Asymmetric signature
Asymmetric signature algorithms
PSA_ALG_RSA_PKCS1V15_SIGN (macro)
RSA PKCS#1 v1.5 signature with hashing.
#define PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg) /* specification-defined value */
Parameters
-
hash_alg - A hash algorithm (
PSA_ALG_XXXvalue such thatPSA_ALG_IS_HASH(hash_alg)is true). This includesPSA_ALG_ANY_HASHwhen specifying the algorithm in a usage policy.
Returns
The corresponding RSA PKCS#1 v1.5 signature algorithm.
Unspecified if hash_alg is not a supported hash algorithm.
Description
This is the signature scheme defined by RFC 8017 (PKCS#1: RSA Cryptography Specifications) under the name RSASSA-PKCS1-v1_5.
PSA_ALG_RSA_PKCS1V15_SIGN_RAW (macro)
Raw PKCS#1 v1.5 signature.
#define PSA_ALG_RSA_PKCS1V15_SIGN_RAW ((psa_algorithm_t) 0x06000200))
The input to this algorithm is the DigestInfo structure used by RFC 8017 §9.2 (PKCS#1: RSA Cryptography Specifications), in steps 3–6.
PSA_ALG_RSA_PSS (macro)
RSA PSS signature with hashing.
#define PSA_ALG_RSA_PSS(hash_alg) /* specification-defined value */
Parameters
-
hash_alg - A hash algorithm (
PSA_ALG_XXXvalue such thatPSA_ALG_IS_HASH(hash_alg)is true). This includesPSA_ALG_ANY_HASHwhen specifying the algorithm in a usage policy.
Returns
The corresponding RSA PSS signature algorithm.
Unspecified if hash_alg is not a supported hash algorithm.
Description
This is the signature scheme defined by RFC 8017 (PKCS#1: RSA Cryptography Specifications) under the name RSASSA-PSS, with the message generation function MGF1, and with a salt length equal to the length of the hash. The specified hash algorithm is used to hash the input message, to create the salted hash, and for the mask generation.
PSA_ALG_ECDSA (macro)
ECDSA signature with hashing.
#define PSA_ALG_ECDSA(hash_alg) /* specification-defined value */
Parameters
-
hash_alg - A hash algorithm (
PSA_ALG_XXXvalue such thatPSA_ALG_IS_HASH(hash_alg)is true). This includesPSA_ALG_ANY_HASHwhen specifying the algorithm in a usage policy.
Returns
The corresponding ECDSA signature algorithm.
Unspecified if hash_alg is not a supported hash algorithm.
Description
This is the Elliptic Curve Digital Signature Algorithm (ECDSA) defined by ANSI X9.62-2005, with a random per-message secret number (k).
The representation of the signature as a byte string consists of the concatenation of the signature values r and s. Each of r and s is encoded as an N-octet string, where N is the length of the base point of the curve in octets. Each value is represented in big-endian order, with the most significant octet first.
PSA_ALG_ECDSA_ANY (macro)
ECDSA signature without hashing.
#define PSA_ALG_ECDSA_ANY ((psa_algorithm_t) 0x06000600))
This is the same signature scheme as PSA_ALG_ECDSA(), but without specifying a hash algorithm. This algorithm is only recommended to sign or verify a sequence of bytes that are an already-calculated hash. Note that the input is padded with zeros on the left or truncated on the left as required to fit the curve size.
PSA_ALG_DETERMINISTIC_ECDSA (macro)
Deterministic ECDSA signature with hashing.
#define PSA_ALG_DETERMINISTIC_ECDSA(hash_alg) /* specification-defined value */
Parameters
-
hash_alg - A hash algorithm (
PSA_ALG_XXXvalue such thatPSA_ALG_IS_HASH(hash_alg)is true). This includesPSA_ALG_ANY_HASHwhen specifying the algorithm in a usage policy.
Returns
The corresponding deterministic ECDSA signature algorithm.
Unspecified if hash_alg is not a supported hash algorithm.
Description
This is the deterministic ECDSA signature scheme defined by RFC 6979.
The representation of a signature is the same as with PSA_ALG_ECDSA().
Note that when this algorithm is used for verification, signatures made with randomized ECDSA (PSA_ALG_ECDSA(hash_alg)) with the same private key are accepted. In other words, PSA_ALG_DETERMINISTIC_ECDSA(hash_alg) differs from PSA_ALG_ECDSA(hash_alg) only for signature, not for verification.
