Introduce EVP_PKEY_is_opaque to replace RSA_METHOD_FLAG_NO_CHECK.
Custom RSA and ECDSA keys may not expose the key material. Plumb and "opaque"
bit out of the *_METHOD up to EVP_PKEY. Query that in ssl_rsa.c to skip the
sanity checks for certificate and key matching.
Change-Id: I362a2d5116bfd1803560dfca1d69a91153e895fc
Reviewed-on: https://boringssl-review.googlesource.com/1255
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ec_key.h b/include/openssl/ec_key.h
index ac58a8f..4a48ffc 100644
--- a/include/openssl/ec_key.h
+++ b/include/openssl/ec_key.h
@@ -109,6 +109,10 @@
* success and zero otherwise. */
int EC_KEY_up_ref(EC_KEY *key);
+/* EC_KEY_is_opaque returns one if |key| is opaque and doesn't expose its key
+ * material. Otherwise it return zero. */
+int EC_KEY_is_opaque(const EC_KEY *key);
+
/* EC_KEY_get0_group returns a pointer to the |EC_GROUP| object inside |key|. */
const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
@@ -229,6 +233,11 @@
/* ECDSA method. */
+/* ECDSA_FLAG_OPAQUE specifies that this ECDSA_METHOD does not expose its key
+ * material. This may be set if, for instance, it is wrapping some other crypto
+ * API, like a platform key store. */
+#define ECDSA_FLAG_OPAQUE 1
+
/* ecdsa_method_st is a structure of function pointers for implementing ECDSA.
* See engine.h. */
struct ecdsa_method_st {
@@ -251,6 +260,8 @@
/* verify matches the arguments and behaviour of |ECDSA_verify|. */
int (*verify)(const uint8_t *digest, size_t digest_len, const uint8_t *sig,
size_t sig_len, EC_KEY *eckey);
+
+ int flags;
};
