OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID,
OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS,
OPT_RAND_SERIAL,
- OPT_R_ENUM, OPT_SM2ID, OPT_SM2HEXID,
+ OPT_R_ENUM, OPT_SM2ID, OPT_SM2HEXID, OPT_PROV_ENUM,
/* Do not change the order here; see related case statements below */
OPT_CRL_REASON, OPT_CRL_HOLD, OPT_CRL_COMPROMISE, OPT_CRL_CA_COMPROMISE
} OPTION_CHOICE;
{"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"certreq", 0, 0, "Certificate requests to be signed (optional)"},
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_KEY:
key = opt_arg();
break;
OPT_PSK,
OPT_SRP,
OPT_CIPHERSUITES,
- OPT_V, OPT_UPPER_V, OPT_S
+ OPT_V, OPT_UPPER_V, OPT_S, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ciphers_options[] = {
#endif
{"ciphersuites", OPT_CIPHERSUITES, 's',
"Configure the TLSv1.3 ciphersuites to use"},
+ OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"cipher", 0, 0, "Cipher string to decode (optional)"},
case OPT_CIPHERSUITES:
ciphersuites = opt_arg();
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argv = opt_rest();
OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
OPT_3DES_WRAP, OPT_WRAP, OPT_ENGINE,
OPT_R_ENUM,
+ OPT_PROV_ENUM,
OPT_V_ENUM,
OPT_CIPHER,
OPT_ORIGINATOR
OPT_R_OPTIONS,
OPT_V_OPTIONS,
+ OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"cert", 0, 0, "Recipient certs (optional; used only when encrypting)"},
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_3DES_WRAP:
# ifndef OPENSSL_NO_DES
wrap_cipher = EVP_des_ede3_wrap();
OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT,
OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_VERIFY, OPT_TEXT, OPT_HASH,
- OPT_HASH_OLD, OPT_NOOUT, OPT_NAMEOPT, OPT_MD
+ OPT_HASH_OLD, OPT_NOOUT, OPT_NAMEOPT, OPT_MD, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS crl_options[] = {
"Do not load certificates from the default certificates directory"},
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store"},
+ OPT_PROV_OPTIONS,
{NULL}
};
case OPT_MD:
if (!opt_md(opt_unknown(), &digest))
goto opthelp;
+ break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE
+ OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS crl2pkcs7_options[] = {
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file"},
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
+
+ OPT_PROV_OPTIONS,
{NULL}
};
if (!sk_OPENSSL_STRING_push(certflst, opt_arg()))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT,
OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT,
OPT_DIGEST,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS dgst_options[] = {
"Compute HMAC with the key used in OpenSSL-FIPS fingerprint"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"file", 0, 0, "Files to digest (optional; default is stdin)"},
goto opthelp;
md = m;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
OPT_ENGINE, OPT_CHECK, OPT_TEXT, OPT_NOOUT,
OPT_DSAPARAM, OPT_C, OPT_2, OPT_3, OPT_5,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS dhparam_options[] = {
{"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"numbits", 0, 0, "Number of bits if generating parameters (optional)"},
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
/* Do not change the order here; see case statements below */
OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG,
OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_PUBIN,
- OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT
+ OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS dsa_options[] = {
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+ OPT_PROV_OPTIONS,
{NULL}
};
if (!opt_cipher(opt_unknown(), &enc))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
OPT_NOOUT, OPT_GENKEY, OPT_ENGINE, OPT_VERBOSE,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS dsaparam_options[] = {
{"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"numbits", 0, 0, "Number of bits if generating parameters (optional)"},
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_NOOUT:
noout = 1;
break;
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT,
OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER,
- OPT_NO_PUBLIC, OPT_CHECK
+ OPT_NO_PUBLIC, OPT_CHECK, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ec_options[] = {
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
{"no_public", OPT_NO_PUBLIC, '-', "exclude public key from private key"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+
+ OPT_PROV_OPTIONS,
{NULL}
};
case OPT_CHECK:
check = 1;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
OPT_CHECK, OPT_LIST_CURVES, OPT_NO_SEED, OPT_NOOUT, OPT_NAME,
OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_ENGINE, OPT_CHECK_NAMED,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ecparam_options[] = {
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
{NULL}
};
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS enc_options[] = {
{"", OPT_CIPHER, '-', "Any supported cipher"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
{NULL}
};
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
if (opt_num_rest() != 0) {
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_CIPHER, OPT_VERBOSE,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS gendsa_options[] = {
{"out", OPT_OUT, '>', "Output the key to the specified file"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_CIPHER:
if (!opt_cipher(opt_unknown(), &enc))
goto end;
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE,
- OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER
+ OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS genpkey_options[] = {
{"text", OPT_TEXT, '-', "Print the in text"},
{"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"},
+ OPT_PROV_OPTIONS,
+
/* This is deliberately last. */
{OPT_HELP_STR, 1, 1,
"Order of options may be important! See the documentation.\n"},
BIO_printf(bio_err, "%s: cipher mode not supported\n", prog);
goto end;
}
+ break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_3, OPT_F4, OPT_ENGINE,
OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_PRIMES, OPT_VERBOSE,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS genrsa_options[] = {
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"numbits", 0, 0, "Size of key in bits"},
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_PASSOUT:
passoutarg = opt_arg();
break;
OPT_R__FIRST: case OPT_R__LAST: break; \
case OPT_R_RAND: case OPT_R_WRITERAND
+/*
+ * Provider options.
