pub struct MessageSigner { /* private fields */ }
Stateful signing context using EVP_PKEY_sign_message_* (OpenSSL 3.2+).
Used for algorithms that do not use a separate internal digest (ML-DSA,
SLH-DSA, Ed25519 with context strings). Unlike Signer, the
algorithm is specified as a SigAlg rather than a digest name.
Call update zero or more times (if the algorithm supports
streaming — check with supports_streaming),
then finish to produce the signature. For algorithms
that only support one-shot operation, use sign_oneshot.
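The call order described above, as an added example that is not part of the crate's own documentation: a helper that sizes the buffer with sig_len, streams chunks when supports_streaming returns true, and otherwise falls back to sign_oneshot. So that it compiles on its own it uses a stand-in trait, MsgSign, mirroring the documented methods; the Error type, the signature of finish, and the Fake backend (a constructed test double, not a signature scheme) are assumptions.

```rust
// Stand-in trait mirroring the documented MessageSigner methods (assumption:
// `Error` replaces ErrorStack, and the signature of `finish` is not on the page).
#[derive(Debug, PartialEq)]
pub struct Error(pub &'static str);
pub trait MsgSign: Sized {
    fn supports_streaming(&mut self) -> bool;
    fn update(&mut self, data: &[u8]) -> Result<(), Error>;
    fn sig_len(&mut self) -> Result<usize, Error>;
    fn finish(self, sig: &mut [u8]) -> Result<usize, Error>;
    fn sign_oneshot(self, data: &[u8], sig: &mut [u8]) -> Result<usize, Error>;
}

/// Sign a message that arrives in chunks, streaming when the backend allows it.
pub fn sign_chunks<S: MsgSign>(mut s: S, chunks: &[&[u8]]) -> Result<Vec<u8>, Error> {
    let mut sig = vec![0u8; s.sig_len()?]; // length query keeps the signing state
    let written = if s.supports_streaming() {
        for &c in chunks { s.update(c)?; }
        s.finish(&mut sig)?
    } else {
        // One-shot backends must see the whole message in a single call.
        s.sign_oneshot(&chunks.concat(), &mut sig)?
    };
    sig.truncate(written); // keep only the bytes actually written
    Ok(sig)
}

/// Constructed test double: XOR-folds the message into 8 bytes. Not a signature.
pub struct Fake { pub streaming: bool, pub seen: Vec<u8> }
fn fold(msg: &[u8], sig: &mut [u8]) -> Result<usize, Error> {
    if sig.len() < 8 { return Err(Error("buffer too small")); }
    sig[..8].fill(0);
    msg.iter().enumerate().for_each(|(i, b)| sig[i % 8] ^= *b);
    Ok(8)
}

impl MsgSign for Fake {
    fn supports_streaming(&mut self) -> bool { self.streaming }
    fn update(&mut self, d: &[u8]) -> Result<(), Error> {
        if !self.streaming { return Err(Error("streaming unsupported")); }
        self.seen.extend_from_slice(d);
        Ok(())
    }
    fn sig_len(&mut self) -> Result<usize, Error> { Ok(8) }
    fn finish(self, sig: &mut [u8]) -> Result<usize, Error> { fold(&self.seen, sig) }
    fn sign_oneshot(self, d: &[u8], sig: &mut [u8]) -> Result<usize, Error> { fold(d, sig) }
}
fn main() {
    println!("{:?}", sign_chunks(Fake { streaming: false, seen: vec![] }, &[&b"ab"[..], &b"cd"[..]]));
}
```

With the real type, the same helper shape applies once MsgSign is replaced by MessageSigner and Error by ErrorStack.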
Implementations§
impl MessageSigner
pub fn new(
    key: &Pkey<Private>,
    alg: &mut SigAlg,
    params: Option<&Params<'_>>,
) -> Result<Self, ErrorStack>
Create and initialise a message-sign context.
alg is consumed by the init call; pass a clone if you need to reuse it.
params sets algorithm-specific options (e.g. context string for Ed25519).
§Errors
pub fn supports_streaming(&mut self) -> bool
Probe whether this algorithm backend supports incremental update calls.
Calls EVP_PKEY_sign_message_update with an empty input, bracketed by
ERR_set_mark / ERR_pop_to_mark so that a failure does not leave
entries on the error queue. Returns true if streaming is supported.
If this returns false, use sign_oneshot instead.
pub fn update(&mut self, data: &[u8]) -> Result<(), ErrorStack>
Feed data into the signing operation.
Returns Err if the algorithm does not support streaming — use
sign_oneshot in that case.
§Errors
pub fn sig_len(&mut self) -> Result<usize, ErrorStack>
Query the signature output length.
Calls EVP_PKEY_sign_message_final with a null buffer — does not
consume the signing state.
§Errors
pub fn sign_oneshot(
    self,
    data: &[u8],
    sig: &mut [u8],
) -> Result<usize, ErrorStack>
One-shot sign: feed data then finalise into sig.
Consumes self. Use this for algorithms that do not support
streaming (supports_streaming returns false).
§Errors
pub fn sign(
    &mut self,
    data: &[u8],
    sig: Option<&mut [u8]>,
) -> Result<usize, ErrorStack>
One-shot sign over data using EVP_PKEY_sign.
The context must have been initialised with EVP_PKEY_sign_message_init
(this type’s constructor); EVP_PKEY_sign accepts both
EVP_PKEY_OP_SIGN and EVP_PKEY_OP_SIGNMSG operation modes.
When sig is None the call is a cheap length query: for ML-DSA
and other algorithms with a fixed output size, no cryptographic
computation is performed. When sig is Some(buf) the signature is
written and the number of bytes actually written is returned.
The context is not consumed so the same MessageSigner may be reused
across a size-query + actual-sign pair without re-initialisation.
Contrast with sign_oneshot: sign_oneshot
consumes self and always writes a signature; sign borrows self,
can query the required length cheaply (pass sig = None), and can be
called multiple times on the same context.
§Errors
Trait Implementations§
impl Drop for MessageSigner
Available on ossl320 only.
impl Send for MessageSigner
Available on ossl320 only.