a
	detached signature for a blob of data. Note that this may involve calling out
	to cryptographic hardware.
	.PP
	.BR keyctl_pkey_verify ()
	asks the kernel to use the key to generate a verify the signature against the
	same blob of data. This may also involve calling out to cryptographic
	hardware.
	.PP
	The caller must have
	.B search
	permission on a key to be able to perform either operation.
	.PP
	.PP
	When invoking the function,
	.I key
	indicates the key that will provide the cryptographic material and
	.I info
	points to a comma-separated string of "key[=value]" parameters that indicate
	things like encoding forms and passwords to unlock the key; see
	asymmetric-key(7) for more information.
	.PP
	.IR data " and " datalen
	indicate the address and size of the buffer of data to be signed and
	.IR sig " and " siglen
	indicate the address and size of the signature buffer. The sign function
	draws data from the data buffer, generates a signature from it and places the
	output into the signature buffer. The verify function also draws data from
	the data buffer, then decrypts the signature and compares the result.
	.PP
	Note that the data buffer is strictly limited in capacity, typically unable to
	hold more bits than the size of the key. The caller is expected to have
	pre-digested the actual data and will thus pass the digest output to this
	function. The name of the digest used should be passed as part of the info
	string as \fPhash=<name>\fR for use in constructing the signature metadata.
	.PP
	.BR keyctl_pkey_query (2)
	can be called to find out how large the buffers need to be and what the
	maximum size of the data can be for a specific signature encoding.
	.PP
	Note that not all asymmetric-type keys will support these operations; further,
	the operations available may depend on which components of the key material are
	available: typically encryption only requires the public key, but decryption
	requires the private key as well. Which operations are supported on a
	particular key can also be determined using the query function.
	.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
	.SH RETURN VALUE
	On success
	.BR keyctl_pkey_sign ()
	returns the amount of data written into the signature buffer.
	.BR keyctl_pkey_verify ()
	will return 0 in this case as it doesn't write to userspace.
	.PP
	On error the value
	.B -1
	will be returned and
	.I errno
	will have been set to an appropriate error.
	.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
	.SH ERRORS
	.TP
	.B ENOKEY
	The key specified is invalid.
	.TP
	.B EKEYEXPIRED
	The key specified has expired.
	.TP
	.B EKEYREVOKED
	The key specified has been revoked.
	.TP
	.B EACCES
	The key exists, but is not
	.B searchable
	by the calling process.
	.TP
	.BR EINVAL ", " EBADMSG ", " EOVERFLOW
	Some part of the key material or signature data is bad.
	.TP
	.BR EKEYREJECTED
	Signature verification failed.
	.TP
	.B ENOPKG
	Some facility needed to complete the requested operation is not available.
	This is most probably a requested or required digest or encryption algorithm.
	.TP
	.B EFAULT
	Bad address.
	.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
	.SH LINKING
	This is a library function that can be found in
	.IR libkeyutils .
	When linking,
	.B \-lkeyutils
	should be specified to the linker.
	.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
	.SH SEE ALSO
	.ad l
	.nh
	.BR keyctl (1),
	.BR add_key (2),
	.BR keyctl (2),
	.BR keyctl (3),
	.BR keyctl_pkey_query (3),
	.BR keyrings (7),
	.BR keyutils (7)