Asymmetric signature functions
psa_sign_message (function)
Sign a message with a private key. For hash-and-sign algorithms, this includes the hashing step.
psa_status_t psa_sign_message(psa_key_id_t key, psa_algorithm_t alg, const uint8_t * input, size_t input_length, uint8_t * signature, size_t signature_size, size_t * signature_length);
Parameters
-
key - Identifier of the key to use for the operation. It must be an asymmetric key pair. The key must allow the usage
PSA_KEY_USAGE_SIGN_MESSAGE. -
alg - An asymmetric signature algorithm (
PSA_ALG_XXXvalue such thatPSA_ALG_IS_SIGN_MESSAGE(alg)is true), that is compatible with the type ofkey. -
input - The input message to sign.
-
input_length - Size of the
inputbuffer in bytes. -
signature - Buffer where the signature is to be written.
-
signature_size Size of the
signaturebuffer in bytes. This must be appropriate for the selected algorithm and key:- The required signature size is
PSA_SIGN_OUTPUT_SIZE(key_type,key_bits,alg)wherekey_typeandkey_bitsare the type and bit-size respectively ofkey. PSA_SIGNATURE_MAX_SIZEevaluates to the maximum signature size of any supported signature algorithm.
- The required signature size is
-
signature_length - On success, the number of bytes that make up the returned signature value.
Returns: psa_status_t
-
PSA_SUCCESS -
PSA_ERROR_INVALID_HANDLE -
PSA_ERROR_NOT_PERMITTED - The key does not have the
PSA_KEY_USAGE_SIGN_MESSAGEflag, or it does not permit the requested algorithm. -
PSA_ERROR_BUFFER_TOO_SMALL - The size of the
signaturebuffer is too small.PSA_SIGN_OUTPUT_SIZE()orPSA_SIGNATURE_MAX_SIZEcan be used to determine the required buffer size. -
PSA_ERROR_NOT_SUPPORTED -
PSA_ERROR_INVALID_ARGUMENT -
PSA_ERROR_INSUFFICIENT_MEMORY -
PSA_ERROR_COMMUNICATION_FAILURE -
PSA_ERROR_HARDWARE_FAILURE -
PSA_ERROR_CORRUPTION_DETECTED -
PSA_ERROR_STORAGE_FAILURE -
PSA_ERROR_DATA_CORRUPT -
PSA_ERROR_DATA_INVALID -
PSA_ERROR_INSUFFICIENT_ENTROPY -
PSA_ERROR_BAD_STATE - The library has not been previously initialized by
psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
Description
Note
To perform a multi-part hash-and-sign signature algorithm, first use a multi-part hash operation and then pass the resulting hash to psa_sign_hash(). PSA_ALG_GET_HASH(alg) can be used to determine the hash algorithm to use.
psa_verify_message (function)
Verify the signature of a message with a public key, using a hash-and-sign verification algorithm.
psa_status_t psa_verify_message(psa_key_id_t key, psa_algorithm_t alg, const uint8_t * input, size_t input_length, const uint8_t * signature, size_t signature_length);
Parameters
-
key - Identifier of the key to use for the operation. It must be a public key or an asymmetric key pair. The key must allow the usage
PSA_KEY_USAGE_VERIFY_MESSAGE. -
alg - An asymmetric signature algorithm (
PSA_ALG_XXXvalue such thatPSA_ALG_IS_SIGN_MESSAGE(alg)is true), that is compatible with the type ofkey. -
input - The message whose signature is to be verified.
-
input_length - Size of the
inputbuffer in bytes. -
signature - Buffer containing the signature to verify.
-
signature_length - Size of the
signaturebuffer in bytes.
Returns: psa_status_t
-
PSA_SUCCESS - The signature is valid.
-
PSA_ERROR_INVALID_HANDLE -
PSA_ERROR_NOT_PERMITTED - The key does not have the
PSA_KEY_USAGE_VERIFY_MESSAGEflag, or it does not permit the requested algorithm. -
PSA_ERROR_INVALID_SIGNATURE - The calculation was performed successfully, but the passed signature is not a valid signature.
