Home Explore Help
Sign In
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 0
Files Issues 1 Wiki
Tree: bd0c71298a
Branches Tags
openssl
/
doc
/
man7
/
provider-object.pod

provider-object.pod 6.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194 
  1. =pod
    2. 

  2. 

  3. =head1 NAME
    4. 

  4. 

  5. provider-object - A specification for a provider-native object abstraction
    6. 

  6. 

  7. =head1 SYNOPSIS
    8. 

  8. 

  9. =for openssl multiple includes
    10. 

  10. 

  11.  #include <openssl/core_object.h>
    12. 

  12.  #include <openssl/core_names.h>
    13. 

  13. 

  14. =head1 DESCRIPTION
    15. 

  15. 

  16. The provider-native object abstraction is a set of L<OSSL_PARAM(3)> keys and
    17. 

  17. values that can be used to pass provider-native objects to OpenSSL library
    18. 

  18. code or between different provider operation implementations with the help
    19. 

  19. of OpenSSL library code.
    20. 

  20. 

  21. The intention is that certain provider-native operations can pass any sort
    22. 

  22. of object that belong with other operations, or with OpenSSL library code.
    23. 

  23. 

  24. An object may be passed in the following manners:
    25. 

  25. 

  26. =over 4
    27. 

  27. 

  28. =item 1.
    29. 

  29. 

  30. I<By value>
    31. 

  31. 

  32. This means that the I<object data> is passed as an octet string or an UTF8
    33. 

  33. string, which can be handled in diverse ways by other provided implementations.
    34. 

  34. The encoding of the object depends on the context it's used in; for example,
    35. 

  35. L<OSSL_DECODER(3)> allows multiple encodings, depending on existing decoders.
    36. 

  36. If central OpenSSL library functionality is to handle the data directly, it
    37. 

  37. B<must> be encoded in DER for all object types except for B<OSSL_OBJECT_NAME>
    38. 

  38. (see L</Parameter reference> below), where it's assumed to a plain UTF8 string.
    39. 

  39. 

  40. =for comment A future extension might be to be able to specify encoding as a
    41. 

  41. separate parameter.
    42. 

  42. 

  43. =item 2.
    44. 

  44. 

  45. I<By reference>
    46. 

  46. 

  47. This means that the I<object data> isn't passed directly, an I<object
    48. 

  48. reference> is passed instead.  It's an octet string that only the correct
    49. 

  49. provider understands correctly.
    50. 

  50. 

  51. =back
    52. 

  52. 

  53. Objects I<by value> can be used by anything that handles DER encoded
    54. 

  54. objects.
    55. 

  55. 

  56. Objects I<by reference> need a higher level of cooperation from the
    57. 

  57. implementation where the object originated (let's call it X) and its target
    58. 

  58. implementation (let's call it Y):
    59. 

  59. 

  60. =over 4
    61. 

  61. 

  62. =item 1.
    63. 

  63. 

  64. I<An object loading function in the target implementation>
    65. 

  65. 

  66. The target implementation (Y) may have a function that can take an I<object
    67. 

  67. reference>.  This can only be used if the target implementation is from the
    68. 

  68. same provider as the one originating the object abstraction in question (X).
    69. 

  69. 

  70. The exact target implementation to use is determined from the I<object type>
    71. 

  71. and possibly the I<object data type>.
    72. 

  72. For example, when the OpenSSL library receives an object abstraction with the
    73. 

  73. I<object type> B<OSSL_OBJECT_PKEY>, it will fetch a L<provider-keymgmt(7)>
    74. 

  74. using the I<object data type> as its key type (the second argument in
    75. 

  75. L<EVP_KEYMGMT_fetch(3)>).
    76. 

  76. 

  77. =item 2.
    78. 

  78. 

  79. I<An object exporter in the originating implementation>
    80. 

  80. 

  81. The originating implementation (X) may have an exporter function.  This
    82. 

  82. exporter function can be used to export the object in L<OSSL_PARAM(3)> form,
    83. 

  83. that can then be imported by the target implementation's imported function.
    84. 

  84. 

  85. This can be used when it's not possible to fetch the target implementation
    86. 

  86. (Y) from the same provider.
    87. 

  87. 

  88. =back
    89. 

  89. 

  90. =head2 Parameter reference
    91. 

  91. 

  92. A provider-native object abstraction is an L<OSSL_PARAM(3)> with a selection
    93. 

  93. of the following parameters:
    94. 

  94. 

  95. =over 4
    96. 

  96. 

  97. =item "data" (B<OSSL_OBJECT_PARAM_DATA>) <octet string> or <utf8 string>
    98. 

  98. 

  99. The object data I<passed by value>.
    100. 

  100. 

