Add EVP_PKEY_supports_digest.

This is intended for TLS client auth with Windows CAPI- and CNG-backed keys
which implement sign over sign_raw and do not support all hash functions. Only
plumbed through RSA for now.

Change-Id: Ica42e7fb026840f817a169da9372dda226f7d6fd
Reviewed-on: https://boringssl-review.googlesource.com/2250
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index 16683ce..a545734 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -259,9 +259,13 @@
 OPENSSL_EXPORT unsigned RSA_size(const RSA *rsa);
 
 /* RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key
- * material. Otherwise it return zero. */
+ * material. Otherwise it returns zero. */
 OPENSSL_EXPORT int RSA_is_opaque(const RSA *rsa);
 
+/* RSA_supports_digest returns one if |rsa| supports signing digests
+ * of type |md|. Otherwise it returns zero. */
+OPENSSL_EXPORT int RSA_supports_digest(const RSA *rsa, const EVP_MD *md);
+
 /* RSAPublicKey_dup allocates a fresh |RSA| and copies the private key from
  * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */
 OPENSSL_EXPORT RSA *RSAPublicKey_dup(const RSA *rsa);
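Review bot: The new comment on `RSA_supports_digest` does not say what the function returns when the key's method leaves the hook unset, while the `supports_digest` comment added to the method struct in the second hunk says a null hook means all digests are assumed supported. A caller choosing a TLS client-auth signature hash from this result should know that a return of one may mean "no information" rather than confirmed support, so a failure at signing time still has to be handled. I would add a sentence such as `If the key's method does not implement |supports_digest|, one is returned for every |md|.` The implementation is not part of the visible diff, so that wording assumes it follows the struct comment. It would also help to state in the same comment whether |md| may be NULL.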
@@ -410,6 +414,10 @@
   int flags;
 
   int (*keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
+
+  /* supports_digest returns one if |rsa| supports digests of type
+   * |md|. If null, it is assumed that all digests are supported. */
+  int (*supports_digest)(const RSA *rsa, const EVP_MD *md);
 };