-
PSA_ERROR_NOT_SUPPORTED -
PSA_ERROR_INVALID_ARGUMENT -
PSA_ERROR_INSUFFICIENT_MEMORY -
PSA_ERROR_COMMUNICATION_FAILURE -
PSA_ERROR_HARDWARE_FAILURE -
PSA_ERROR_CORRUPTION_DETECTED -
PSA_ERROR_STORAGE_FAILURE -
PSA_ERROR_DATA_CORRUPT -
PSA_ERROR_DATA_INVALID -
PSA_ERROR_BAD_STATE - The library has not been previously initialized by
psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
Description
Note
To perform a multi-part hash-and-sign signature verification algorithm, first use a multi-part hash operation to hash the message and then pass the resulting hash to psa_verify_hash(). PSA_ALG_GET_HASH(alg) can be used to determine the hash algorithm to use.
psa_sign_hash (function)
Sign an already-calculated hash with a private key.
psa_status_t psa_sign_hash(psa_key_id_t key, psa_algorithm_t alg, const uint8_t * hash, size_t hash_length, uint8_t * signature, size_t signature_size, size_t * signature_length);
Parameters
-
key - Identifier of the key to use for the operation. It must be an asymmetric key pair. The key must allow the usage
PSA_KEY_USAGE_SIGN_HASH. -
alg - An asymmetric signature algorithm that separates the hash and sign operations (
PSA_ALG_XXXvalue such thatPSA_ALG_IS_SIGN_HASH(alg)is true), that is compatible with the type ofkey. -
hash - The input to sign. This is usually the hash of a message. See the detailed description of this function and the description of individual signature algorithms for a detailed description of acceptable inputs.
-
hash_length - Size of the
hashbuffer in bytes. -
signature - Buffer where the signature is to be written.
-
signature_size Size of the
signaturebuffer in bytes. This must be appropriate for the selected algorithm and key:- The required signature size is
PSA_SIGN_OUTPUT_SIZE(key_type,key_bits,alg)wherekey_typeandkey_bitsare the type and bit-size respectively ofkey. PSA_SIGNATURE_MAX_SIZEevaluates to the maximum signature size of any supported signature algorithm.
- The required signature size is
-
signature_length - On success, the number of bytes that make up the returned signature value.
Returns: psa_status_t
-
PSA_SUCCESS -
PSA_ERROR_INVALID_HANDLE -
PSA_ERROR_NOT_PERMITTED - The key does not have the
PSA_KEY_USAGE_SIGN_HASHflag, or it does not permit the requested algorithm. -
PSA_ERROR_BUFFER_TOO_SMALL - The size of the
signaturebuffer is too small.PSA_SIGN_OUTPUT_SIZE()orPSA_SIGNATURE_MAX_SIZEcan be used to determine the required buffer size. -
PSA_ERROR_NOT_SUPPORTED -
PSA_ERROR_INVALID_ARGUMENT -
PSA_ERROR_INSUFFICIENT_MEMORY -
PSA_ERROR_COMMUNICATION_FAILURE -
PSA_ERROR_HARDWARE_FAILURE -
PSA_ERROR_CORRUPTION_DETECTED -
PSA_ERROR_STORAGE_FAILURE -
PSA_ERROR_DATA_CORRUPT -
PSA_ERROR_DATA_INVALID -
PSA_ERROR_INSUFFICIENT_ENTROPY -
PSA_ERROR_BAD_STATE - The library has not been previously initialized by
psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
Description
With most signature mechanisms that follow the hash-and-sign paradigm, the hash input to this function is the hash of the message to sign. The hash algorithm is encoded in the signature algorithm.
Some hash-and-sign mechanisms apply a padding or encoding to the hash. In such cases, the encoded hash must be passed to this function. The current version of this specification defines one such signature algorithm: PSA_ALG_RSA_PKCS1V15_SIGN_RAW.
Note
To perform a hash-and-sign algorithm, the hash must be calculated before passing it to this function. This can be done by calling psa_hash_compute() or with a multi-part hash operation. Alternatively, to hash and sign a message in a single call, use psa_sign_message().
psa_verify_hash (function)
Verify the signature of a hash or short message using a public key.
psa_status_t psa_verify_hash(psa_key_id_t key, psa_algorithm_t alg, const uint8_t * hash, size_t hash_length, const uint8_t * signature, size_t signature_length);
Parameters
-
key - Identifier of the key to use for the operation. It must be a public key or an asymmetric key pair. The key must allow the usage
PSA_KEY_USAGE_VERIFY_HASH. -
alg - An asymmetric signature algorithm that separates the hash and sign operations (
PSA_ALG_XXXvalue such thatPSA_ALG_IS_SIGN_HASH(alg)is true), that is compatible with the type ofkey. -
hash - The input whose signature is to be verified. This is usually the hash of a message. See the detailed description of this function and the description of individual signature algorithms for a detailed description of acceptable inputs.
-
hash_length - Size of the
hashbuffer in bytes. -
signature - Buffer containing the signature to verify.
-
signature_length - Size of the
signaturebuffer in bytes.
Returns: psa_status_t
-
PSA_SUCCESS - The signature is valid.