  101. =item "reference" (B<OSSL_OBJECT_PARAM_REFERENCE>) <octet string>
    102. 

  102. 

  103. The object data I<passed by reference>.
    104. 

  104. 

  105. =item "type" (B<OSSL_OBJECT_PARAM_TYPE>) <integer>
    106. 

  106. 

  107. The I<object type>, a number that may have any of the following values (all
    108. 

  108. defined in F<< <openssl/core_object.h> >>):
    109. 

  109. 

  110. =over 4
    111. 

  111. 

  112. =item B<OSSL_OBJECT_NAME>
    113. 

  113. 

  114. The object data may only be I<passed by value>, and should be a UTF8
    115. 

  115. string.
    116. 

  116. 

  117. This is useful for L<provider-storemgmt(7)> when a URI load results in new
    118. 

  118. URIs.
    119. 

  119. 

  120. =item B<OSSL_OBJECT_PKEY>
    121. 

  121. 

  122. The object data is suitable as provider-native B<EVP_PKEY> key data.  The
    123. 

  123. object data may be I<passed by value> or I<passed by reference>.
    124. 

  124. 

  125. =item B<OSSL_OBJECT_CERT>
    126. 

  126. 

  127. The object data is suitable as B<X509> data.  The object data for this
    128. 

  128. object type can only be I<passed by value>, and should be an octet string.
    129. 

  129. 

  130. Since there's no provider-native X.509 object, OpenSSL libraries that
    131. 

  131. receive this object abstraction are expected to convert the data to a
    132. 

  132. B<X509> object with d2i_X509().
    133. 

  133. 

  134. =item B<OSSL_OBJECT_CRL>
    135. 

  135. 

  136. The object data is suitable as B<X509_CRL> data.  The object data can
    137. 

  137. only be I<passed by value>, and should be an octet string.
    138. 

  138. 

  139. Since there's no provider-native X.509 CRL object, OpenSSL libraries that
    140. 

  140. receive this object abstraction are expected to convert the data to a
    141. 

  141. B<X509_CRL> object with d2i_X509_CRL().
    142. 

  142. 

  143. =back
    144. 

  144. 

  145. =item "data-type" (B<OSSL_OBJECT_PARAM_DATA_TYPE>) <utf8 string>
    146. 

  146. 

  147. The specific type of the object content.  Legitimate values depend on the
    148. 

  148. object type; if it is B<OSSL_OBJECT_PKEY>, the data type is expected to be a
    149. 

  149. key type suitable for fetching a L<provider-keymgmt(7)> that can handle the
    150. 

  150. data.
    151. 

  151. 

  152. =for comment For objects with an unknown object type (OSSL_OBJECT_PARAM_TYPE
    153. 

  153. is either missing or has the value OSSL_OBJECT_UNKNOWN), libcrypto
    154. 

  154. interprets the object data type as the input type for a decoder.
    155. 

  155. 

  156. =item "data-structure" (B<OSSL_OBJECT_PARAM_DATA_STRUCTURE>) <utf8 string>
    157. 

  157. 

  158. The outermost structure of the object content.  Legitimate values depend on
    159. 

  159. the object type.
    160. 

  160. 

  161. =item "desc" (B<OSSL_OBJECT_PARAM_DESC>) <utf8 string>
    162. 

  162. 

  163. A human readable text that describes extra details on the object.
    164. 

  164. 

  165. =back
    166. 

  166. 

  167. When a provider-native object abtraction is used, it I<must> contain object
    168. 

  168. data in at least one form (object data I<passed by value>, i.e. the "data"
    169. 

  169. item, or object data I<passed by reference>, i.e. the "reference" item).
    170. 

  170. Both may be present at once, in which case the OpenSSL library code that
    171. 

  171. receives this will use the most optimal variant.
    172. 

  172. 

  173. For objects with the object type B<OSSL_OBJECT_NAME>, that object type
    174. 

  174. I<must> be given.
    175. 

  175. 

  176. =head1 SEE ALSO
    177. 

  177. 

  178. L<provider(7)>, L<OSSL_DECODER(3)>
    179. 

  179. 

  180. =head1 HISTORY
    181. 

  181. 

  182. The concept of providers and everything surrounding them was
    183. 

  183. introduced in OpenSSL 3.0.
    184. 

  184. 

  185. =head1 COPYRIGHT
    186. 

  186. 

  187. Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
    188. 

  188. 

  189. Licensed under the Apache License 2.0 (the "License").  You may not use
    190. 

  190. this file except in compliance with the License.  You can obtain a copy
    191. 

  191. in the file LICENSE in the source distribution or at
    192. 

  192. L<https://www.openssl.org/source/license.html>.
    193. 

  193. 

  194. =cut
    195.