expose the interface to obtain compatible signature schemes for a given private key
diff --git a/include/picotls/openssl.h b/include/picotls/openssl.h
index 3a7c3b5..508ba8a 100644
--- a/include/picotls/openssl.h
+++ b/include/picotls/openssl.h
@@ -132,15 +132,20 @@
OSSL_ASYNC_FD ptls_openssl_get_async_fd(ptls_t *ptls);
#endif
-struct st_ptls_openssl_signature_scheme_t {
+typedef struct st_ptls_openssl_signature_scheme_t {
uint16_t scheme_id;
const EVP_MD *(*scheme_md)(void);
-};
+} ptls_openssl_signature_scheme_t;
+
+/**
+ * Given a private key, returns a list of compatible signature schemes. This list is terminated by scheme_id of UINT16_MAX.
+ */
+const ptls_openssl_signature_scheme_t *ptls_openssl_lookup_signature_schemes(EVP_PKEY *key);
typedef struct st_ptls_openssl_sign_certificate_t {
ptls_sign_certificate_t super;
EVP_PKEY *key;
- const struct st_ptls_openssl_signature_scheme_t *schemes; /* terminated by .scheme_id == UINT16_MAX */
+ const ptls_openssl_signature_scheme_t *schemes; /* terminated by .scheme_id == UINT16_MAX */
/**
* When set to true, indicates to the backend that the signature can be generated asynchronously. When the backend decides to
* generate the signature asynchronously, `ptls_handshake` will return PTLS_ERROR_ASYNC_OPERATION. When receiving that error
diff --git a/lib/openssl.c b/lib/openssl.c
index 511315e..8b7171e 100644
--- a/lib/openssl.c
+++ b/lib/openssl.c
@@ -89,22 +89,22 @@
#endif
-static const struct st_ptls_openssl_signature_scheme_t rsa_signature_schemes[] = {{PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256, EVP_sha256},
+static const ptls_openssl_signature_scheme_t rsa_signature_schemes[] = {{PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256, EVP_sha256},
{PTLS_SIGNATURE_RSA_PSS_RSAE_SHA384, EVP_sha384},
{PTLS_SIGNATURE_RSA_PSS_RSAE_SHA512, EVP_sha512},
{UINT16_MAX, NULL}};
-static const struct st_ptls_openssl_signature_scheme_t secp256r1_signature_schemes[] = {
+static const ptls_openssl_signature_scheme_t secp256r1_signature_schemes[] = {
{PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256, EVP_sha256}, {UINT16_MAX, NULL}};
#if PTLS_OPENSSL_HAVE_SECP384R1
-static const struct st_ptls_openssl_signature_scheme_t secp384r1_signature_schemes[] = {
+static const ptls_openssl_signature_scheme_t secp384r1_signature_schemes[] = {
{PTLS_SIGNATURE_ECDSA_SECP384R1_SHA384, EVP_sha384}, {UINT16_MAX, NULL}};
#endif
#if PTLS_OPENSSL_HAVE_SECP521R1
-static const struct st_ptls_openssl_signature_scheme_t secp521r1_signature_schemes[] = {
+static const ptls_openssl_signature_scheme_t secp521r1_signature_schemes[] = {
{PTLS_SIGNATURE_ECDSA_SECP521R1_SHA512, EVP_sha512}, {UINT16_MAX, NULL}};
#endif
#if PTLS_OPENSSL_HAVE_ED25519
-static const struct st_ptls_openssl_signature_scheme_t ed25519_signature_schemes[] = {{PTLS_SIGNATURE_ED25519, NULL},
+static const ptls_openssl_signature_scheme_t ed25519_signature_schemes[] = {{PTLS_SIGNATURE_ED25519, NULL},
{UINT16_MAX, NULL}};
#endif
@@ -127,9 +127,9 @@
PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256,
UINT16_MAX};
-static const struct st_ptls_openssl_signature_scheme_t *lookup_signature_schemes(EVP_PKEY *key)
