Lines Matching +full:other +full:- +full:key

1 .\" -*- mode: troff; coding: utf-8 -*-
57 .IX Title "PROVIDER-KEYMGMT 7ossl"
58 .TH PROVIDER-KEYMGMT 7ossl 2025-07-01 3.5.1 OpenSSL
64 provider\-keymgmt \- The KEYMGMT library <\-> provider functions
76 \& /* Key object (keydata) creation and destruction */
93 \& /* Key loading by object reference, also a constructor */
96 \& /* Key object information */
102 \& /* Key object content checks */
110 \& /* Key object import and export functions */
119 \& /* Key object duplication, a constructor */
122 \& /* Key object validation */
129 in tandem with operations that use private/public key pairs.
136 provider side key data for the OpenSSL library EVP_PKEY structure.
142 (see "Provider Functions" in \fBprovider\-base\fR\|(7)).
157 macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
194 .SS "Key Objects"
195 .IX Subsection "Key Objects"
196 A key object is a collection of data for an asymmetric key, and is
199 The exact contents of a key object are defined by the provider, and it
202 for example, a key object that has been created using the KEYMGMT
203 interface that we document here can be passed as is to other provider
205 \&\fBprovider\-signature\fR\|(7)).
212 Indicating that the private key data in a key object should be
216 Indicating that the public key data in a key object should be
220 Indicating that the domain parameters in a key object should be
224 Indicating that other parameters in a key object should be
227 Other parameters are key parameters that don't fit any other
228 classification. In other words, this particular selector bit works as
234 Indicating that all key object parameters should be considered,
241 Indicating that the whole key pair in a key object should be
242 considered, i.e. the combination of public and private key.
248 Indicating that everything in a key object should be considered.
257 since a match of one half implies a match of the other half.
260 \&\fBOSSL_FUNC_keymgmt_new()\fR should create a provider side key object. The
270 more elaborate context based key object constructor.
272 \&\fBOSSL_FUNC_keymgmt_gen_init()\fR should create the key object generation context
274 of contents the key object to be generated should get.
279 \&\fIgenctx\fR. The \fItemplate\fR is assumed to be a key object constructed
281 chooses can be used as a template for the key object to be generated.
282 Typically, the generation of a DSA or DH key would get the domain
286 \&\fIparams\fR in the key object generation context \fIgenctx\fR.
293 \&\fIparams\fR in the key object generation context \fIgenctx\fR.
299 \&\fBOSSL_FUNC_keymgmt_gen()\fR should perform the key object generation itself, and
301 intervals with indications on how the key object generation
304 \&\fBOSSL_FUNC_keymgmt_gen_cleanup()\fR should clean up and free the key object
307 \&\fBOSSL_FUNC_keymgmt_load()\fR creates a provider side key object based on a
309 provider knows how to interpret, but that may come from other operations.
317 .SS "Key Object Information Functions"
318 .IX Subsection "Key Object Information Functions"
338 .SS "Key Object Checking Functions"
339 .IX Subsection "Key Object Checking Functions"
342 similar to \fBprovider_query_operation()\fR (see \fBprovider\-base\fR\|(7)),
355 is not really missing in the key.
367 quick check is key type specific. Some providers may have no distinction
377 .SS "Key Object Import, Export and Duplication Functions"
378 .IX Subsection "Key Object Import, Export and Duplication Functions"
407 \&\fIselection\fR or the whole key data \fIkeydata_from\fR and create a new
408 provider side key object with the data.
413 Common information parameters currently recognised by all built-in
418 which the key belongs, in bits. The definition of cryptographic
419 length is specific to the key cryptosystem.
420 .IP """max-size"" (\fBOSSL_PKEY_PARAM_MAX_SIZE\fR) <integer>" 4
421 .IX Item """max-size"" (OSSL_PKEY_PARAM_MAX_SIZE) <integer>"
423 safely store a signature (called \fIsig\fR in \fBprovider\-signature\fR\|(7)),
425 \&\fBprovider\-asym_cipher\fR\|(7), a derived secret (\fIsecret\fR in
426 \&\fBprovider\-keyexch\fR\|(7), and similar data).
432 (signature, asymmetric cipher, key exchange, ...) and must be of the
435 .IP """security-bits"" (\fBOSSL_PKEY_PARAM_SECURITY_BITS\fR) <integer>" 4
436 .IX Item """security-bits"" (OSSL_PKEY_PARAM_SECURITY_BITS) <integer>"
437 The value should be the number of security bits of the given key.
438 Bits of security is defined in SP800\-57.
439 .IP """mandatory-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4
440 .IX Item """mandatory-digest"" (OSSL_PKEY_PARAM_MANDATORY_DIGEST) <UTF8 string>"
451 .IP """default-digest"" (\fBOSSL_PKEY_PARAM_DEFAULT_DIGEST\fR) <UTF8 string>" 4
452 .IX Item """default-digest"" (OSSL_PKEY_PARAM_DEFAULT_DIGEST) <UTF8 string>"
469 .IP """fips-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
470 .IX Item """fips-indicator"" (OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
473 return 0 if either the "key-check", or "sign-check" are set to 0.
474 .IP """key-check"" (\fBOSSL_PKEY_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
475 .IX Item """key-check"" (OSSL_PKEY_PARAM_FIPS_KEY_CHECK) <integer>"
478 The default value of 1 causes an error during the init if the key is not FIPS
479 approved (e.g. the key has a security strength of less than 112 bits). Setting
480 this to 0 will ignore the error and set the approved "fips-indicator" to 0.
481 This option breaks FIPS compliance if it causes the approved "fips-indicator"
483 .IP """sign-check"" (\fBOSSL_PKEY_PARAM_FIPS_SIGN_CHECK\fR) <integer>" 4
484 .IX Item """sign-check"" (OSSL_PKEY_PARAM_FIPS_SIGN_CHECK) <integer>"
487 The default value of 1 will cause an error if the generated key is not
489 Setting this to 0 will ignore the error and set the approved "fips-indicator" to 0.
490 This option breaks FIPS compliance if it causes the approved "fips-indicator"
495 reference to the newly created provider side key object, or NULL on failure.
521 \&\fBEVP_PKEY\-X25519\fR\|(7),
522 \&\fBEVP_PKEY\-X448\fR\|(7),
523 \&\fBEVP_PKEY\-ED25519\fR\|(7),
524 \&\fBEVP_PKEY\-ED448\fR\|(7),
525 \&\fBEVP_PKEY\-EC\fR\|(7),
526 \&\fBEVP_PKEY\-RSA\fR\|(7),
527 \&\fBEVP_PKEY\-DSA\fR\|(7),
528 \&\fBEVP_PKEY\-DH\fR\|(7),
529 \&\fBEVP_PKEY\-ML\-DSA\fR\|(7),
530 \&\fBEVP_PKEY\-ML\-KEM\fR\|(7),
531 \&\fBEVP_PKEY\-SLH\-DSA\fR\|(7).
542 The parameters "sign-check" and "fips-indicator" were added in OpenSSL 3.4.
544 Support for the \fBML-DSA\fR, \fBML-KEM\fR and \fBSLH-DSA\fR algorithms was added in OpenSSL 3.5.
547 Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.