provider-storemgmt.pod 6.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178
  1. =pod
  2. =head1 NAME
  3. provider-storemgmt - The OSSL_STORE library E<lt>-E<gt> provider functions
  4. =head1 SYNOPSIS
  5. #include <openssl/core_dispatch.h>
  6. /*
  7. * None of these are actual functions, but are displayed like this for
  8. * the function signatures for functions that are offered as function
  9. * pointers in OSSL_DISPATCH arrays.
  10. */
  11. void *OSSL_FUNC_store_open(void *provctx, const char *uri);
  12. void *OSSL_FUNC_store_attach(void *provctx, OSSL_CORE_BIO *bio);
  13. const OSSL_PARAM *store_settable_ctx_params(void *provctx);
  14. int OSSL_FUNC_store_set_ctx_params(void *loaderctx, const OSSL_PARAM[]);
  15. int OSSL_FUNC_store_load(void *loaderctx,
  16. OSSL_CALLBACK *object_cb, void *object_cbarg,
  17. OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg);
  18. int OSSL_FUNC_store_eof(void *loaderctx);
  19. int OSSL_FUNC_store_close(void *loaderctx);
  20. int OSSL_FUNC_store_export_object
  21. (void *loaderctx, const void *objref, size_t objref_sz,
  22. OSSL_CALLBACK *export_cb, void *export_cbarg);
  23. =head1 DESCRIPTION
  24. The STORE operation is the provider side of the L<ossl_store(7)> API.
  25. The primary responsibility of the STORE operation is to load all sorts
  26. of objects from a container indicated by URI. These objects are given
  27. to the OpenSSL library in provider-native object abstraction form (see
  28. L<provider-object(7)>). The OpenSSL library is then responsible for
  29. passing on that abstraction to suitable provided functions.
  30. Examples of functions that the OpenSSL library can pass the abstraction to
  31. include OSSL_FUNC_keymgmt_load() (L<provider-keymgmt(7)>),
  32. OSSL_FUNC_store_export_object() (which exports the object in parameterized
  33. form).
  34. All "functions" mentioned here are passed as function pointers between
  35. F<libcrypto> and the provider in B<OSSL_DISPATCH> arrays via
  36. B<OSSL_ALGORITHM> arrays that are returned by the provider's
  37. provider_query_operation() function
  38. (see L<provider-base(7)/Provider Functions>).
  39. All these "functions" have a corresponding function type definition named
  40. B<OSSL_{name}_fn>, and a helper function to retrieve the function pointer
  41. from a B<OSSL_DISPATCH> element named B<OSSL_get_{name}>.
  42. For example, the "function" OSSL_FUNC_store_load() has these:
  43. typedef void *(OSSL_OSSL_FUNC_store_load_fn)(void *provctx,
  44. const OSSL_PARAM params[]);
  45. static ossl_inline OSSL_OSSL_FUNC_store_load_fn
  46. OSSL_OSSL_FUNC_store_load(const OSSL_DISPATCH *opf);
  47. B<OSSL_DISPATCH> arrays are indexed by numbers that are provided as macros
  48. in L<openssl-core_dispatch.h(7)>, as follows:
  49. OSSL_FUNC_store_open OSSL_FUNC_STORE_OPEN
  50. OSSL_FUNC_store_attach OSSL_FUNC_STORE_ATTACH
  51. OSSL_FUNC_store_settable_ctx_params OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS
  52. OSSL_FUNC_store_set_ctx_params OSSL_FUNC_STORE_SET_CTX_PARAMS
  53. OSSL_FUNC_store_load OSSL_FUNC_STORE_LOAD
  54. OSSL_FUNC_store_eof OSSL_FUNC_STORE_EOF
  55. OSSL_FUNC_store_close OSSL_FUNC_STORE_CLOSE
  56. OSSL_FUNC_store_export_object OSSL_FUNC_STORE_EXPORT_OBJECT
  57. =head2 Functions
  58. OSSL_FUNC_store_open() should create a provider side context with data based
  59. on the input I<uri>. The implementation is entirely responsible for the
  60. interpretation of the URI.