-
PSA_ERROR_INVALID_HANDLE -
PSA_ERROR_NOT_PERMITTED - The key does not have the
PSA_KEY_USAGE_VERIFY_HASHflag, or it does not permit the requested algorithm. -
PSA_ERROR_INVALID_SIGNATURE - The calculation was performed successfully, but the passed signature is not a valid signature.
-
PSA_ERROR_NOT_SUPPORTED -
PSA_ERROR_INVALID_ARGUMENT -
PSA_ERROR_INSUFFICIENT_MEMORY -
PSA_ERROR_COMMUNICATION_FAILURE -
PSA_ERROR_HARDWARE_FAILURE -
PSA_ERROR_CORRUPTION_DETECTED -
PSA_ERROR_STORAGE_FAILURE -
PSA_ERROR_DATA_CORRUPT -
PSA_ERROR_DATA_INVALID -
PSA_ERROR_BAD_STATE - The library has not been previously initialized by
psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.
Description
With most signature mechanisms that follow the hash-and-sign paradigm, the hash input to this function is the hash of the message to sign. The hash algorithm is encoded in the signature algorithm.
Some hash-and-sign mechanisms apply a padding or encoding to the hash. In such cases, the encoded hash must be passed to this function. The current version of this specification defines one such signature algorithm: PSA_ALG_RSA_PKCS1V15_SIGN_RAW.
Note
To perform a hash-and-sign verification algorithm, the hash must be calculated before passing it to this function. This can be done by calling psa_hash_compute() or with a multi-part hash operation. Alternatively, to hash and verify a message signature in a single call, use psa_verify_message().
Support macros
PSA_ALG_IS_SIGN_MESSAGE (macro)
Whether the specified algorithm is a signature algorithm that can be used with psa_sign_message() and psa_verify_message().
#define PSA_ALG_IS_SIGN_MESSAGE(alg) /* specification-defined value */
Parameters
-
alg - An algorithm identifier (value of type
psa_algorithm_t).
Returns
1 if alg is a signature algorithm that can be used to sign a message. 0 if alg is a signature algorithm that can only be used to sign an already-calculated hash. 0 if alg is not a signature algorithm. This macro can return either 0 or 1 if alg is not a supported algorithm identifier.
PSA_ALG_IS_SIGN_HASH (macro)
Whether the specified algorithm is a signature algorithm that can be used with psa_sign_hash() and psa_verify_hash().
#define PSA_ALG_IS_SIGN_HASH(alg) /* specification-defined value */
Parameters
-
alg - An algorithm identifier (value of type
psa_algorithm_t).
Returns
1 if alg is a signature algorithm that can be used to sign a hash. 0 if alg is a signature algorithm that can only be used to sign a message. 0 if alg is not a signature algorithm. This macro can return either 0 or 1 if alg is not a supported algorithm identifier.
PSA_ALG_IS_RSA_PKCS1V15_SIGN (macro)
Whether the specified algorithm is an RSA PKCS#1 v1.5 signature algorithm.
#define PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) /* specification-defined value */
Parameters
-
alg - An algorithm identifier (value of type
psa_algorithm_t).
Returns
1 if alg is an RSA PKCS#1 v1.5 signature algorithm, 0 otherwise.
This macro can return either 0 or 1 if alg is not a supported algorithm identifier.
PSA_ALG_IS_RSA_PSS (macro)
Whether the specified algorithm is an RSA PSS signature algorithm.
#define PSA_ALG_IS_RSA_PSS(alg) /* specification-defined value */
Parameters
-
alg - An algorithm identifier (value of type
psa_algorithm_t).
Returns
1 if alg is an RSA PSS signature algorithm, 0 otherwise.
This macro can return either 0 or 1 if alg is not a supported algorithm identifier.
PSA_ALG_IS_ECDSA (macro)
Whether the specified algorithm is ECDSA.
#define PSA_ALG_IS_ECDSA(alg) /* specification-defined value */
Parameters
-
alg - An algorithm identifier (value of type
psa_algorithm_t).
Returns
1 if alg is an ECDSA algorithm, 0 otherwise.
This macro can return either 0 or 1 if alg is not a supported algorithm identifier.
PSA_ALG_IS_DETERMINISTIC_ECDSA (macro)
Whether the specified algorithm is deterministic ECDSA.
#define PSA_ALG_IS_DETERMINISTIC_ECDSA(alg) /* specification-defined value */
Parameters
-
alg - An algorithm identifier (value of type
psa_algorithm_t).
Returns
1 if alg is a deterministic ECDSA algorithm, 0 otherwise.
This macro can return either 0 or 1 if alg is not a supported algorithm identifier.