+ */
+# define OPT_PROV_ENUM \
+ OPT_PROV__FIRST=1600, \
+ OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, \
+ OPT_PROV__LAST
+
+# define OPT_PROV_OPTIONS \
+ OPT_SECTION("Provider"), \
+ { "provider", OPT_PROV_PROVIDER, 's', "Provder to load (can be specified multiple times)" }, \
+ { "provider_path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path" }
+
+# define OPT_PROV_CASES \
+ OPT_PROV__FIRST: case OPT_PROV__LAST: break; \
+ case OPT_PROV_PROVIDER: \
+ case OPT_PROV_PROVIDER_PATH
+
/*
* Option parsing.
*/
int opt_num_rest(void);
int opt_verify(int i, X509_VERIFY_PARAM *vpm);
int opt_rand(int i);
+int opt_provider(int i);
void opt_help(const OPTIONS * list);
void opt_print(const OPTIONS * opt, int doingparams, int width);
int opt_format_error(const char *s, unsigned long flags);
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- OPT_KDFOPT, OPT_BIN, OPT_KEYLEN, OPT_OUT
+ OPT_KDFOPT, OPT_BIN, OPT_KEYLEN, OPT_OUT,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS kdf_options[] = {
{"binary", OPT_BIN, '-',
"Output in binary format (default is hexadecimal)"},
+ OPT_PROV_OPTIONS,
+
OPT_PARAMETERS(),
{"kdf_name", 0, 0, "Name of the KDF algorithm"},
{NULL}
if (opts == NULL || !sk_OPENSSL_STRING_push(opts, opt_arg()))
goto opthelp;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto err;
+ break;
}
}
argc = opt_num_rest();
--- /dev/null
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "apps.h"
+#include <openssl/err.h>
+#include <openssl/provider.h>
+
+/*
+ * See comments in opt_verify for explanation of this.
+ */
+enum prov_range { OPT_PROV_ENUM };
+
+static int opt_provider_load(const char *provider)
+{
+ OSSL_PROVIDER *prov;
+
+ prov = OSSL_PROVIDER_load(NULL, provider);
+ if (prov == NULL) {
+ opt_printf_stderr("%s: unable to load provider %s\n",
+ opt_getprog(), provider);
+ return 0;
+ }
+ return 1;
+}
+
+static int opt_provider_path(const char *path)
+{
+ if (path != NULL && *path == '\0')
+ path = NULL;
+ return OSSL_PROVIDER_set_default_search_path(NULL, path);
+}
+
+int opt_provider(int opt)
+{
+ switch ((enum prov_range)opt) {
+ case OPT_PROV__FIRST:
+ case OPT_PROV__LAST:
+ return 1;
+ case OPT_PROV_PROVIDER:
+ return opt_provider_load(opt_arg());
+ case OPT_PROV_PROVIDER_PATH:
+ return opt_provider_path(opt_arg());
+ }
+ return 0;
+}
# Source for libapps
$LIBAPPSSRC=apps.c apps_ui.c opt.c fmt.c s_cb.c s_socket.c app_rand.c \
- columns.c app_params.c names.c
+ columns.c app_params.c names.c app_provider.c
IF[{- !$disabled{apps} -}]
LIBS{noinst}=../libapps.a
OPT_COMMANDS, OPT_DIGEST_COMMANDS, OPT_MAC_ALGORITHMS, OPT_OPTIONS,
OPT_DIGEST_ALGORITHMS, OPT_CIPHER_COMMANDS, OPT_CIPHER_ALGORITHMS,
OPT_PK_ALGORITHMS, OPT_PK_METHOD, OPT_ENGINES, OPT_DISABLED,
- OPT_KDF_ALGORITHMS, OPT_MISSING_HELP, OPT_OBJECTS
+ OPT_KDF_ALGORITHMS, OPT_MISSING_HELP, OPT_OBJECTS,
+ OPT_PROV_ENUM
} HELPLIST_CHOICE;
const OPTIONS list_options[] = {
"List options for specified command"},
{"objects", OPT_OBJECTS, '-',
"List built in objects (OID<->name mappings)"},
+
+ OPT_PROV_OPTIONS,
{NULL}
};
case OPT_VERBOSE:
verbose = 1;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ return 1;
+ break;
}
done = 1;
}
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- OPT_MACOPT, OPT_BIN, OPT_IN, OPT_OUT
+ OPT_MACOPT, OPT_BIN, OPT_IN, OPT_OUT,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS mac_options[] = {
{"binary", OPT_BIN, '-',
"Output in binary format (default is hexadecimal)"},
+ OPT_PROV_OPTIONS,
+
OPT_PARAMETERS(),
{"mac_name", 0, 0, "MAC algorithm"},
{NULL}
if (opts == NULL || !sk_OPENSSL_STRING_push(opts, opt_arg()))
goto opthelp;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto err;
+ break;
}
}
argc = opt_num_rest();
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- OPT_TOSEQ, OPT_IN, OPT_OUT
