1PROVIDER-KEYMGMT(7ossl) OpenSSL PROVIDER-KEYMGMT(7ossl)
2
6 provider-keymgmt - The KEYMGMT library <-> provider functions
7
9 #include <openssl/core_dispatch.h>
10 /*
12 * None of these are actual functions, but are displayed like this for
13 * the function signatures for functions that are offered as function
14 * pointers in OSSL_DISPATCH arrays.
15 */
16 /* Key object (keydata) creation and destruction */
18 void *OSSL_FUNC_keymgmt_new(void *provctx);
19 void OSSL_FUNC_keymgmt_free(void *keydata);
20 /* Generation, a more complex constructor */
22 void *OSSL_FUNC_keymgmt_gen_init(void *provctx, int selection,
23 const OSSL_PARAM params[]);
24 int OSSL_FUNC_keymgmt_gen_set_template(void *genctx, void *template);
25 int OSSL_FUNC_keymgmt_gen_set_params(void *genctx, const OSSL_PARAM params[]);
26 const OSSL_PARAM *OSSL_FUNC_keymgmt_gen_settable_params(void *genctx,
27 void *provctx);
28 void *OSSL_FUNC_keymgmt_gen(void *genctx, OSSL_CALLBACK *cb, void *cbarg);
29 void OSSL_FUNC_keymgmt_gen_cleanup(void *genctx);
30 /* Key loading by object reference, also a constructor */
32 void *OSSL_FUNC_keymgmt_load(const void *reference, size_t *reference_sz);
33 /* Key object information */
35 int OSSL_FUNC_keymgmt_get_params(void *keydata, OSSL_PARAM params[]);
36 const OSSL_PARAM *OSSL_FUNC_keymgmt_gettable_params(void *provctx);
37 int OSSL_FUNC_keymgmt_set_params(void *keydata, const OSSL_PARAM params[]);
38 const OSSL_PARAM *OSSL_FUNC_keymgmt_settable_params(void *provctx);
39 /* Key object content checks */
41 int OSSL_FUNC_keymgmt_has(const void *keydata, int selection);
42 int OSSL_FUNC_keymgmt_match(const void *keydata1, const void *keydata2,
43 int selection);
44 /* Discovery of supported operations */
46 const char *OSSL_FUNC_keymgmt_query_operation_name(int operation_id);
47 /* Key object import and export functions */
49 int OSSL_FUNC_keymgmt_import(void *keydata, int selection, const OSSL_PARAM params[]);
50 const OSSL_PARAM *OSSL_FUNC_keymgmt_import_types(int selection);
51 int OSSL_FUNC_keymgmt_export(void *keydata, int selection,
52 OSSL_CALLBACK *param_cb, void *cbarg);
53 const OSSL_PARAM *OSSL_FUNC_keymgmt_export_types(int selection);
54 /* Key object duplication, a constructor */
56 void *OSSL_FUNC_keymgmt_dup(const void *keydata_from, int selection);
57 /* Key object validation */
59 int OSSL_FUNC_keymgmt_validate(const void *keydata, int selection, int checktype);
60
62 The KEYMGMT operation doesn't have much public visibility in OpenSSL
63 libraries, it's rather an internal operation that's designed to work in
64 tandem with operations that use private/public key pairs.
65 Because the KEYMGMT operation shares knowledge with the operations it
67 works with in tandem, they must belong to the same provider. The
68 OpenSSL libraries will ensure that they do.
69 The primary responsibility of the KEYMGMT operation is to hold the
71 provider side key data for the OpenSSL library EVP_PKEY structure.
72 All "functions" mentioned here are passed as function pointers between
74 libcrypto and the provider in OSSL_DISPATCH(3) arrays via
75 OSSL_ALGORITHM(3) arrays that are returned by the provider's
76 provider_query_operation() function (see "Provider Functions" in
77 provider-base(7)).
