85
85
return ossl_pkey_new(pkey);
90
* OpenSSL::PKey.read(string [, pwd ] ) -> PKey
91
* OpenSSL::PKey.read(file [, pwd ]) -> PKey
94
* * +string+ is a DER- or PEM-encoded string containing an arbitrary private
96
* * +file+ is an instance of +File+ containing a DER- or PEM-encoded
97
* arbitrary private or public key.
98
* * +pwd+ is an optional password in case +string+ or +file+ is an encrypted
102
ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)
109
rb_scan_args(argc, argv, "11", &data, &pass);
111
bio = ossl_obj2bio(data);
112
if (!(pkey = d2i_PrivateKey_bio(bio, NULL))) {
115
passwd = StringValuePtr(pass);
117
if (!(pkey = PEM_read_bio_PrivateKey(bio, NULL, ossl_pem_passwd_cb, passwd))) {
119
if (!(pkey = d2i_PUBKEY_bio(bio, NULL))) {
122
passwd = StringValuePtr(pass);
124
pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, passwd);
131
ossl_raise(rb_eArgError, "Could not parse PKey");
132
return ossl_pkey_new(pkey);
89
136
GetPKeyPtr(VALUE obj)
218
* pkey.sign(digest, data) -> String
220
* To sign the +String+ +data+, +digest+, an instance of OpenSSL::Digest, must
221
* be provided. The return value is again a +String+ containing the signature.
222
* A PKeyError is raised should errors occur.
223
* Any previous state of the +Digest+ instance is irrelevant to the signature
224
* outcome, the digest instance is reset to its initial state during the
229
* digest = OpenSSL::Digest::SHA256.new
230
* pkey = OpenSSL::PKey::RSA.new(2048)
231
* signature = pkey.sign(digest, data)
163
234
ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)
259
* pkey.verify(digest, signature, data) -> String
261
* To verify the +String+ +signature+, +digest+, an instance of
262
* OpenSSL::Digest, must be provided to re-compute the message digest of the
263
* original +data+, also a +String+. The return value is +true+ if the
264
* signature is valid, +false+ otherwise. A PKeyError is raised should errors
266
* Any previous state of the +Digest+ instance is irrelevant to the validation
267
* outcome, the digest instance is reset to its initial state during the
272
* digest = OpenSSL::Digest::SHA256.new
273
* pkey = OpenSSL::PKey::RSA.new(2048)
274
* signature = pkey.sign(digest, data)
275
* pub_key = pkey.public_key
276
* puts pub_key.verify(digest, signature, data) # => true
187
279
ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)
214
#if 0 /* let rdoc know about mOSSL */
215
mOSSL = rb_define_module("OpenSSL");
307
mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
310
/* Document-module: OpenSSL::PKey
312
* == Asymmetric Public Key Algorithms
314
* Asymmetric public key algorithms solve the problem of establishing and
315
* sharing secret keys to en-/decrypt messages. The key in such an
316
* algorithm consists of two parts: a public key that may be distributed
317
* to others and a private key that needs to remain secret.
319
* Messages encrypted with a public key can only be encrypted by
320
* recipients that are in possession of the associated private key.
321
* Since public key algorithms are considerably slower than symmetric
322
* key algorithms (cf. OpenSSL::Cipher) they are often used to establish
323
* a symmetric key shared between two parties that are in possession of
324
* each other's public key.
326
* Asymmetric algorithms offer a lot of nice features that are used in a
327
* lot of different areas. A very common application is the creation and
328
* validation of digital signatures. To sign a document, the signatory
329
* generally uses a message digest algorithm (cf. OpenSSL::Digest) to
330
* compute a digest of the document that is then encrypted (i.e. signed)
331
* using the private key. Anyone in possession of the public key may then
332
* verify the signature by computing the message digest of the original
333
* document on their own, decrypting the signature using the signatory's
334
* public key and comparing the result to the message digest they
335
* previously computed. The signature is valid if and only if the
336
* decrypted signature is equal to this message digest.
338
* The PKey module offers support for three popular public/private key
340
* * RSA (OpenSSL::PKey::RSA)
341
* * DSA (OpenSSL::PKey::DSA)
342
* * Elliptic Curve Cryptography (OpenSSL::PKey::EC)
343
* Each of these implementations is in fact a sub-class of the abstract
344
* PKey class which offers the interface for supporting digital signatures
345
* in the form of PKey#sign and PKey#verify.
347
* == Diffie-Hellman Key Exchange
349
* Finally PKey also features OpenSSL::PKey::DH, an implementation of
350
* the Diffie-Hellman key exchange protocol based on discrete logarithms
351
* in finite fields, the same basis that DSA is built on.
352
* The Diffie-Hellman protocol can be used to exchange (symmetric) keys
353
* over insecure channels without needing any prior joint knowledge
354
* between the participating parties. As the security of DH demands
355
* relatively long "public keys" (i.e. the part that is overtly
356
* transmitted between participants) DH tends to be quite slow. If
357
* security or speed is your primary concern, OpenSSL::PKey::EC offers
358
* another implementation of the Diffie-Hellman protocol.
218
361
mPKey = rb_define_module_under(mOSSL, "PKey");
363
/* Document-class: OpenSSL::PKey::PKeyError
365
*Raised when errors occur during PKey#sign or PKey#verify.
220
367
ePKeyError = rb_define_class_under(mPKey, "PKeyError", eOSSLError);
369
/* Document-class: OpenSSL::PKey::PKey
371
* An abstract class that bundles signature creation (PKey#sign) and
372
* validation (PKey#verify) that is common to all implementations except
374
* * OpenSSL::PKey::RSA
375
* * OpenSSL::PKey::DSA
376
* * OpenSSL::PKey::EC
222
378
cPKey = rb_define_class_under(mPKey, "PKey", rb_cObject);
380
rb_define_module_function(mPKey, "read", ossl_pkey_new_from_data, -1);
224
382
rb_define_alloc_func(cPKey, ossl_pkey_alloc);
225
383
rb_define_method(cPKey, "initialize", ossl_pkey_initialize, 0);