+ OPT_TOSEQ, OPT_IN, OPT_OUT,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS nseq_options[] = {
OPT_SECTION("Output"),
{"toseq", OPT_TOSEQ, '-', "Output NS Sequence file"},
{"out", OPT_OUT, '>', "Output file"},
+
+ OPT_PROV_OPTIONS,
{NULL}
};
case OPT_OUT:
outfile = opt_arg();
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_RCID,
OPT_V_ENUM,
OPT_MD,
- OPT_MULTI
+ OPT_MULTI, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ocsp_options[] = {
{"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"},
OPT_V_OPTIONS,
+ OPT_PROV_OPTIONS,
{NULL}
};
multi = atoi(opt_arg());
# endif
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
if (trailing_md) {
OPT_IN,
OPT_NOVERIFY, OPT_QUIET, OPT_TABLE, OPT_REVERSE, OPT_APR1,
OPT_1, OPT_5, OPT_6, OPT_CRYPT, OPT_AIXMD5, OPT_SALT, OPT_STDIN,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS passwd_options[] = {
#endif
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"password", 0, 0, "Password text to digest (optional)"},
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME,
OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH,
OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS pkcs12_options[] = {
{"", OPT_CIPHER, '-', "Any supported cipher"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
{NULL}
};
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOOUT,
- OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_ENGINE
+ OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_ENGINE,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS pkcs7_options[] = {
{"print", OPT_PRINT, '-', "Print out all fields of the PKCS7 structure"},
{"print_certs", OPT_PRINT_CERTS, '-',
"Print_certs print any certs or crl in the input"},
+
+ OPT_PROV_OPTIONS,
{NULL}
};
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
#endif
OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT,
OPT_TRADITIONAL,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS pkcs8_options[] = {
#endif
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
{NULL}
};
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_TRADITIONAL:
traditional = 1;
break;
OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE,
OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB,
OPT_TEXT, OPT_NOOUT, OPT_MD, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK,
- OPT_EC_PARAM_ENC, OPT_EC_CONV_FORM
+ OPT_EC_PARAM_ENC, OPT_EC_CONV_FORM,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS pkey_options[] = {
{"text", OPT_TEXT, '-', "Output in plaintext as well"},
{"noout", OPT_NOOUT, '-', "Don't output the key"},
+ OPT_PROV_OPTIONS,
{NULL}
};
ec_asn1_flag = i;
break;
#endif
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_IN, OPT_OUT, OPT_TEXT, OPT_NOOUT,
- OPT_ENGINE, OPT_CHECK
+ OPT_ENGINE, OPT_CHECK,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS pkeyparam_options[] = {
{"out", OPT_OUT, '>', "Output file"},
{"text", OPT_TEXT, '-', "Print parameters as text"},
{"noout", OPT_NOOUT, '-', "Don't output encoded parameters"},
+
+ OPT_PROV_OPTIONS,
{NULL}
};
case OPT_CHECK:
check = 1;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF,
- OPT_KDFLEN, OPT_R_ENUM,
+ OPT_KDFLEN, OPT_R_ENUM, OPT_PROV_ENUM,
OPT_RAWIN, OPT_DIGEST
} OPTION_CHOICE;
{"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
{NULL}
};
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- OPT_HEX, OPT_GENERATE, OPT_BITS, OPT_SAFE, OPT_CHECKS
+ OPT_HEX, OPT_GENERATE, OPT_BITS, OPT_SAFE, OPT_CHECKS,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS prime_options[] = {
{"safe", OPT_SAFE, '-',
"When used with -generate, generate a safe prime"},
+ OPT_PROV_OPTIONS,
+
OPT_PARAMETERS(),
{"number", 0, 0, "Number(s) to check for primality if not generating"},
{NULL}
/* ignore parameter and argument */
opt_arg();
