Lines Matching +full:other +full:- +full:key
5 provider-keymgmt - The KEYMGMT library E<lt>-E<gt> provider functions
17 /* Key object (keydata) creation and destruction */
34 /* Key loading by object reference, also a constructor */
37 /* Key object information */
43 /* Key object content checks */
51 /* Key object import and export functions */
60 /* Key object duplication, a constructor */
63 /* Key object validation */
70 in tandem with operations that use private/public key pairs.
77 provider side key data for the OpenSSL library EVP_PKEY structure.
83 (see L<provider-base(7)/Provider Functions>).
96 macros in L<openssl-core_dispatch.h(7)>, as follows:
132 =head2 Key Objects
134 A key object is a collection of data for an asymmetric key, and is
137 The exact contents of a key object are defined by the provider, and it
140 for example, a key object that has been created using the KEYMGMT
141 interface that we document here can be passed as is to other provider
143 L<provider-signature(7)>).
153 Indicating that the private key data in a key object should be
158 Indicating that the public key data in a key object should be
163 Indicating that the domain parameters in a key object should be
168 Indicating that other parameters in a key object should be
171 Other parameters are key parameters that don't fit any other
172 classification. In other words, this particular selector bit works as
183 Indicating that all key object parameters should be considered,
197 Indicating that the whole key pair in a key object should be
198 considered, i.e. the combination of public and private key.
205 Indicating that everything in a key object should be considered.
216 since a match of one half implies a match of the other half.
220 OSSL_FUNC_keymgmt_new() should create a provider side key object. The
222 key object, but that is not mandatory.
230 more elaborate context based key object constructor.
232 OSSL_FUNC_keymgmt_gen_init() should create the key object generation context
234 of contents the key object to be generated should get.
239 I<genctx>. The I<template> is assumed to be a key object constructed
241 chooses can be used as a template for the key object to be generated.
242 Typically, the generation of a DSA or DH key would get the domain
246 I<params> in the key object generation context I<genctx>.
253 I<params> in the key object generation context I<genctx>.
259 OSSL_FUNC_keymgmt_gen() should perform the key object generation itself, and
261 intervals with indications on how the key object generation
264 OSSL_FUNC_keymgmt_gen_cleanup() should clean up and free the key object
267 OSSL_FUNC_keymgmt_load() creates a provider side key object based on a
269 provider knows how to interpret, but that may come from other operations.
278 =head2 Key Object Information Functions
300 =head2 Key Object Checking Functions
304 similar to provider_query_operation() (see L<provider-base(7)>),
317 is not really missing in the key.
329 quick check is key type specific. Some providers may have no distinction
340 =head2 Key Object Import, Export and Duplication Functions
370 I<selection> or the whole key data I<keydata_from> and create a new
371 provider side key object with the data.
377 Common information parameters currently recognised by all built-in
385 which the key belongs, in bits. The definition of cryptographic
386 length is specific to the key cryptosystem.
388 =item "max-size" (B<OSSL_PKEY_PARAM_MAX_SIZE>) <integer>
391 safely store a signature (called I<sig> in L<provider-signature(7)>),
393 L<provider-asym_cipher(7)>, a derived secret (I<secret> in
394 L<provider-keyexch(7)>, and similar data).
400 (signature, asymmetric cipher, key exchange, ...) and must be of the
404 =item "security-bits" (B<OSSL_PKEY_PARAM_SECURITY_BITS>) <integer>
406 The value should be the number of security bits of the given key.
407 Bits of security is defined in SP800-57.
409 =item "mandatory-digest" (B<OSSL_PKEY_PARAM_MANDATORY_DIGEST>) <UTF8 string>
422 =item "default-digest" (B<OSSL_PKEY_PARAM_DEFAULT_DIGEST>) <UTF8 string>
445 =item "fips-indicator" (B<OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR>) <integer>
449 return 0 if either the "key-check", or "sign-check" are set to 0.
451 =item "key-check" (B<OSSL_PKEY_PARAM_FIPS_KEY_CHECK>) <integer>
455 The default value of 1 causes an error during the init if the key is not FIPS
456 approved (e.g. the key has a security strength of less than 112 bits). Setting
457 this to 0 will ignore the error and set the approved "fips-indicator" to 0.
458 This option breaks FIPS compliance if it causes the approved "fips-indicator"
461 =item "sign-check" (B<OSSL_PKEY_PARAM_FIPS_SIGN_CHECK>) <integer>
465 The default value of 1 will cause an error if the generated key is not
467 Setting this to 0 will ignore the error and set the approved "fips-indicator" to 0.
468 This option breaks FIPS compliance if it causes the approved "fips-indicator"
476 reference to the newly created provider side key object, or NULL on failure.
503 L<EVP_PKEY-X25519(7)>,
504 L<EVP_PKEY-X448(7)>,
505 L<EVP_PKEY-ED25519(7)>,
506 L<EVP_PKEY-ED448(7)>,
507 L<EVP_PKEY-EC(7)>,
508 L<EVP_PKEY-RSA(7)>,
509 L<EVP_PKEY-DSA(7)>,
510 L<EVP_PKEY-DH(7)>,
511 L<EVP_PKEY-ML-DSA(7)>,
512 L<EVP_PKEY-ML-KEM(7)>,
513 L<EVP_PKEY-SLH-DSA(7)>.
525 The parameters "sign-check" and "fips-indicator" were added in OpenSSL 3.4.
527 Support for the B<ML-DSA>, B<ML-KEM> and B<SLH-DSA> algorithms was added in OpenSSL 3.5.
531 Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.