See the OpenSSL
documentation for EC_KEY_get0_private_key()
See the OpenSSL
documentation for EC_KEY_set_private_key()
Returns whether this EC
instance has a private key. The private key (BN
) can be retrieved with EC#private_key
.
Encrypt string
with the private key. padding
defaults to PKCS1_PADDING
, which is known to be insecure but is kept for backwards compatibility. The encrypted string output can be decrypted using public_decrypt
.
Deprecated in version 3.0. Consider using PKey::PKey#sign_raw
and PKey::PKey#verify_raw
, and PKey::PKey#verify_recover
instead.
Decrypt string
, which has been encrypted with the public key, with the private key. padding
defaults to PKCS1_PADDING
, which is known to be insecure but is kept for backwards compatibility.
Deprecated in version 3.0. Consider using PKey::PKey#encrypt
and PKey::PKey#decrypt
instead.
Verifies data using the Probabilistic Signature Scheme (RSA-PSS).
The return value is true
if the signature is valid, false
otherwise. RSAError
will be raised if an error occurs.
See sign_pss
for the signing operation and an example code.
A String
containing the message digest algorithm name.
A String
. The data to be signed.
The length in octets of the salt. Two special values are reserved: :digest
means the digest length, and :auto
means automatically determining the length based on the signature.
The hash algorithm used in MGF1.
Sets the list of “supported elliptic curves” for this context.
For a TLS client, the list is directly used in the Supported Elliptic Curves Extension. For a server, the list is used by OpenSSL
to determine the set of shared curves. OpenSSL
will pick the most appropriate one from it.
ctx1 = OpenSSL::SSL::SSLContext.new ctx1.ecdh_curves = "X25519:P-256:P-224" svr = OpenSSL::SSL::SSLServer.new(tcp_svr, ctx1) Thread.new { svr.accept } ctx2 = OpenSSL::SSL::SSLContext.new ctx2.ecdh_curves = "P-256" cli = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx2) cli.connect p cli.tmp_key.group.curve_name # => "prime256v1" (is an alias for NIST P-256)
Closes the stream for writing. The behavior of this method depends on the version of OpenSSL
and the TLS protocol in use.
Sends a ‘close_notify’ alert to the peer.
Does not wait for the peer’s ‘close_notify’ alert in response.
In TLS 1.2 and earlier:
On receipt of a ‘close_notify’ alert, responds with a ‘close_notify’ alert of its own and close down the connection immediately, discarding any pending writes.
Therefore, on TLS 1.2, this method will cause the connection to be completely shut down. On TLS 1.3, the connection will remain open for reading only.
Writes string to the SSL
connection in a non-blocking manner. Raises an SSLError
if writing would block.
Returns the result of the peer certificates verification. See verify(1) for error values and descriptions.
If no peer certificate was presented X509_V_OK is returned.
Returns the human readable error string corresponding to the error code retrieved by error
.
See also the man page X509_verify_cert_error_string(3).
Returns the certificate which caused the error.
See also the man page X509_STORE_CTX_get_current_cert(3).
Returns the CRL
which caused the error.
See also the man page X509_STORE_CTX_get_current_crl(3).
Returns a status string for the response.
Returns the ln (long name) of the hash algorithm used to generate the issuerNameHash and the issuerKeyHash values.
Verifies the signature
for the data
using a public key pkey
. Unlike verify
, this method will not hash data
with digest
automatically.
Returns true
if the signature is successfully verified, false
otherwise. The caller must check the return value.
See sign_raw
for the signing operation and an example code.
Added in version 3.0. See also the man page EVP_PKEY_verify(3).
signature
A String
containing the signature to be verified.
Recovers the signed data from signature
using a public key pkey
. Not all signature algorithms support this operation.
Added in version 3.0. See also the man page EVP_PKEY_verify_recover(3).
signature
A String
containing the signature to be verified.
In cases no timestamp token has been created, this field contains further info about the reason why response creation failed. The method returns either nil (the request was successful and a timestamp token was created) or one of the following:
:BAD_ALG - Indicates that the timestamp server rejects the message imprint algorithm used in the Request
:BAD_REQUEST - Indicates that the timestamp server was not able to process the Request
properly
:BAD_DATA_FORMAT - Indicates that the timestamp server was not able to parse certain data in the Request
:TIME_NOT_AVAILABLE - Indicates that the server could not access its time source
:UNACCEPTED_POLICY - Indicates that the requested policy identifier is not recognized or supported by the timestamp server
:UNACCEPTED_EXTENSIION - Indicates that an extension in the Request
is not supported by the timestamp server
:ADD_INFO_NOT_AVAILABLE -Indicates that additional information requested is either not understood or currently not available
:SYSTEM_FAILURE - Timestamp
creation failed due to an internal error that occurred on the timestamp server
Returns the message imprint digest. For valid timestamps, this is the same value that was already given in the Request
. If status is GRANTED or GRANTED_WITH_MODS, this is never nil
.
mi = token_info.msg_imprint puts mi -> "DEADBEEF"
Returns serial number of the timestamp token. This value shall never be the same for two timestamp tokens issued by a dedicated timestamp authority. If status is GRANTED or GRANTED_WITH_MODS, this is never nil
.
Set
the message imprint digest.
Returns the message imprint (digest) of the data to be timestamped.