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_OUT, OPT_ENGINE, OPT_BASE64, OPT_HEX,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS rand_options[] = {
{"hex", OPT_HEX, '-', "Hex encode output"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"num", 0, 0, "Number of bytes to generate"},
case OPT_HEX:
format = FORMAT_TEXT;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- OPT_COMPAT, OPT_OLD, OPT_N, OPT_VERBOSE
+ OPT_COMPAT, OPT_OLD, OPT_N, OPT_VERBOSE,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS rehash_options[] = {
OPT_SECTION("Output"),
{"v", OPT_VERBOSE, '-', "Verbose output"},
+ OPT_PROV_OPTIONS,
+
OPT_PARAMETERS(),
{"directory", 0, 0, "One or more directories to process (optional)"},
{NULL}
case OPT_VERBOSE:
verbose = 1;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS,
OPT_REQEXTS, OPT_PRECERT, OPT_MD, OPT_SM2ID, OPT_SM2HEXID,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS req_options[] = {
{"modulus", OPT_MODULUS, '-', "RSA modulus"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
{NULL}
};
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_NEWKEY:
keyalg = opt_arg();
newreq = 1;
OPT_RSAPUBKEY_IN, OPT_RSAPUBKEY_OUT,
/* Do not change the order here; see case statements below */
OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG,
- OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER
+ OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS rsa_options[] = {
{"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
{"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
# endif
+
+ OPT_PROV_OPTIONS,
{NULL}
};
if (!opt_cipher(opt_unknown(), &enc))
goto opthelp;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_RSA_RAW, OPT_OAEP, OPT_SSL, OPT_PKCS, OPT_X931,
OPT_SIGN, OPT_VERIFY, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
OPT_PUBIN, OPT_CERTIN, OPT_INKEY, OPT_PASSIN, OPT_KEYFORM,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS rsautl_options[] = {
{"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
{NULL}
};
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
OPT_ENABLE_PHA,
OPT_SCTP_LABEL_BUG,
- OPT_R_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS s_client_options[] = {
{"chainCAfile", OPT_CHAINCAFILE, '<',
"CA file for certificate chain (PEM format)"},
OPT_X_OPTIONS,
+ OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"host:port", 0, 0, "Where to connect; same as -connect option"},
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_IGN_EOF:
c_ign_eof = 1;
break;
OPT_R_ENUM,
OPT_S_ENUM,
OPT_V_ENUM,
- OPT_X_ENUM
+ OPT_X_ENUM,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS s_server_options[] = {
{"chainCAfile", OPT_CHAINCAFILE, '<',
"CA file for certificate chain (PEM format)"},
OPT_X_OPTIONS,
+ OPT_PROV_OPTIONS,
{NULL}
};
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_SERVERNAME:
tlsextcbp.servername = opt_arg();
break;
OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_TIME, OPT_SSL3,
- OPT_WWW, OPT_TLS1, OPT_TLS1_1, OPT_TLS1_2, OPT_TLS1_3
+ OPT_WWW, OPT_TLS1, OPT_TLS1_1, OPT_TLS1_2, OPT_TLS1_3,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS s_time_options[] = {
{"no-CAstore", OPT_NOCASTORE, '-',
"Do not load certificates from the default certificates store URI"},
+ OPT_PROV_OPTIONS,
{NULL}
};
min_version = TLS1_3_VERSION;
max_version = TLS1_3_VERSION;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_MD,
OPT_CIPHER, OPT_INKEY, OPT_KEYFORM, OPT_CERTFILE, OPT_CAFILE,
OPT_CAPATH, OPT_CASTORE, OPT_NOCAFILE, OPT_NOCAPATH, OPT_NOCASTORE,
- OPT_R_ENUM,
+ OPT_R_ENUM, OPT_PROV_ENUM,
OPT_V_ENUM,
OPT_IN, OPT_INFORM, OPT_OUT,
OPT_OUTFORM, OPT_CONTENT
OPT_R_OPTIONS,
OPT_V_OPTIONS,
+ OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"cert", 0, 0, "Recipient certs, used when encrypting"},
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_ELAPSED, OPT_EVP, OPT_HMAC, OPT_DECRYPT, OPT_ENGINE, OPT_MULTI,
