X509_GET0_SIGNATURE(3)     Library Functions Manual     X509_GET0_SIGNATURE(3)

NAME
     X509_get0_signature, X509_REQ_get0_signature, X509_CRL_get0_signature,
     X509_get0_tbs_sigalg, X509_CRL_get0_tbs_sigalg, X509_get_signature_type,
     X509_get_signature_nid, X509_REQ_get_signature_nid,
     X509_CRL_get_signature_nid, X509_get_signature_info - signature
     information

SYNOPSIS
     #include <openssl/x509.h>

     void
     X509_get0_signature(const ASN1_BIT_STRING **psig,
         const X509_ALGOR **palg, const X509 *x);

     void
     X509_REQ_get0_signature(const X509_REQ *req,
         const ASN1_BIT_STRING **psig, const X509_ALGOR **palg);

     void
     X509_CRL_get0_signature(const X509_CRL *crl,
         const ASN1_BIT_STRING **psig, const X509_ALGOR **palg);

     const X509_ALGOR *
     X509_get0_tbs_sigalg(const X509 *x);

     const X509_ALGOR *
     X509_CRL_get0_tbs_sigalg(const X509_CRL *crl);

     int
     X509_get_signature_type(const X509 *x);

     int
     X509_get_signature_nid(const X509 *x);

     int
     X509_REQ_get_signature_nid(const X509_REQ *req);

     int
     X509_CRL_get_signature_nid(const X509_CRL *crl);

     int
     X509_get_signature_info(X509 *x, int *md_nid, int *pkey_nid,
         int *security_bits, uint32_t *flags);

DESCRIPTION
     X509_get0_signature(), X509_REQ_get0_signature(), and
     X509_CRL_get0_signature() set *psig to the signature and *palg to the
     signature algorithm of x, req, or crl, respectively.
     X509_get0_tbs_sigalg() and X509_CRL_get0_tbs_sigalg() return the
     signature algorithm in the signed portion of x or crl, respectively.  The
     values returned are internal pointers that must not be freed by the
     caller.

     X509_get_signature_type() returns the base NID corresponding to the
     signature algorithm of x just like EVP_PKEY_base_id(3) does.

     X509_get_signature_nid(), X509_REQ_get_signature_nid(), and
     X509_CRL_get_signature_nid() return the NID corresponding to the
     signature algorithm of x, req, or crl, respectively, just like
     EVP_PKEY_id(3) does.

     X509_get_signature_info() retrieves information about the signature of
     certificate x.  The NID of the digest algorithm is written to *md_nid,
     the public key algorithm to *pkey_nid, the effective security bits to
     *security_bits, and flag details to *flags.  Any of the output parameters
     can be set to NULL if the information is not required.  If flags is not a
     NULL pointer, *flags is set to the bitwise OR of:

        X509_SIG_INFO_VALID
           No error occurred.  This flag is set if X509_get_signature_info()
           returns 1.

        X509_SIG_INFO_TLS
           The signature algorithm is appropriate for use in TLS.  For a
           supported EdDSA algorithm (in LibreSSL this is Ed25519) this flag
           is always set.  For an RSASSA-PSS PSS algorithm this flag is set if
           the parameters are DER encoded, the digest algorithm is one of
           SHA256, SHA384, or SHA512, the same digest algorithm is used in the
           mask generation function, and the salt length is equal to the
           digest algorithm's output length.  For all other signature
           algorithms this flag is set if the digest algorithm is one of SHA1,
           SHA256, SHA384, or SHA512.

     X509_get_signature_info() returns 1 on success and 0 on failure.  Failure
     conditions include unsupported signature algorithms, certificate parsing
     errors and memory allocation failure.

     These functions provide lower level access to the signature for cases
     where an application wishes to analyse or generate a signature in a form
     where X509_sign(3) is not appropriate, for example in a non-standard or
     unsupported format.

SEE ALSO
     EVP_PKEY_base_id(3), OBJ_obj2nid(3), X509_ALGOR_new(3),
     X509_CRL_get0_by_serial(3), X509_CRL_new(3), X509_get_pubkey(3),
     X509_get_subject_name(3), X509_get_version(3), X509_new(3),
     X509_REQ_new(3), X509_sign(3), X509_signature_dump(3),
     X509_verify_cert(3)

HISTORY
     X509_get_signature_type() first appeared in SSLeay 0.8.0 and has been
     available since OpenBSD 2.4.

     X509_get0_signature() and X509_get_signature_nid() first appeared in
     OpenSSL 1.0.2.  X509_REQ_get0_signature(), X509_CRL_get0_signature(),
     X509_get0_tbs_sigalg(), X509_REQ_get_signature_nid(), and
     X509_CRL_get_signature_nid() first appeared in OpenSSL 1.1.0.  All these
     functions have been available since OpenBSD 6.3.

     X509_CRL_get0_tbs_sigalg() first appeared in LibreSSL 3.7.1 and has been
     available since OpenBSD 7.3.

     X509_get_signature_info() first appeared in OpenSSL 1.1.1 and has been
     available since OpenBSD 7.6.

CAVEATS
     The security bits returned by X509_get_signature_info() refer to the
     information available from the certificate signature (such as the signing
     digest).  In some cases the actual security of the signature is smaller
     because the signing key is less secure.  For example in a certificate
     signed using SHA512 and a 1024-bit RSA key.

Linux 6.13.7-arch1-1            August 28, 2024           Linux 6.13.7-arch1-1