78 All these "functions" have a corresponding function type definition
80 named OSSL_FUNC_{name}_fn, and a helper function to retrieve the
81 function pointer from a OSSL_DISPATCH(3) element named
82 OSSL_FUNC_{name}. For example, the "function" OSSL_FUNC_keymgmt_new()
83 has these:
84 typedef void *(OSSL_FUNC_keymgmt_new_fn)(void *provctx);
86 static ossl_inline OSSL_FUNC_keymgmt_new_fn
87 OSSL_FUNC_keymgmt_new(const OSSL_DISPATCH *opf);
88 OSSL_DISPATCH(3) arrays are indexed by numbers that are provided as
90 macros in openssl-core_dispatch.h(7), as follows:
91 OSSL_FUNC_keymgmt_new OSSL_FUNC_KEYMGMT_NEW
93 OSSL_FUNC_keymgmt_free OSSL_FUNC_KEYMGMT_FREE
94 OSSL_FUNC_keymgmt_gen_init OSSL_FUNC_KEYMGMT_GEN_INIT
96 OSSL_FUNC_keymgmt_gen_set_template OSSL_FUNC_KEYMGMT_GEN_SET_TEMPLATE
97 OSSL_FUNC_keymgmt_gen_set_params OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS
98 OSSL_FUNC_keymgmt_gen_settable_params OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS
99 OSSL_FUNC_keymgmt_gen OSSL_FUNC_KEYMGMT_GEN
100 OSSL_FUNC_keymgmt_gen_cleanup OSSL_FUNC_KEYMGMT_GEN_CLEANUP
101 OSSL_FUNC_keymgmt_load OSSL_FUNC_KEYMGMT_LOAD
103 OSSL_FUNC_keymgmt_get_params OSSL_FUNC_KEYMGMT_GET_PARAMS
105 OSSL_FUNC_keymgmt_gettable_params OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS
106 OSSL_FUNC_keymgmt_set_params OSSL_FUNC_KEYMGMT_SET_PARAMS
107 OSSL_FUNC_keymgmt_settable_params OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS
108 OSSL_FUNC_keymgmt_query_operation_name OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME
110 OSSL_FUNC_keymgmt_has OSSL_FUNC_KEYMGMT_HAS
112 OSSL_FUNC_keymgmt_validate OSSL_FUNC_KEYMGMT_VALIDATE
113 OSSL_FUNC_keymgmt_match OSSL_FUNC_KEYMGMT_MATCH
114 OSSL_FUNC_keymgmt_import OSSL_FUNC_KEYMGMT_IMPORT
116 OSSL_FUNC_keymgmt_import_types OSSL_FUNC_KEYMGMT_IMPORT_TYPES
117 OSSL_FUNC_keymgmt_export OSSL_FUNC_KEYMGMT_EXPORT
118 OSSL_FUNC_keymgmt_export_types OSSL_FUNC_KEYMGMT_EXPORT_TYPES
119 OSSL_FUNC_keymgmt_dup OSSL_FUNC_KEYMGMT_DUP
121 Key Objects
123 A key object is a collection of data for an asymmetric key, and is
124 represented as keydata in this manual.
125 The exact contents of a key object are defined by the provider, and it
127 is assumed that different operations in one and the same provider use
128 the exact same structure to represent this collection of data, so that
129 for example, a key object that has been created using the KEYMGMT
130 interface that we document here can be passed as is to other provider
131 operations, such as OP_signature_sign_init() (see
132 provider-signature(7)).
133 With some of the KEYMGMT functions, it's possible to select a specific
135 subset of data to handle, governed by the bits in a selection
136 indicator. The bits are:
137 OSSL_KEYMGMT_SELECT_PRIVATE_KEY
139 Indicating that the private key data in a key object should be
140 considered.
141 OSSL_KEYMGMT_SELECT_PUBLIC_KEY
143 Indicating that the public key data in a key object should be
144 considered.
145 OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS
147 Indicating that the domain parameters in a key object should be
148 considered.
149 OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS
151 Indicating that other parameters in a key object should be
152 considered.
153 Other parameters are key parameters that don't fit any other
155 classification. In other words, this particular selector bit works
156 as a last resort bit bucket selector.
157 Some selector bits have also been combined for easier use:
159 OSSL_KEYMGMT_SELECT_ALL_PARAMETERS
161 Indicating that all key object parameters should be considered,
162 regardless of their more granular classification.
