authorcinap_lenrek <cinap_lenrek@felloff.net>2017-02-10 22:39:47 +0100
committercinap_lenrek <cinap_lenrek@felloff.net>2017-02-10 22:39:47 +0100
commit7d4a1e3643caa658ee40271edb0dc9a48fd50b58 (patch)
treefa044ec1f909d036cb886a0e960694f28e597a62 /sys/man/2
parent6840a9aafdd1356152765d2f9e0bd980fbc6cd6f (diff)
ec(2), rsa(2): document X509toECpub(), X509ecdsaverify(), X509ecdsaverifydigest(), X509rsaverifydigest()
Diffstat (limited to 'sys/man/2')
-rw-r--r--sys/man/2/ec29
-rw-r--r--sys/man/2/rsa27
2 files changed, 51 insertions, 5 deletions
diff --git a/sys/man/2/ec b/sys/man/2/ec
index 50f61ea9e..9dcff1d8e 100644
--- a/sys/man/2/ec
+++ b/sys/man/2/ec
@@ -16,7 +16,10 @@ ecdsasign,
ecdsaverify,
ecencodepub,
ecdecodepub,
-ecpubfree \- elliptic curve cryptography
+ecpubfree,
+X509toECpub,
+X509ecdsaverify,
+X509ecdsaverifydigest \- elliptic curve cryptography
.SH SYNOPSIS
.B #include <u.h>
.br
@@ -76,6 +79,15 @@ ECpub* ecdecodepub(ECdomain *dom, uchar *data, int len)
.PP
.B
void ecpubfree(ECpub *p);
+.PP
+.B
+ECpub* X509toECpub(uchar *cert, int ncert, char *name, int nname, ECdomain *dom)
+.PP
+.B
+char* X509ecdsaverify(uchar *cert, int ncert, ECdomain *dom, ECpub *pub)
+.PP
+.B
+char* X509ecdsaverifydigest(uchar *sig, int siglen, uchar *edigest, int edigestlen, ECdomain *dom, ECpub *pub)
.DT
.SH DESCRIPTION
These functions implement elliptic curve cryptography.
@@ -154,6 +166,19 @@ also verifies that the public key is valid in the specified domain.
frees a
.B ECpub
structure and its associated members.
+.PP
+Given a binary X.509 cert, the function
+.B X509toECpub
+initializes domain parameters and returns the ECDSA public key. if
+.I name
+is not
+.BR nil ,
+the CN part of the Distinguished Name of the certificate's Subject is returned.
+.B X509ecdsaverify
+and
+.B X509ecdsaverifydigest
+are analogs to the routines described by
+.IR rsa (2).
.SH RETURN VALUE
.B *verify
functions return
@@ -168,6 +193,8 @@ failing
.SH SOURCE
.B /sys/src/libsec/port/ecc.c
.SH SEE ALSO
+.IR rsa (2)
+.br
.I
Standards for Efficient Cryptography (SEC) 1: Elliptic Curve Cryptography
- Certicom Research, 2009
diff --git a/sys/man/2/rsa b/sys/man/2/rsa
index 8d09bd36d..59606e923 100644
--- a/sys/man/2/rsa
+++ b/sys/man/2/rsa
@@ -15,7 +15,8 @@ rsapubfree,
X509toRSApub,
X509rsagen,
X509rsareq,
-X509rsaverify \- RSA encryption algorithm
+X509rsaverify,
+X509rsaverifydigest \- RSA encryption algorithm
.SH SYNOPSIS
.B #include <u.h>
.br
@@ -74,6 +75,9 @@ uchar* X509rsareq(RSApriv *priv, char *subj, int *certlen);
.PP
.B
char* X509rsaverify(uchar *cert, int ncert, RSApub *pk)
+.PP
+.B
+char* X509rsaverifydigest(uchar *sig, int siglen, uchar *edigest, int edigestlen, RSApub *pk)
.DT
.SH DESCRIPTION
RSA is a public key encryption algorithm. The owner of a key publishes
@@ -145,7 +149,9 @@ the routine
.I X509toRSApub
returns the public key and, if
.I name
-is not nil, the CN part of the Distinguished Name of the
+is not
+.BR nil ,
+the CN part of the Distinguished Name of the
certificate's Subject.
(This is conventionally a userid or a host DNS name.)
No verification is done of the certificate signature; the
@@ -162,7 +168,19 @@ certificates signed by a known trusted key
.I X509rsaverify
checks the signature on
.IR cert .
-It returns nil if successful, else an error string.
+It returns
+.B nil
+if successful, else an error string.
+.PP
+.I X509rsaverifydigest
+takes a encoded PKCS #1 signature as used in X.509 as
+.IR sig [ siglen ]
+and verifies it against the expected cryptographic hash
+.IR edigest [ edigestlen ]
+of the signed data;
+returning
+.B nil
+on success or an error string.
.PP
.I X509rsagen
creates a self-signed X.509 certificate, given an RSA keypair
@@ -210,7 +228,8 @@ Otherwise
is returned and
.BI * len
is undefined.
-If not nil,
+If not
+.BR nil ,
.I new_s
is set to the first character beyond the
.I type