  61. OSSL_FUNC_store_attach() should create a provider side context with the core
  62. B<BIO> I<bio> attached. This is an alternative to using a URI to find storage,
  63. supporting L<OSSL_STORE_attach(3)>.
  64. OSSL_FUNC_store_settable_ctx_params() should return a constant array of
  65. descriptor B<OSSL_PARAM>, for parameters that OSSL_FUNC_store_set_ctx_params()
  66. can handle.
  67. OSSL_FUNC_store_set_ctx_params() should set additional parameters, such as what
  68. kind of data to expect, search criteria, and so on. More on those below, in
  69. L</Load Parameters>. Whether unrecognised parameters are an error or simply
  70. ignored is at the implementation's discretion.
  71. OSSL_FUNC_store_load() loads the next object from the URI opened by
  72. OSSL_FUNC_store_open(), creates an object abstraction for it (see
  73. L<provider-object(7)>), and calls I<object_cb> with it as well as
  74. I<object_cbarg>. I<object_cb> will then interpret the object abstraction
  75. and do what it can to wrap it or decode it into an OpenSSL structure. In
  76. case a passphrase needs to be prompted to unlock an object, I<pw_cb> should
  77. be called.
  78. OSSL_FUNC_store_eof() indicates if the end of the set of objects from the
  79. URI has been reached. When that happens, there's no point trying to do any
  80. further loading.
  81. OSSL_FUNC_store_close() frees the provider side context I<ctx>.
  82. =head2 Load Parameters
  83. =over 4
  84. =item "expect" (B<OSSL_STORE_PARAM_EXPECT>) <integer>
  85. Is a hint of what type of data the OpenSSL library expects to get.
  86. This is only useful for optimization, as the library will check that the
  87. object types match the expectation too.
  88. The number that can be given through this parameter is found in
  89. F<< <openssl/store.h> >>, with the macros having names starting with
  90. C<OSSL_STORE_INFO_>. These are further described in
  91. L<OSSL_STORE_INFO(3)/SUPPORTED OBJECTS>.
  92. =item "subject" (B<OSSL_STORE_PARAM_SUBJECT>) <octet string>
  93. Indicates that the caller wants to search for an object with the given
  94. subject associated. This can be used to select specific certificates
  95. by subject.
  96. The contents of the octet string is expected to be in DER form.
  97. =item "issuer" (B<OSSL_STORE_PARAM_ISSUER>) <octet string>
  98. Indicates that the caller wants to search for an object with the given
  99. issuer associated. This can be used to select specific certificates
  100. by issuer.
  101. The contents of the octet string is expected to be in DER form.
  102. =item "serial" (B<OSSL_STORE_PARAM_SERIAL>) <integer>
  103. Indicates that the caller wants to search for an object with the given
  104. serial number associated.
  105. =item "digest" (B<OSSL_STORE_PARAM_DIGEST>) <utf8 string>
  106. =item "fingerprint" (B<OSSL_STORE_PARAM_FINGERPRINT>) <octet string>
  107. Indicates that the caller wants to search for an object with the given
  108. fingerprint, computed with the given digest.
  109. =item "alias" (B<OSSL_STORE_PARAM_ALIAS>) <utf8 string>
  110. Indicates that the caller wants to search for an object with the given
  111. alias (some call it a "friendly name").
  112. =back
  113. Several of these search criteria may be combined. For example, to
  114. search for a certificate by issuer+serial, both the "issuer" and the
  115. "serial" parameters will be given.
  116. =head1 SEE ALSO
  117. L<provider(7)>
  118. =head1 HISTORY
  119. The STORE interface was introduced in OpenSSL 3.0.
  120. =head1 COPYRIGHT
  121. Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
  122. Licensed under the Apache License 2.0 (the "License"). You may not use
  123. this file except in compliance with the License. You can obtain a copy
  124. in the file LICENSE in the source distribution or at
  125. L<https://www.openssl.org/source/license.html>.
  126. =cut