- OPT_MR, OPT_MB, OPT_MISALIGN, OPT_ASYNCJOBS, OPT_R_ENUM,
+ OPT_MR, OPT_MB, OPT_MISALIGN, OPT_ASYNCJOBS, OPT_R_ENUM, OPT_PROV_ENUM,
OPT_PRIMES, OPT_SECONDS, OPT_BYTES, OPT_AEAD, OPT_CMAC
} OPTION_CHOICE;
"Use specified offset to mis-align buffers"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"algorithm", 0, 0, "Algorithm(s) to test (optional; otherwise tests all)"},
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_PRIMES:
#ifndef OPENSSL_NO_DEPRECATED_3_0
if (!opt_int(opt_arg(), &primes))
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_NOOUT, OPT_PUBKEY, OPT_VERIFY, OPT_IN, OPT_OUT,
OPT_ENGINE, OPT_KEY, OPT_CHALLENGE, OPT_PASSIN, OPT_SPKAC,
- OPT_SPKSECT, OPT_KEYFORM
+ OPT_SPKSECT, OPT_KEYFORM,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS spkac_options[] = {
{"noout", OPT_NOOUT, '-', "Don't print SPKAC"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"verify", OPT_VERIFY, '-', "Verify SPKAC signature"},
+
+ OPT_PROV_OPTIONS,
{NULL}
};
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SRPVFILE, OPT_ADD,
OPT_DELETE, OPT_MODIFY, OPT_LIST, OPT_GN, OPT_USERINFO,
- OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE, OPT_R_ENUM
+ OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE, OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS srp_options[] = {
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
OPT_PARAMETERS(),
{"user", 0, 0, "Username(s) to process (optional)"},
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_SEARCHFOR_CERTS, OPT_SEARCHFOR_KEYS, OPT_SEARCHFOR_CRLS,
OPT_CRITERION_SUBJECT, OPT_CRITERION_ISSUER, OPT_CRITERION_SERIAL,
OPT_CRITERION_FINGERPRINT, OPT_CRITERION_ALIAS,
- OPT_MD
+ OPT_MD, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS storeutl_options[] = {
{"text", OPT_TEXT, '-', "Print a text form of the objects"},
{"noout", OPT_NOOUT, '-', "No PEM output, just status"},
+ OPT_PROV_OPTIONS,
+
OPT_PARAMETERS(),
{"uri", 0, 0, "URI of the store object"},
{NULL}
case OPT_MD:
if (!opt_md(opt_unknown(), &digest))
goto opthelp;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_IN, OPT_TOKEN_IN, OPT_OUT, OPT_TOKEN_OUT, OPT_TEXT,
OPT_REPLY, OPT_QUERYFILE, OPT_PASSIN, OPT_INKEY, OPT_SIGNER,
OPT_CHAIN, OPT_VERIFY, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_UNTRUSTED,
- OPT_MD, OPT_V_ENUM, OPT_R_ENUM
+ OPT_MD, OPT_V_ENUM, OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS ts_options[] = {
OPT_R_OPTIONS,
OPT_V_OPTIONS,
+ OPT_PROV_OPTIONS,
{NULL}
};
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_TSPOLICY:
policy = opt_arg();
break;
OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,
OPT_V_ENUM, OPT_NAMEOPT,
- OPT_VERBOSE, OPT_SM2ID, OPT_SM2HEXID
+ OPT_VERBOSE, OPT_SM2ID, OPT_SM2HEXID,
+ OPT_PROV_ENUM
} OPTION_CHOICE;
const OPTIONS verify_options[] = {
"Specify a hex ID string to verify an SM2 certificate"},
#endif
+ OPT_PROV_OPTIONS,
+
OPT_PARAMETERS(),
{"cert", 0, 0, "Certificate(s) to verify (optional; stdin used otherwise)"},
{NULL}
goto end;
}
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
}
}
argc = opt_num_rest();
OPT_SUBJECT_HASH_OLD,
OPT_ISSUER_HASH_OLD,
OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT, OPT_PRESERVE_DATES,
- OPT_R_ENUM, OPT_EXT
+ OPT_R_ENUM, OPT_PROV_ENUM, OPT_EXT
} OPTION_CHOICE;
const OPTIONS x509_options[] = {
"The CA key, must be PEM format; if not in CAfile"},
{"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"},
OPT_R_OPTIONS,
+ OPT_PROV_OPTIONS,
{"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
{"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format - default PEM"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
if (!opt_rand(o))
goto end;
break;
+ case OPT_PROV_CASES:
+ if (!opt_provider(o))
+ goto end;
+ break;
case OPT_EXTENSIONS:
extsect = opt_arg();
break;
#include <openssl/core.h>
#include <openssl/core_numbers.h>