163 This is a combination of OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS and
165 OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS.
166 OSSL_KEYMGMT_SELECT_KEYPAIR
168 Indicating that both the whole key pair in a key object should be
169 considered, i.e. the combination of public and private key.
170 This is a combination of OSSL_KEYMGMT_SELECT_PRIVATE_KEY and
172 OSSL_KEYMGMT_SELECT_PUBLIC_KEY.
173 OSSL_KEYMGMT_SELECT_ALL
175 Indicating that everything in a key object should be considered.
176 The exact interpretation of those bits or how they combine is left to
178 each function where you can specify a selector.
179 It's left to the provider implementation to decide what is reasonable
181 to do with regards to received selector bits and how to do it. Among
182 others, an implementation of OSSL_FUNC_keymgmt_match() might opt to not
183 compare the private half if it has compared the public half, since a
184 match of one half implies a match of the other half.
185 Constructing and Destructing Functions
187 OSSL_FUNC_keymgmt_new() should create a provider side key object. The
188 provider context provctx is passed and may be incorporated in the key
189 object, but that is not mandatory.
190 OSSL_FUNC_keymgmt_free() should free the passed keydata.
192 OSSL_FUNC_keymgmt_gen_init(), OSSL_FUNC_keymgmt_gen_set_template(),
194 OSSL_FUNC_keymgmt_gen_set_params(),
195 OSSL_FUNC_keymgmt_gen_settable_params(), OSSL_FUNC_keymgmt_gen() and
196 OSSL_FUNC_keymgmt_gen_cleanup() work together as a more elaborate
197 context based key object constructor.
198 OSSL_FUNC_keymgmt_gen_init() should create the key object generation
200 context and initialize it with selections, which will determine what
201 kind of contents the key object to be generated should get. The
202 params, if not NULL, should be set on the context in a manner similar
203 to using OSSL_FUNC_keymgmt_set_params().
204 OSSL_FUNC_keymgmt_gen_set_template() should add template to the context
206 genctx. The template is assumed to be a key object constructed with
207 the same KEYMGMT, and from which content that the implementation
208 chooses can be used as a template for the key object to be generated.
209 Typically, the generation of a DSA or DH key would get the domain
210 parameters from this template.
211 OSSL_FUNC_keymgmt_gen_set_params() should set additional parameters
213 from params in the key object generation context genctx.
214 OSSL_FUNC_keymgmt_gen_settable_params() should return a constant array
216 of descriptor OSSL_PARAM(3), for parameters that
217 OSSL_FUNC_keymgmt_gen_set_params() can handle.
218 OSSL_FUNC_keymgmt_gen() should perform the key object generation
220 itself, and return the result. The callback cb should be called at
221 regular intervals with indications on how the key object generation
222 progresses.
223 OSSL_FUNC_keymgmt_gen_cleanup() should clean up and free the key object
225 generation context genctx
226 OSSL_FUNC_keymgmt_load() creates a provider side key object based on a
228 reference object with a size of reference_sz bytes, that only the
229 provider knows how to interpret, but that may come from other
230 operations. Outside the provider, this reference is simply an array of
231 bytes.
232 At least one of OSSL_FUNC_keymgmt_new(), OSSL_FUNC_keymgmt_gen() and
234 OSSL_FUNC_keymgmt_load() are mandatory, as well as
235 OSSL_FUNC_keymgmt_free() and OSSL_FUNC_keymgmt_has(). Additionally, if
236 OSSL_FUNC_keymgmt_gen() is present, OSSL_FUNC_keymgmt_gen_init() and
237 OSSL_FUNC_keymgmt_gen_cleanup() must be present as well.
238 Key Object Information Functions
240 OSSL_FUNC_keymgmt_get_params() should extract information data
241 associated with the given keydata, see "Common Information Parameters".
242 OSSL_FUNC_keymgmt_gettable_params() should return a constant array of
244 descriptor OSSL_PARAM(3), for parameters that
245 OSSL_FUNC_keymgmt_get_params() can handle.
246 If OSSL_FUNC_keymgmt_gettable_params() is present,
248 OSSL_FUNC_keymgmt_get_params() must also be present, and vice versa.
249 OSSL_FUNC_keymgmt_set_params() should update information data
251 associated with the given keydata, see "Common Information Parameters".
