Add EVP_PKEY_supports_digest.

This is intended for TLS client auth with Windows CAPI- and CNG-backed keys
which implement sign over sign_raw and do not support all hash functions. Only
plumbed through RSA for now.

Change-Id: Ica42e7fb026840f817a169da9372dda226f7d6fd
Reviewed-on: https://boringssl-review.googlesource.com/2250
Reviewed-by: Adam Langley <agl@google.com>

1 files changed, 9 insertions, 1 deletions

diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index 16683cec..a545734e 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -259,9 +259,13 @@ OPENSSL_EXPORT int RSA_public_decrypt(int flen, const uint8_t *from,
 OPENSSL_EXPORT unsigned RSA_size(const RSA *rsa);
 
 /* RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key
- * material. Otherwise it return zero. */
+ * material. Otherwise it returns zero. */
 OPENSSL_EXPORT int RSA_is_opaque(const RSA *rsa);
 
+/* RSA_supports_digest returns one if |rsa| supports signing digests
+ * of type |md|. Otherwise it returns zero. */
+OPENSSL_EXPORT int RSA_supports_digest(const RSA *rsa, const EVP_MD *md);
+
 /* RSAPublicKey_dup allocates a fresh |RSA| and copies the private key from
  * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */
 OPENSSL_EXPORT RSA *RSAPublicKey_dup(const RSA *rsa);
@@ -410,6 +414,10 @@ struct rsa_meth_st {
   int flags;
 
   int (*keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
+
+  /* supports_digest returns one if |rsa| supports digests of type
+   * |md|. If null, it is assumed that all digests are supported. */
+  int (*supports_digest)(const RSA *rsa, const EVP_MD *md);
 };