#include <openssl/core_names.h>
+#include <openssl/provider.h>
#include <openssl/params.h>
#include <openssl/opensslv.h>
#include "crypto/cryptlib.h"
struct provider_store_st {
STACK_OF(OSSL_PROVIDER) *providers;
CRYPTO_RWLOCK *lock;
+ char *default_path;
unsigned int use_fallbacks:1;
};
if (store == NULL)
return;
+ OPENSSL_free(store->default_path);
sk_OSSL_PROVIDER_pop_free(store->providers, ossl_provider_free);
CRYPTO_THREAD_lock_free(store->lock);
OPENSSL_free(store);
*/
static const OSSL_DISPATCH *core_dispatch; /* Define further down */
+int OSSL_PROVIDER_set_default_search_path(OPENSSL_CTX *libctx, const char *path)
+{
+ struct provider_store_st *store;
+ char *p = NULL;
+
+ if (path != NULL) {
+ p = OPENSSL_strdup(path);
+ if (p == NULL) {
+ CRYPTOerr(0, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ }
+ if ((store = get_provider_store(libctx)) != NULL
+ && CRYPTO_THREAD_write_lock(store->lock)) {
+ OPENSSL_free(store->default_path);
+ store->default_path = p;
+ CRYPTO_THREAD_unlock(store->lock);
+ return 1;
+ }
+ OPENSSL_free(p);
+ return 0;
+}
+
/*
* Internal version that doesn't affect the store flags, and thereby avoid
* locking. Direct callers must remember to set the store flags when
char *allocated_path = NULL;
const char *module_path = NULL;
char *merged_path = NULL;
- const char *load_dir = ossl_safe_getenv("OPENSSL_MODULES");
+ const char *load_dir = NULL;
+ struct provider_store_st *store;
if ((prov->module = DSO_new()) == NULL) {
/* DSO_new() generates an error already */
return 0;
}
- if (load_dir == NULL)
- load_dir = MODULESDIR;
+ if ((store = get_provider_store(prov->libctx)) == NULL
+ || !CRYPTO_THREAD_read_lock(store->lock))
+ return 0;
+ load_dir = store->default_path;
+
+ if (load_dir == NULL) {
+ load_dir = ossl_safe_getenv("OPENSSL_MODULES");
+ if (load_dir == NULL)
+ load_dir = MODULESDIR;
+ }
DSO_ctrl(prov->module, DSO_CTRL_SET_FLAGS,
DSO_FLAG_NAME_TRANSLATION_EXT_ONLY, NULL);
DSO_convert_filename(prov->module, prov->name);
if (module_path != NULL)
merged_path = DSO_merge(prov->module, module_path, load_dir);
+ CRYPTO_THREAD_unlock(store->lock);
if (merged_path == NULL
|| (DSO_load(prov->module, merged_path, NULL, 0)) == NULL) {
[B<-sm2-hex-id> I<hex-string>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<certreq>...]
=for openssl ifdef engine sm2-id sm2-hex-id
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 CRL OPTIONS
[B<-stdname>]
[B<-convert> I<name>]
[B<-ciphersuites> I<val>]
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<cipherlist>]
=for openssl ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 psk srp
Print a usage message.
+{- $OpenSSL::safe::opt_provider_item -}
+
=item B<-s>
Only list supported ciphers: those consistent with the security level, and
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<cert.pem> ...]
=for openssl ifdef des-wrap engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=item I<cert.pem> ...
One or more certificates of message recipients: used when encrypting
[B<-nextupdate>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef hash_old
{- $OpenSSL::safe::opt_trust_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 EXAMPLES
[B<-out> I<filename>]
[B<-certfile> I<filename>]
[B<-nocrl>]
+{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
Normally a CRL is included in the output file. With this option no CRL is
included in the output file and a CRL is not read from the input file.
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 EXAMPLES
{- $OpenSSL::safe::opt_engine_synopsis -}
[B<-engine_impl> I<id>]
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<file> ...]
=head1 DESCRIPTION
When used with the B<-engine> option, it specifies to also use
engine I<id> for digest operations.
+{- $OpenSSL::safe::opt_provider_item -}
+
=item I<file> ...