252 OSSL_FUNC_keymgmt_settable_params() should return a constant array of
254 descriptor OSSL_PARAM(3), for parameters that
255 OSSL_FUNC_keymgmt_set_params() can handle.
256 If OSSL_FUNC_keymgmt_settable_params() is present,
258 OSSL_FUNC_keymgmt_set_params() must also be present, and vice versa.
259 Key Object Checking Functions
261 OSSL_FUNC_keymgmt_query_operation_name() should return the name of the
262 supported algorithm for the operation operation_id. This is similar to
263 provider_query_operation() (see provider-base(7)), but only works as an
264 advisory. If this function is not present, or returns NULL, the caller
265 is free to assume that there's an algorithm from the same provider, of
266 the same name as the one used to fetch the keymgmt and try to use that.
267 OSSL_FUNC_keymgmt_has() should check whether the given keydata contains
269 the subsets of data indicated by the selector. A combination of
270 several selector bits must consider all those subsets, not just one.
271 An implementation is, however, free to consider an empty subset of data
272 to still be a valid subset. For algorithms where some selection is not
273 meaningful such as OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS for RSA keys
274 the function should just return 1 as the selected subset is not really
275 missing in the key.
276 OSSL_FUNC_keymgmt_validate() should check if the keydata contains valid
278 data subsets indicated by selection. Some combined selections of data
279 subsets may cause validation of the combined data. For example, the
280 combination of OSSL_KEYMGMT_SELECT_PRIVATE_KEY and
281 OSSL_KEYMGMT_SELECT_PUBLIC_KEY (or OSSL_KEYMGMT_SELECT_KEYPAIR for
282 short) is expected to check that the pairwise consistency of keydata is
283 valid. The checktype parameter controls what type of check is performed
284 on the subset of data. Two types of check are defined:
285 OSSL_KEYMGMT_VALIDATE_FULL_CHECK and OSSL_KEYMGMT_VALIDATE_QUICK_CHECK.
286 The interpretation of how much checking is performed in a full check
287 versus a quick check is key type specific. Some providers may have no
288 distinction between a full check and a quick check. For algorithms
289 where some selection is not meaningful such as
290 OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS for RSA keys the function should
291 just return 1 as there is nothing to validate for that selection.
292 OSSL_FUNC_keymgmt_match() should check if the data subset indicated by
294 selection in keydata1 and keydata2 match. It is assumed that the
295 caller has ensured that keydata1 and keydata2 are both owned by the
296 implementation of this function.
297 Key Object Import, Export and Duplication Functions
299 OSSL_FUNC_keymgmt_import() should import data indicated by selection
300 into keydata with values taken from the OSSL_PARAM(3) array params.
301 OSSL_FUNC_keymgmt_export() should extract values indicated by selection
303 from keydata, create an OSSL_PARAM(3) array with them and call param_cb
304 with that array as well as the given cbarg.
305 OSSL_FUNC_keymgmt_import_types() should return a constant array of
307 descriptor OSSL_PARAM(3) for data indicated by selection, for
308 parameters that OSSL_FUNC_keymgmt_import() can handle.
309 OSSL_FUNC_keymgmt_export_types() should return a constant array of
311 descriptor OSSL_PARAM(3) for data indicated by selection, that the
312 OSSL_FUNC_keymgmt_export() callback can expect to receive.
313 OSSL_FUNC_keymgmt_dup() should duplicate data subsets indicated by
315 selection or the whole key data keydata_from and create a new provider
316 side key object with the data.
317 Common Information Parameters
319 See OSSL_PARAM(3) for further details on the parameters structure.
320 Common information parameters currently recognised by all built-in
322 keymgmt algorithms are as follows:
323 "bits" (OSSL_PKEY_PARAM_BITS) <integer>
325 The value should be the cryptographic length of the cryptosystem to
326 which the key belongs, in bits. The definition of cryptographic
327 length is specific to the key cryptosystem.
