ASN1_ITEM_SIGN(3) Library Functions Manual ASN1_ITEM_SIGN(3)

ASN1_item_sign, ASN1_item_sign_ctxDER-encode and sign an ASN.1 value

/* -lcrypto */
#include <openssl/x509.h>

int
ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, ASN1_BIT_STRING *sig_out, void *val_in, EVP_PKEY *pkey, const EVP_MD *type);

int
ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, ASN1_BIT_STRING *sig_out, void *val_in, EVP_MD_CTX *ctx);

() assumes that val_in is an ASN1_VALUE of the type specified by it, encodes it into DER format by calling ASN1_item_i2d(3), and signs the resulting byte array in a way similar to EVP_DigestSign(3), using a signing context created with EVP_DigestSignInit(3) for the given digest type and private key pkey. The created signature is placed into the sig_out object provided by the caller, freeing and replacing any data already contained in that object.

() is similar except that the provided ctx is used rather than creating a new one. No matter whether ASN1_item_sign_ctx() succeeds or fails, EVP_MD_CTX_cleanup(3) is called on ctx before returning.

For both functions, unless algor1 is NULL, its algorithm OID and parameter type are set according to the digest type used, and its parameter value is cleared. In RSA-PSS mode, the parameter value is also copied into algor1. Unless algor2 is NULL, the same data is copied into it.

These functions return the length of the signature in bytes or 0 if memory allocation, encoding, or signing fails.

ASN1_item_sign_ctx() also fails and returns 0 if ctx is not fully initialized.

ASN1_BIT_STRING_new(3), ASN1_item_digest(3), ASN1_item_i2d(3), ASN1_item_verify(3), EVP_Digest(3), EVP_DigestSign(3), EVP_MD_CTX_new(3), EVP_PKEY_new(3), OBJ_find_sigid_by_algs(3), X509_ALGOR_new(3)

ASN1_item_sign() first appeared in OpenSSL 0.9.7 and has been available since OpenBSD 3.1.

ASN1_item_sign_ctx() first appeared in OpenSSL 1.0.1 and has been available since OpenBSD 5.3.

OpenBSD 7.8 June 8, 2025 ASN1_ITEM_SIGN(3)