From da2addc515d547b0d724a4fc730c4345ed713221 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 22 Jul 2019 10:46:10 +0200 Subject: [PATCH] provider-keymgmt(7): Document the KEYMGMT interface Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9429) --- doc/man7/provider-keymgmt.pod | 178 ++++++++++++++++++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 doc/man7/provider-keymgmt.pod diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod new file mode 100644 index 0000000000..ed3deaae7b --- /dev/null +++ b/doc/man7/provider-keymgmt.pod @@ -0,0 +1,178 @@ +=pod + +=head1 NAME + +provider-keymgmt - The KEYMGMT library E-E provider functions + +=head1 SYNOPSIS + + #include + + /* + * None of these are actual functions, but are displayed like this for + * the function signatures for functions that are offered as function + * pointers in OSSL_DISPATCH arrays. + */ + + /* Key domain parameter creation and destruction */ + void *OP_keymgmt_importdomparams(void *provctx, const OSSL_PARAM params[]); + void *OP_keymgmt_gendomparams(void *provctx, const OSSL_PARAM params[]); + void OP_keymgmt_freedomparams(void *domparams); + + /* Key domain parameter export */ + int OP_keymgmt_exportdomparams(void *domparams, OSSL_PARAM params[]); + + /* Key domain parameter discovery */ + const OSSL_PARAM *OP_keymgmt_importdomparam_types(void); + const OSSL_PARAM *OP_keymgmt_exportdomparam_types(void); + + /* Key creation and destruction */ + void *OP_keymgmt_importkey(void *provctx, const OSSL_PARAM params[]); + void *OP_keymgmt_genkey(void *provctx, + void *domparams, const OSSL_PARAM genkeyparams[]); + void *OP_keymgmt_loadkey(void *provctx, void *id, size_t idlen); + void OP_keymgmt_freekey(void *key); + + /* Key export */ + int OP_keymgmt_exportkey(void *key, OSSL_PARAM params[]); + + /* Key discovery */ + const OSSL_PARAM *OP_keymgmt_importkey_types(void); + const OSSL_PARAM *OP_keymgmt_exportkey_types(void); + +=head1 DESCRIPTION + +The KEYMGMT operation doesn't have much public visibility in OpenSSL +libraries, it's rather an internal operation that's designed to work +in tandem with operations that use private/public key pairs. + +Because the KEYMGMT operation shares knowledge with the operations it +works with in tandem, they must belong to the same provider. +The OpenSSL libraries will ensure that they do. + +The primary responsibility of the KEYMGMT operation is to hold the +provider side domain parameters and keys for the OpenSSL library +EVP_PKEY structure. + +All "functions" mentioned here are passed as function pointers between +F and the provider in B arrays via +B arrays that are returned by the provider's +provider_query_operation() function +(see L). + +All these "functions" have a corresponding function type definition +named B, and a helper function to retrieve the +function pointer from a B element named +B. +For example, the "function" OP_keymgmt_importdomparams() has these: + + typedef void * + (OSSL_OP_keymgmt_importdomparams_fn)(void *provctx, + const OSSL_PARAM params[]); + static ossl_inline OSSL_NAME_keymgmt_importdomparams_fn + OSSL_get_OP_keymgmt_importdomparams(const OSSL_DISPATCH *opf); + +B arrays are indexed by numbers that are provided as +macros in L, as follows: + + OP_keymgmt_importdomparams OSSL_FUNC_KEYMGMT_IMPORTDOMPARAMS + OP_keymgmt_gendomparams OSSL_FUNC_KEYMGMT_GENDOMPARAMS + OP_keymgmt_freedomparams OSSL_FUNC_KEYMGMT_FREEDOMPARAMS + OP_keymgmt_exportdomparams OSSL_FUNC_KEYMGMT_EXPORTDOMPARAMS + OP_keymgmt_importdomparam_types OSSL_FUNC_KEYMGMT_IMPORTDOMPARAM_TYPES + OP_keymgmt_exportdomparam_types OSSL_FUNC_KEYMGMT_EXPORTDOMPARAM_TYPES + + OP_keymgmt_importkey OSSL_FUNC_KEYMGMT_IMPORTKEY + OP_keymgmt_genkey OSSL_FUNC_KEYMGMT_GENKEY + OP_keymgmt_loadkey OSSL_FUNC_KEYMGMT_LOADKEY + OP_keymgmt_freekey OSSL_FUNC_KEYMGMT_FREEKEY + OP_keymgmt_exportkey OSSL_FUNC_KEYMGMT_EXPORTKEY + OP_keymgmt_importkey_types OSSL_FUNC_KEYMGMT_IMPORTKEY_TYPES + OP_keymgmt_exportkey_types OSSL_FUNC_KEYMGMT_EXPORTKEY_TYPES + +=head2 Domain Parameter Functions + +OP_keymgmt_importdomparams() should create a provider side structure +for domain parameters, with values taken from the passed B +array I. + +OP_keymgmt_gendomparams() should generate domain parameters and create +a provider side structure for them. +Values of the passed B array I should be used as +input for parameter generation. + +OP_keymgmt_freedomparams() should free the passed provider side domain +parameter structure I. + +OP_keymgmt_exportdomparams() should extract values from the passed +provider side domain parameter structure I into the passed +B I. +Only the values specified in I should be extracted. + +OP_keymgmt_importdomparam_types() should return a constant array of +descriptor B, for parameters that OP_keymgmt_importdomparams() +can handle. + +=for comment There should be one corresponding to OP_keymgmt_gendomparams() +as well... + +OP_keymgmt_exportdomparam_types() should return a constant array of +descriptor B, for parameters that can be exported with +OP_keymgmt_exportdomparams(). + +=head2 Key functions + +OP_keymgmt_importkey() should create a provider side structure +for keys, with values taken from the passed B array +I. + +OP_keymgmt_genkey() should generate keys and create a provider side +structure for them. +Values from the passed domain parameters I as well as from +the passed B array I should be used as input for +key generation. + +OP_keymgmt_loadkey() should return a provider side key structure with +a key loaded from a location known only to the provider, identitified +with the identity I of size I. +This identity is internal to the provider and is retrieved from the +provider through other means. + +=for comment Right now, OP_keymgmt_loadkey is useless, but will be +useful as soon as we have a OSSL_STORE interface + +OP_keymgmt_freekey() should free the passed I. + +OP_keymgmt_exportkey() should extract values from the passed +provider side key I into the passed B I. +Only the values specified in I should be extracted. + +OP_keymgmt_importkey_types() should return a constant array of +descriptor B, for parameters that OP_keymgmt_importkey() +can handle. + +=for comment There should be one corresponding to OP_keymgmt_genkey() +as well... + +OP_keymgmt_exportkey_types() should return a constant array of +descriptor B, for parameters that can be exported with +OP_keymgmt_exportkeys(). + +=head1 SEE ALSO + +L + +=head1 HISTORY + +The KEYMGMT interface was introduced in OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut -- 2.25.1