On 19/08/2020 02:01, Norm Green wrote: > In 3.0 I see this new function in evp.h : > > int EVP_PKEY_can_sign(const EVP_PKEY *pkey); > > Is there an equivalent way to check if a key can verify? I'm not seeing > an obvious way to do that. Previously I used > EVP_PKEY_meth_get_verifyctx() but that call is now deprecated in 3.0. That function checks whether the algorithm used by the key is capable of doing signature operations. It does *not* check whether the key itself has all the required components in order to perform the signature (nor whether there are any available provider implementations that implement it). >From the docs: "EVP_PKEY_can_sign() checks if the functionality for the key type of I<pkey> supports signing. No other check is done, such as whether I<pkey> contains a private key." Since there's not much point in having an algorithm that can create signatures, which can't also verify them, then the two operations are equivalent, i.e. if we had a function called `EVP_PKEY_can_verify()` it would be synonymous with `EVP_PKEY_can_sign()`. Matt
