Support key check in EVP interface

A new method is added to EVP_PKEY_METH as: int (*check) (EVP_PKEY_CTX *ctx); and to EVP_PKEY_ASN1_METHOD as: int (*pkey_check) (EVP_PKEY_CTX *ctx); This is used to check the validity of a specific key. The order of calls is: EVP_PKEY_check -> pmeth.check -> ameth.pkey_check. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4337)
author: Paul Yang <yang.yang@baishancloud.com> 2017-09-04 22:02:59 +0800
committer: Richard Levitte <levitte@openssl.org> 2017-09-13 20:38:14 +0200
commit: 2aee35d37d5161a2efc4d57953a4a7b234b6ea4c (patch)
tree: 396369a86192ce41ecda126ad46fb0bbc8eae593 /apps
parent: c061daaaed5ef05cd8cf0b8159d717be02fd451d (diff)
download: openssl-2aee35d37d5161a2efc4d57953a4a7b234b6ea4c.tar.gz
1 files changed, 38 insertions, 2 deletions
diff --git a/apps/pkey.c b/apps/pkey.c
index e8e32bacda..06bdaa3a89 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -18,7 +18,7 @@ typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE,
     OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB,
-    OPT_TEXT, OPT_NOOUT, OPT_MD, OPT_TRADITIONAL
+    OPT_TEXT, OPT_NOOUT, OPT_MD, OPT_TRADITIONAL, OPT_CHECK
 } OPTION_CHOICE;
 
 const OPTIONS pkey_options[] = {
@@ -41,6 +41,7 @@ const OPTIONS pkey_options[] = {
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
+    {"check", OPT_CHECK, '-', "Check key consistency"},
     {NULL}
 };
 
@@ -55,7 +56,7 @@ int pkey_main(int argc, char **argv)
     OPTION_CHOICE o;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM;
     int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1;
-    int private = 0, traditional = 0;
+    int private = 0, traditional = 0, check = 0;
 
     prog = opt_init(argc, argv, pkey_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -110,6 +111,9 @@ int pkey_main(int argc, char **argv)
         case OPT_TRADITIONAL:
             traditional = 1;
             break;
+        case OPT_CHECK:
+            check = 1;
+            break;
         case OPT_MD:
             if (!opt_cipher(opt_unknown(), &cipher))
                 goto opthelp;
@@ -139,6 +143,38 @@ int pkey_main(int argc, char **argv)
     if (pkey == NULL)
         goto end;
 
+    if (check) {
+        int r;
+        EVP_PKEY_CTX *ctx;
+
+        ctx = EVP_PKEY_CTX_new(pkey, e);
+        if (ctx == NULL) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+        r = EVP_PKEY_check(ctx);
+
+        if (r == 1) {
+            BIO_printf(out, "Key is valid\n");
+        } else {
+            /*
+             * Note: at least for RSA keys if this function returns
+             * -1, there will be no error reasons.
+             */
+            unsigned long err;
+
+            BIO_printf(out, "Key is invalid\n");
+
+            while ((err = ERR_peek_error()) != 0) {
+                BIO_printf(out, "Detailed error: %s\n",
+                           ERR_reason_error_string(err));
+                ERR_get_error(); /* remove e from error stack */
+            }
+        }
+        EVP_PKEY_CTX_free(ctx);
+    }
+
     if (!noout) {
         if (outformat == FORMAT_PEM) {
             if (pubout) {
author	Paul Yang <yang.yang@baishancloud.com>	2017-09-04 22:02:59 +0800
committer	Richard Levitte <levitte@openssl.org>	2017-09-13 20:38:14 +0200
commit	2aee35d37d5161a2efc4d57953a4a7b234b6ea4c (patch)
tree	396369a86192ce41ecda126ad46fb0bbc8eae593 /apps
parent	c061daaaed5ef05cd8cf0b8159d717be02fd451d (diff)
download	openssl-2aee35d37d5161a2efc4d57953a4a7b234b6ea4c.tar.gz