File or files to digest. If no files are specified then standard input is
[B<-5>]
{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<numbits>]
=for openssl ifdef dsaparam engine
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 NOTES
[B<-pubin>]
[B<-pubout>]
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef pvk-string pvk-weak pvk-none engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 EXAMPLES
[B<-verbose>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<numbits>]
=head1 DESCRIPTION
I<numbits>. It must be the last option. If this option is included then
the input file (if any) is ignored.
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 SEE ALSO
[B<-no_public>]
[B<-check>]
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 EXAMPLES
[B<-genkey>]
{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 EXAMPLES
[B<-none>]
{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef z engine ciphers
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
{- $OpenSSL::safe::opt_engine_item -}
=back
[B<-verbose>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<paramfile>]
=for openssl ifdef engine
the size of the private key. DSA parameters can be generated and
examined using the L<openssl-dsaparam(1)> command.
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 NOTES
[B<-genparam>]
[B<-text>]
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 KEY GENERATION OPTIONS
[B<-verbose>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[B<numbits>]
=for openssl ifdef engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=item B<numbits>
The size of the private key to generate in bits. This must be the last option
[B<-keylen> I<num>]
[B<-out> I<filename>]
[B<-binary>]
+{- $OpenSSL::safe::opt_provider_synopsis -}
I<kdf_name>
=head1 DESCRIPTION
=back
+{- $OpenSSL::safe::opt_provider_item -}
+
=item I<kdf_name>
Specifies the name of a supported KDF algorithm which will be used.
[B<-disabled>]
[B<-objects>]
[B<-options> I<command>]
+{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
This is an internal option, used for checking that the documentation
is complete.
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head2 Display of algorithm names
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-binary>]
+{- $OpenSSL::safe::opt_provider_synopsis -}
I<mac_name>
=head1 DESCRIPTION
=back
+{- $OpenSSL::safe::opt_provider_item -}
+
=item I<mac_name>
Specifies the name of a supported MAC algorithm which will be used.
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-toseq>]
+{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
situation is reversed: a Netscape certificate sequence is created from
a file of certificates.
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 EXAMPLES
[B<-I<digest>>]
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_v_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef multi
{- $OpenSSL::safe::opt_v_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head2 OCSP Server Options
[B<-table>]
[B<-reverse>]
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<password>]
=for openssl ifdef crypt
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 EXAMPLES
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 NOTES
[B<-text>]
[B<-noout>]
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 EXAMPLES
[B<-scrypt_p> I<p>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine scrypt scrypt_N scrypt_r scrypt_p
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 NOTES
[B<-ec_conv_form> I<arg>]
[B<-ec_param_enc> I<arg>]
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 EXAMPLES
[B<-noout>]
[B<-check>]
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 EXAMPLES
{- $OpenSSL::safe::opt_engine_synopsis -}
[B<-engine_impl>]
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine engine_impl
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 NOTES
[B<-generate>]
[B<-bits> I<num>]
[B<-safe>]
+{- $OpenSSL::safe::opt_provider_synopsis -}
[B<-checks> I<num>]
[I<number> ...]
When used with B<-generate>, generates a "safe" prime. If the number
generated is I<n>, then check that C<(I<n>-1)/2> is also prime.
+{- $OpenSSL::safe::opt_provider_item -}
+
=item B<-checks> I<num>
This parameter is ignored.
[B<-hex>]
{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
I<num>
=for openssl ifdef engine
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 SEE ALSO
[B<-compat>]
[B<-n>]
[B<-v>]
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<directory>] ...
B<c_rehash>
[B<-old>]
[B<-n>]
[B<-v>]
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<directory>] ...
=head1 DESCRIPTION
Print messages about old links removed and new links created.
By default, this command only lists each directory as it is processed.
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 ENVIRONMENT
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine keygen_engine sm2-id sm2-hex-id
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 CONFIGURATION FILE FORMAT
[B<-RSAPublicKey_in>]
[B<-RSAPublicKey_out>]
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef pvk-strong pvk-weak pvk-none engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 EXAMPLES
[B<-asn1parse>]
{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 NOTES
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_s_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
[B<-ssl_client_engine> I<id>]
{- $OpenSSL::safe::opt_v_synopsis -}
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
{- $OpenSSL::safe::opt_engine_item -}
=item B<-ssl_client_engine> I<id>
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef unix 4 6 unlink no_dhe nextprotoneg use_srtp engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
{- $OpenSSL::safe::opt_v_item -}
If the server requests a client certificate, then
{- $OpenSSL::safe::opt_name_synopsis -}
[B<-cafile> I<file>]
{- $OpenSSL::safe::opt_trust_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3
{- $OpenSSL::safe::opt_trust_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=item B<-cafile> I<file>
This is an obsolete synonym for B<-CAfile>.
