Introduce EVP_PKEY_is_opaque to replace RSA_METHOD_FLAG_NO_CHECK.
Custom RSA and ECDSA keys may not expose the key material. Plumb an "opaque"
bit out of the *_METHOD up to EVP_PKEY. Query that in ssl_rsa.c to skip the
sanity checks for certificate and key matching.
Change-Id: I362a2d5116bfd1803560dfca1d69a91153e895fc
Reviewed-on: https://boringssl-review.googlesource.com/1255
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 2d82fd9..b522e8f 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -89,6 +89,11 @@
* itself. */
void EVP_PKEY_free(EVP_PKEY *pkey);
+/* EVP_PKEY_is_opaque returns one if |pkey| is opaque. Opaque keys are backed by
+ * custom implementations which do not expose key material and parameters. It is
+ * an error to attempt to duplicate, export, or compare an opaque key. */
+int EVP_PKEY_is_opaque(const EVP_PKEY *pkey);
+
/* EVP_PKEY_cmp compares |a| and |b| and returns one if they are equal, zero if
* not and a negative number on error.
*
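Review bot: The new comment on EVP_PKEY_is_opaque documents only the one-return case; state that it returns zero for a non-opaque key so callers can treat the result as a strict boolean. The comment also says it is an error to compare an opaque key, but the EVP_PKEY_cmp comment directly below it is left unchanged. Since the commit message says ssl_rsa.c skips the certificate and key matching check based on this bit, please spell out in the EVP_PKEY_cmp comment which result a caller gets for an opaque key (zero or the negative error value), so code that does not query EVP_PKEY_is_opaque first cannot mistake an error for a match or a mismatch.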