An abstract class that bundles signature creation (PKey#sign) and validation (PKey#verify) that is common to all implementations except OpenSSL::PKey::DH

Class Methods

Because PKey is an abstract class, actually calling this method explicitly will raise a NotImplementedError.

Instance Methods

Used primarily to check if an OpenSSL::X509::Certificate#public_key compares to its private key.

Example

x509 = OpenSSL::X509::Certificate.new(pem_encoded_certificate)
rsa_key = OpenSSL::PKey::RSA.new(pem_encoded_private_key)

rsa_key.compare?(x509.public_key) => true | false

Performs a public key decryption operation using pkey.

See encrypt for a description of the parameters and an example.

Added in version 3.0. See also the man page EVP_PKEY_decrypt(3).

Derives a shared secret from pkey and peer_pkey. pkey must contain the private components, peer_pkey must contain the public components.

Performs a public key encryption operation using pkey.

See decrypt for the reverse operation.

Added in version 3.0. See also the man page EVP_PKEY_encrypt(3).

data

A String to be encrypted.

options

A Hash that contains algorithm specific control operations to OpenSSL. See OpenSSL’s man page EVP_PKEY_CTX_ctrl_str(3) for details.

Example:

pkey = OpenSSL::PKey.generate_key("RSA", rsa_keygen_bits: 2048)
data = "secret data"
encrypted = pkey.encrypt(data, rsa_padding_mode: "oaep")
decrypted = pkey.decrypt(data, rsa_padding_mode: "oaep")
p decrypted #=> "secret data"
No documentation available

Returns a string describing the PKey object.

Returns the short name of the OID associated with pkey.

Serializes the private key to DER-encoded PKCS #8 format. If called without arguments, unencrypted PKCS #8 PrivateKeyInfo format is used. If called with a cipher name and a password, PKCS #8 EncryptedPrivateKeyInfo format with PBES2 encryption scheme is used.

Serializes the private key to PEM-encoded PKCS #8 format. See private_to_der for more details.

An unencrypted PEM-encoded key will look like:

-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----

An encrypted PEM-encoded key will look like:

-----BEGIN ENCRYPTED PRIVATE KEY-----
[...]
-----END ENCRYPTED PRIVATE KEY-----

Serializes the public key to DER-encoded X.509 SubjectPublicKeyInfo format.

Serializes the public key to PEM-encoded X.509 SubjectPublicKeyInfo format.

A PEM-encoded key will look like:

-----BEGIN PUBLIC KEY-----
[...]
-----END PUBLIC KEY-----

See the OpenSSL documentation for EVP_PKEY_get_raw_private_key()

See the OpenSSL documentation for EVP_PKEY_get_raw_public_key()

Hashes and signs the data using a message digest algorithm digest and a private key pkey.

See verify for the verification operation.

See also the man page EVP_DigestSign(3).

digest

A String that represents the message digest algorithm name, or nil if the PKey type requires no digest algorithm. For backwards compatibility, this can be an instance of OpenSSL::Digest. Its state will not affect the signature.

data

A String. The data to be hashed and signed.

options

A Hash that contains algorithm specific control operations to OpenSSL. See OpenSSL’s man page EVP_PKEY_CTX_ctrl_str(3) for details. options parameter was added in version 3.0.

Example:

data = "Sign me!"
pkey = OpenSSL::PKey.generate_key("RSA", rsa_keygen_bits: 2048)
signopts = { rsa_padding_mode: "pss" }
signature = pkey.sign("SHA256", data, signopts)

# Creates a copy of the RSA key pkey, but without the private components
pub_key = pkey.public_key
puts pub_key.verify("SHA256", signature, data, signopts) # => true

Signs data using a private key pkey. Unlike sign, data will not be hashed by digest automatically.

See verify_raw for the verification operation.

Added in version 3.0. See also the man page EVP_PKEY_sign(3).

digest

A String that represents the message digest algorithm name, or nil if the PKey type requires no digest algorithm. Although this method will not hash data with it, this parameter may still be required depending on the signature algorithm.

data

A String. The data to be signed.

options

A Hash that contains algorithm specific control operations to OpenSSL. See OpenSSL’s man page EVP_PKEY_CTX_ctrl_str(3) for details.

Example:

data = "Sign me!"
hash = OpenSSL::Digest.digest("SHA256", data)
pkey = OpenSSL::PKey.generate_key("RSA", rsa_keygen_bits: 2048)
signopts = { rsa_padding_mode: "pss" }
signature = pkey.sign_raw("SHA256", hash, signopts)

# Creates a copy of the RSA key pkey, but without the private components
pub_key = pkey.public_key
puts pub_key.verify_raw("SHA256", signature, hash, signopts) # => true

Dumps key parameters, public key, and private key components contained in the key into a human-readable text.

This is intended for debugging purpose.

See also the man page EVP_PKEY_print_private(3).

Verifies the signature for the data using a message digest algorithm digest and a public key pkey.

Returns true if the signature is successfully verified, false otherwise. The caller must check the return value.

See sign for the signing operation and an example.

See also the man page EVP_DigestVerify(3).

digest

See sign.

signature

A String containing the signature to be verified.

data

See sign.

options

See sign. options parameter was added in version 3.0.

Verifies the signature for the data using a public key pkey. Unlike verify, this method will not hash data with digest automatically.

Returns true if the signature is successfully verified, false otherwise. The caller must check the return value.

See sign_raw for the signing operation and an example code.

Added in version 3.0. See also the man page EVP_PKEY_verify(3).

signature

A String containing the signature to be verified.

Recovers the signed data from signature using a public key pkey. Not all signature algorithms support this operation.

Added in version 3.0. See also the man page EVP_PKEY_verify_recover(3).

signature

A String containing the signature to be verified.