{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_v_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
I<cert.pem> ...
=for openssl ifdef engine
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=item I<cert.pem> ...
One or more certificates of message recipients, used when encrypting
[B<-mr>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<algorithm> ...]
=for openssl ifdef hmac cmac multi async_jobs engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=item I<algorithm> ...
If any I<algorithm> is given, then those algorithms are tested, otherwise a
[B<-noout>]
[B<-verify>]
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 EXAMPLES
[B<-passout> I<arg>]
{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<user> ...]
=for openssl ifdef engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
{- $OpenSSL::safe::opt_r_synopsis -}
=back
[B<-fingerprint> I<arg>]
[B<-I<digest>>]
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
I<uri> ...
=head1 DESCRIPTION
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head1 SEE ALSO
[B<-out> I<request.tsq>]
[B<-text>]
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
B<openssl> B<ts>
B<-reply>
[B<-token_out>]
[B<-text>]
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
B<openssl> B<ts>
B<-verify>
[B<-CApath> I<dir>]
[B<-CAstore> I<uri>]
{- $OpenSSL::safe::opt_v_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head2 Timestamp Response verification
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_v_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[B<-->]
[I<certificate> ...]
{- $OpenSSL::safe::opt_v_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=item B<-->
Indicates the last option. All arguments following this are assumed to be
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef engine subject_hash_old issuer_hash_old
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
=back
=head2 Display Options
=back
+=head2 Provider Options
+
+With the move to provider based cryptographic operations in OpenSSL 3.0,
+options were added to allow specific providers or sets of providers to be used.
+
+=over 4
+
+=item B<-provider> I<name>
+
+Use the provider identified by I<name> and use all the methods it
+implements (algorithms, key storage, etc.). This option can be specified
+multiple time to load more than one provider.
+
+=item B<-provider_path> I<path>
+
+Specify the search I<path> that is used to locate provider modules. The format
+of I<path> varies depending on the operating system being used.
+
+=back
+
=head2 Extended Verification Options
Sometimes there may be more than one certificate chain leading to an
=head1 NAME
+OSSL_PROVIDER_set_default_search_path,
OSSL_PROVIDER, OSSL_PROVIDER_load, OSSL_PROVIDER_unload,
OSSL_PROVIDER_available,
OSSL_PROVIDER_gettable_params, OSSL_PROVIDER_get_params,
typedef struct ossl_provider_st OSSL_PROVIDER;
+ void OSSL_PROVIDER_set_default_search_path(OPENSSL_CTX *libctx,
+ const char *path);
+
OSSL_PROVIDER *OSSL_PROVIDER_load(OPENSSL_CTX *libctx, const char *name);
int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov);
int OSSL_PROVIDER_available(OPENSSL_CTX *libctx, const char *name);
=head2 Functions
+OSSL_PROVIDER_set_default_search_path() specifies the default search B<path>
+that is to be used for looking for providers in the specified B<libctx>.
+If left unspecified, an environment variable and a fall back default value will
+be used instead.
+
OSSL_PROVIDER_add_builtin() is used to add a built in provider to
B<OSSL_PROVIDER> store in the given library context, by associating a
provider name with a provider initialization function.
. "\n"
. "See L<openssl(1)/Random State Options> for details.";
+# Provider options
+$OpenSSL::safe::opt_provider_synopsis = ""
+. "[B<-provider> I<name>]\n"
+. "[B<-provider_path> I<path>]";
+$OpenSSL::safe::opt_provider_item = ""
+. "=item B<-provider> I<name>\n"
+. "\n"
+. "=item B<-provider_path> I<path>\n"
+. "\n"
+. "See L<openssl(1)/Provider Options>.";
+
# Engine option
$OpenSSL::safe::opt_engine_synopsis = ""
. "[B<-engine> I<id>]";
extern "C" {
# endif
+/* Set the default provider search path */
+int OSSL_PROVIDER_set_default_search_path(OPENSSL_CTX *, const char *path);
+
/* Load and unload a provider */
OSSL_PROVIDER *OSSL_PROVIDER_load(OPENSSL_CTX *, const char *name);
int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov);
OSSL_SELF_TEST_onbegin ? 3_0_0 EXIST::FUNCTION:
OSSL_SELF_TEST_oncorrupt_byte ? 3_0_0 EXIST::FUNCTION:
OSSL_SELF_TEST_onend ? 3_0_0 EXIST::FUNCTION:
+OSSL_PROVIDER_set_default_search_path ? 3_0_0 EXIST::FUNCTION:
projects / oweals / openssl.git / commitdiff