+const ptls_openssl_signature_scheme_t *ptls_openssl_lookup_signature_schemes(EVP_PKEY *key)
{
- const struct st_ptls_openssl_signature_scheme_t *schemes = NULL;
+ const ptls_openssl_signature_scheme_t *schemes = NULL;
switch (EVP_PKEY_id(key)) {
case EVP_PKEY_RSA:
@@ -698,7 +698,7 @@
struct async_sign_ctx {
ptls_async_job_t super;
- const struct st_ptls_openssl_signature_scheme_t *scheme;
+ const ptls_openssl_signature_scheme_t *scheme;
EVP_MD_CTX *ctx;
ASYNC_WAIT_CTX *waitctx;
ASYNC_JOB *job;
@@ -724,7 +724,7 @@
free(self);
}
-static ptls_async_job_t *async_sign_ctx_new(const struct st_ptls_openssl_signature_scheme_t *scheme, EVP_MD_CTX *ctx, size_t siglen)
+static ptls_async_job_t *async_sign_ctx_new(const ptls_openssl_signature_scheme_t *scheme, EVP_MD_CTX *ctx, size_t siglen)
{
struct async_sign_ctx *self;
@@ -792,7 +792,7 @@
#endif
-static int do_sign(EVP_PKEY *key, const struct st_ptls_openssl_signature_scheme_t *scheme, ptls_buffer_t *outbuf,
+static int do_sign(EVP_PKEY *key, const ptls_openssl_signature_scheme_t *scheme, ptls_buffer_t *outbuf,
ptls_iovec_t input, ptls_async_job_t **async)
{
EVP_MD_CTX *ctx = NULL;
@@ -1161,7 +1161,7 @@
ptls_buffer_t *outbuf, ptls_iovec_t input, const uint16_t *algorithms, size_t num_algorithms)
{
ptls_openssl_sign_certificate_t *self = (ptls_openssl_sign_certificate_t *)_self;
- const struct st_ptls_openssl_signature_scheme_t *scheme;
+ const ptls_openssl_signature_scheme_t *scheme;
/* Just resume the asynchronous operation, if one is in flight. */
#if PTLS_OPENSSL_HAVE_ASYNC
@@ -1202,7 +1202,7 @@
static int verify_sign(void *verify_ctx, uint16_t algo, ptls_iovec_t data, ptls_iovec_t signature)
{
EVP_PKEY *key = verify_ctx;
- const struct st_ptls_openssl_signature_scheme_t *scheme;
+ const ptls_openssl_signature_scheme_t *scheme;
EVP_MD_CTX *ctx = NULL;
EVP_PKEY_CTX *pkey_ctx = NULL;
int ret = 0;
@@ -1210,7 +1210,7 @@
if (data.base == NULL)
goto Exit;
- if ((scheme = lookup_signature_schemes(key)) == NULL) {
+ if ((scheme = ptls_openssl_lookup_signature_schemes(key)) == NULL) {
ret = PTLS_ERROR_LIBRARY;
goto Exit;
}
@@ -1282,7 +1282,7 @@
{
*self = (ptls_openssl_sign_certificate_t){.super = {sign_certificate}, .async = 0 /* libssl has it off by default too */};
- if ((self->schemes = lookup_signature_schemes(key)) == NULL)
+ if ((self->schemes = ptls_openssl_lookup_signature_schemes(key)) == NULL)
return PTLS_ERROR_INCOMPATIBLE_KEY;
EVP_PKEY_up_ref(key);
self->key = key;
diff --git a/t/openssl.c b/t/openssl.c
index b4c73b0..c99ea04 100644
--- a/t/openssl.c
+++ b/t/openssl.c
@@ -143,7 +143,7 @@
#endif
}
-static void test_sign_verify(EVP_PKEY *key, const struct st_ptls_openssl_signature_scheme_t *schemes)
+static void test_sign_verify(EVP_PKEY *key, const ptls_openssl_signature_scheme_t *schemes)
{
for (size_t i = 0; schemes[i].scheme_id != UINT16_MAX; ++i) {
note("scheme 0x%04x", schemes[i].scheme_id);
@@ -198,7 +198,7 @@
test_sign_verify(sc->key, sc->schemes);
}
-static void do_test_ecdsa_sign(int nid, const struct st_ptls_openssl_signature_scheme_t *schemes)
+static void do_test_ecdsa_sign(int nid, const ptls_openssl_signature_scheme_t *schemes)
{
EVP_PKEY *pkey;