On 21 January 2014 23:51, HelenH Zhang <helen...@yahoo.com> wrote:
> Thank you, Matt, for your quick reply.
>
> I have additional questions: I looked at both links below:
>
> https://www.openssl.org/docs/crypto/EVP_PKEY_encrypt.html
> https://www.openssl.org/docs/crypto/EVP_PKEY_decrypt.html
>
> One for encryption, one for decryption, however, the example code in the
> links is the same, which cannot be true.

They look ok to me? They are not *exactly* the same?

> I have the following code segment:
>
>     ERR_load_crypto_strings();
>     pkey = EVP_PKEY_new();
>     rc = EVP_PKEY_assign_RSA(pkey, rsaKey);
>     if (rc) {
>         ctx = EVP_PKEY_CTX_new(pkey, NULL);
>         if (!ctx) {
>             rc = -1;
>         }
>         rc = EVP_PKEY_CTX_set_signature_md(ctx, md);
>         if (rc == 1)
>             rc = EVP_PKEY_encrypt_init(ctx);
>         if (rc == 1)
>             rc = EVP_PKEY_CTX_set_rsa_padding(ctx, pad);
>         if (rc == 1)
>             rc = EVP_PKEY_encrypt(ctx, out, &outlen, in, inlen);
>     }
>
>     EVP_PKEY_CTX_free(ctx);
>     EVP_PKEY_free(pkey);
>
> This code should perform a similar function to EVP_Sign...
> except the padding part. Is it correct?

No. EVP_PKEY_encrypt is not the same operation as EVP_Sign*. The
EVP_PKEY_encrypt/EVP_PKEY_decrypt functions are rarely used directly -
they do not hash their input first - it's just directly encrypted - which
is not normally what you want.

If you want to sign then typically you use EVP_Sign* or EVP_DigestSign*
(the latter does the same thing but is newer and slightly more flexible as
it can also be used to generate MACs).

If you want to encrypt then, typically, you use EVP_Seal*.

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org