328 "max-size" (OSSL_PKEY_PARAM_MAX_SIZE) <integer>
330 The value should be the maximum size that a caller should allocate
331 to safely store a signature (called sig in provider-signature(7)),
332 the result of asymmmetric encryption / decryption (out in
333 provider-asym_cipher(7), a derived secret (secret in
334 provider-keyexch(7), and similar data).
335 Because an EVP_KEYMGMT method is always tightly bound to another
337 method (signature, asymmetric cipher, key exchange, ...) and must
338 be of the same provider, this number only needs to be synchronised
339 with the dimensions handled in the rest of the same provider.
340 "security-bits" (OSSL_PKEY_PARAM_SECURITY_BITS) <integer>
342 The value should be the number of security bits of the given key.
343 Bits of security is defined in SP800-57.
344 "mandatory-digest" (OSSL_PKEY_PARAM_MANDATORY_DIGEST) <UTF8 string>
346 If there is a mandatory digest for performing a signature operation
347 with keys from this keymgmt, this parameter should get its name as
348 value.
349 When EVP_PKEY_get_default_digest_name() queries this parameter and
351 it's filled in by the implementation, its return value will be 2.
352 If the keymgmt implementation fills in the value "" or "UNDEF",
354 EVP_PKEY_get_default_digest_name(3) will place the string "UNDEF"
355 into its argument mdname. This signifies that no digest should be
356 specified with the corresponding signature operation.
357 "default-digest" (OSSL_PKEY_PARAM_DEFAULT_DIGEST) <UTF8 string>
359 If there is a default digest for performing a signature operation
360 with keys from this keymgmt, this parameter should get its name as
361 value.
362 When EVP_PKEY_get_default_digest_name(3) queries this parameter and
364 it's filled in by the implementation, its return value will be 1.
365 Note that if OSSL_PKEY_PARAM_MANDATORY_DIGEST is responded to as
366 well, EVP_PKEY_get_default_digest_name(3) ignores the response to
367 this parameter.
368 If the keymgmt implementation fills in the value "" or "UNDEF",
370 EVP_PKEY_get_default_digest_name(3) will place the string "UNDEF"
371 into its argument mdname. This signifies that no digest has to be
372 specified with the corresponding signature operation, but may be
373 specified as an option.
374
376 OSSL_FUNC_keymgmt_new() and OSSL_FUNC_keymgmt_dup() should return a
377 valid reference to the newly created provider side key object, or NULL
378 on failure.
379 OSSL_FUNC_keymgmt_import(), OSSL_FUNC_keymgmt_export(),
381 OSSL_FUNC_keymgmt_get_params() and OSSL_FUNC_keymgmt_set_params()
382 should return 1 for success or 0 on error.
383 OSSL_FUNC_keymgmt_validate() should return 1 on successful validation,
385 or 0 on failure.
386 OSSL_FUNC_keymgmt_has() should return 1 if all the selected data
388 subsets are contained in the given keydata or 0 otherwise.
389 OSSL_FUNC_keymgmt_query_operation_name() should return a pointer to a
391 string matching the requested operation, or NULL if the same name used
392 to fetch the keymgmt applies.
393 OSSL_FUNC_keymgmt_gettable_params() and
395 OSSL_FUNC_keymgmt_settable_params() OSSL_FUNC_keymgmt_import_types(),
396 OSSL_FUNC_keymgmt_export_types() should always return a constant
397 OSSL_PARAM(3) array.
398
400 provider(7), EVP_PKEY-X25519(7), EVP_PKEY-X448(7), EVP_PKEY-ED25519(7),
401 EVP_PKEY-ED448(7), EVP_PKEY-EC(7), EVP_PKEY-RSA(7), EVP_PKEY-DSA(7),
402 EVP_PKEY-DH(7)
403
405 The KEYMGMT interface was introduced in OpenSSL 3.0.
406
408 Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
409 Licensed under the Apache License 2.0 (the "License"). You may not use
411 this file except in compliance with the License. You can obtain a copy
412 in the file LICENSE in the source distribution or at
413 <https://www.openssl.org/source/license.html>.
4143.1.1 2023-08-31 PROVIDER-KEYMGMT(7ossl)