Description
See also PSA_ALG_IS_ECDSA() and PSA_ALG_IS_RANDOMIZED_ECDSA().
PSA_ALG_IS_RANDOMIZED_ECDSA (macro)
Whether the specified algorithm is randomized ECDSA.
#define PSA_ALG_IS_RANDOMIZED_ECDSA(alg) /* specification-defined value */
Parameters
-
alg - An algorithm identifier (value of type
psa_algorithm_t).
Returns
1 if alg is a randomized ECDSA algorithm, 0 otherwise.
This macro can return either 0 or 1 if alg is not a supported algorithm identifier.
Description
See also PSA_ALG_IS_ECDSA() and PSA_ALG_IS_DETERMINISTIC_ECDSA().
PSA_ALG_IS_HASH_AND_SIGN (macro)
Whether the specified algorithm is a hash-and-sign algorithm that signs exactly the hash value.
#define PSA_ALG_IS_HASH_AND_SIGN(alg) /* specification-defined value */
Parameters
-
alg - An algorithm identifier (value of type
psa_algorithm_t).
Returns
1 if alg is a hash-and-sign algorithm that signs exactly the hash value, 0 otherwise. This macro can return either 0 or 1 if alg is not a supported algorithm identifier.
Description
This macro identifies algorithms that can be used with psa_sign_hash() that use the exact message hash value as an input the signature operation. This excludes hash-and-sign algorithms that require a encoded or modified hash for the signature step in the algorithm, such as PSA_ALG_RSA_PKCS1V15_SIGN_RAW.
PSA_ALG_ANY_HASH (macro)
In a hash-and-sign algorithm policy, allow any hash algorithm.
#define PSA_ALG_ANY_HASH ((psa_algorithm_t)0x020000ff)
This value can be used to form the algorithm usage field of a policy for a signature algorithm that is parametrized by a hash. A key with this policy can then be used to perform operations using the same signature algorithm parametrized with any supported hash.
A signature algorithm policy created using this macro is a wildcard policy, and PSA_ALG_IS_WILDCARD() will return true.
This value must not be used to build other algorithms that are parametrized over a hash. For any valid use of this macro to build an algorithm alg, PSA_ALG_IS_HASH_AND_SIGN(alg) is true.
This value must not be used to build an algorithm specification to perform an operation. It is only valid to build policies.
Usage
For example, suppose that PSA_xxx_SIGNATURE is one of the following macros:
The following sequence of operations shows how PSA_ALG_ANY_HASH can be used in a key policy:
Set the key usage field using
PSA_ALG_ANY_HASH, for example:psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); // or VERIFY_MESSAGE psa_set_key_algorithm(&attributes, PSA_xxx_SIGNATURE(PSA_ALG_ANY_HASH));
Import or generate key material.
Call
psa_sign_message()orpsa_verify_message(), passing an algorithm built fromPSA_xxx_SIGNATUREand a specific hash. Each call to sign or verify a message can use a different hash algorithm.psa_sign_message(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_256), ...); psa_sign_message(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_512), ...); psa_sign_message(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA3_256), ...);
PSA_SIGN_OUTPUT_SIZE (macro)
Sufficient signature buffer size for psa_sign_message() and psa_sign_hash().
#define PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg) \ /* implementation-defined value */
Parameters
-
key_type - An asymmetric key type. This can be a key pair type or a public key type.
-
key_bits - The size of the key in bits.
-
alg - The signature algorithm.
Returns
If the parameters are valid and supported, return a buffer size in bytes that guarantees that psa_sign_message() and psa_sign_hash() will not fail with PSA_ERROR_BUFFER_TOO_SMALL. If the parameters are a valid combination that is not supported by the implementation, this macro must return either a sensible size or 0. If the parameters are not valid, the return value is unspecified.
Description
This macro returns a sufficient buffer size for a signature using a key of the specified type and size, with the specified algorithm. Note that the actual size of the signature might be smaller, as some algorithms produce a variable-size signature.
Warning
This function might evaluate its arguments multiple times or zero times. Providing arguments that have side effects will result in implementation-specific behavior, and is non-portable.
See also PSA_SIGNATURE_MAX_SIZE.
PSA_SIGNATURE_MAX_SIZE (macro)
Maximum size of an asymmetric signature.
#define PSA_SIGNATURE_MAX_SIZE /* implementation-defined value */
This macro must expand to a compile-time constant integer. It is recommended that this value is the maximum size of an asymmetric signature supported by the implementation, in bytes. The value must not be smaller than this maximum.
See also PSA_SIGN_OUTPUT_SIZE().