1=pod 2 3=head1 NAME 4 5provider-encoder - The OSSL_ENCODER library E<lt>-E<gt> provider functions 6 7=head1 SYNOPSIS 8 9 #include <openssl/core_dispatch.h> 10 11 /* 12 * None of these are actual functions, but are displayed like this for 13 * the function signatures for functions that are offered as function 14 * pointers in OSSL_DISPATCH arrays. 15 */ 16 17 /* Encoder parameter accessor and descriptor */ 18 const OSSL_PARAM *OSSL_FUNC_encoder_gettable_params(void *provctx); 19 int OSSL_FUNC_encoder_get_params(OSSL_PARAM params[]); 20 21 /* Functions to construct / destruct / manipulate the encoder context */ 22 void *OSSL_FUNC_encoder_newctx(void *provctx); 23 void OSSL_FUNC_encoder_freectx(void *ctx); 24 int OSSL_FUNC_encoder_set_ctx_params(void *ctx, const OSSL_PARAM params[]); 25 const OSSL_PARAM *OSSL_FUNC_encoder_settable_ctx_params(void *provctx); 26 27 /* Functions to check selection support */ 28 int OSSL_FUNC_encoder_does_selection(void *provctx, int selection); 29 30 /* Functions to encode object data */ 31 int OSSL_FUNC_encoder_encode(void *ctx, OSSL_CORE_BIO *out, 32 const void *obj_raw, 33 const OSSL_PARAM obj_abstract[], 34 int selection, 35 OSSL_PASSPHRASE_CALLBACK *cb, 36 void *cbarg); 37 38 /* Functions to import and free a temporary object to be encoded */ 39 void *OSSL_FUNC_encoder_import_object(void *ctx, int selection, 40 const OSSL_PARAM params[]); 41 void OSSL_FUNC_encoder_free_object(void *obj); 42 43 44=head1 DESCRIPTION 45 46I<We use the wide term "encode" in this manual. This includes but is 47not limited to serialization.> 48 49The ENCODER operation is a generic method to encode a provider-native 50object (I<obj_raw>) or an object abstraction (I<object_abstract>, see 51L<provider-object(7)>) into an encoded form, and write the result to 52the given OSSL_CORE_BIO. If the caller wants to get the encoded 53stream to memory, it should provide a L<BIO_s_mem(3)> B<BIO>. 54 55The encoder doesn't need to know more about the B<OSSL_CORE_BIO> 56pointer than being able to pass it to the appropriate BIO upcalls (see 57L<provider-base(7)/Core functions>). 58 59The ENCODER implementation may be part of a chain, where data is 60passed from one to the next. For example, there may be an 61implementation to encode an object to DER (that object is assumed to 62be provider-native and thereby passed via I<obj_raw>), and another one 63that encodes DER to PEM (that one would receive the DER encoding via 64I<obj_abstract>). 65 66=begin comment 67 68Having the DER encoding passed via I<obj_abstract> may seem 69complicated. However, there may be associated meta-data, such as the 70original data type, that need to be passed alongside it, and since 71L<provider-object(7)> already defines a way to pass such data, 72inventing another way to do it makes things even more complicated. 73 74=end comment 75 76The encoding using the L<OSSL_PARAM(3)> array form allows a 77encoder to be used for data that's been exported from another 78provider, and thereby allow them to exist independently of each 79other. 80 81The encoding using a provider side object can only be safely used 82with provider data coming from the same provider, for example keys 83with the L<KEYMGMT|provider-keymgmt(7)> provider. 84 85All "functions" mentioned here are passed as function pointers between 86F<libcrypto> and the provider in L<OSSL_DISPATCH(3)> arrays via 87L<OSSL_ALGORITHM(3)> arrays that are returned by the provider's 88provider_query_operation() function 89(see L<provider-base(7)/Provider Functions>). 90 91All these "functions" have a corresponding function type definition 92named B<OSSL_FUNC_{name}_fn>, and a helper function to retrieve the 93function pointer from an L<OSSL_DISPATCH(3)> element named 94B<OSSL_FUNC_{name}>. 95For example, the "function" OSSL_FUNC_encoder_encode() has these: 96 97 typedef int 98 (OSSL_FUNC_encoder_encode_fn)(void *ctx, OSSL_CORE_BIO *out, 99 const void *obj_raw, 100 const OSSL_PARAM obj_abstract[], 101 int selection, 102 OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg); 103 static ossl_inline OSSL_FUNC_encoder_encode_fn 104 OSSL_FUNC_encoder_encode(const OSSL_DISPATCH *opf); 105 106L<OSSL_DISPATCH(3)> arrays are indexed by numbers that are provided as 107macros in L<openssl-core_dispatch.h(7)>, as follows: 108 109 OSSL_FUNC_encoder_get_params OSSL_FUNC_ENCODER_GET_PARAMS 110 OSSL_FUNC_encoder_gettable_params OSSL_FUNC_ENCODER_GETTABLE_PARAMS 111 112 OSSL_FUNC_encoder_newctx OSSL_FUNC_ENCODER_NEWCTX 113 OSSL_FUNC_encoder_freectx OSSL_FUNC_ENCODER_FREECTX 114 OSSL_FUNC_encoder_set_ctx_params OSSL_FUNC_ENCODER_SET_CTX_PARAMS 115 OSSL_FUNC_encoder_settable_ctx_params OSSL_FUNC_ENCODER_SETTABLE_CTX_PARAMS 116 117 OSSL_FUNC_encoder_does_selection OSSL_FUNC_ENCODER_DOES_SELECTION 118 119 OSSL_FUNC_encoder_encode OSSL_FUNC_ENCODER_ENCODE 120 121 OSSL_FUNC_encoder_import_object OSSL_FUNC_ENCODER_IMPORT_OBJECT 122 OSSL_FUNC_encoder_free_object OSSL_FUNC_ENCODER_FREE_OBJECT 123 124=head2 Names and properties 125 126The name of an implementation should match the type of object it handles. 127For example, an implementation that encodes an RSA key should be named "RSA". 128Likewise, an implementation that further encodes DER should be named "DER". 129 130Properties, as defined in the L<OSSL_ALGORITHM(3)> array element of each 131decoder implementation, can be used to further specify details about an 132implementation: 133 134=over 4 135 136=item output 137 138This property is used to specify what type of output the implementation 139produces. 140 141This property is I<mandatory>. 142 143OpenSSL providers recognize the following output types: 144 145=over 4 146 147=item text 148 149An implementation with that output type outputs human readable text, making 150that implementation suitable for C<-text> output in diverse L<openssl(1)> 151commands. 152 153=item pem 154 155An implementation with that output type outputs PEM formatted data. 156 157=item der 158 159An implementation with that output type outputs DER formatted data. 160 161=item msblob 162 163An implementation with that output type outputs MSBLOB formatted data. 164 165=item pvk 166 167An implementation with that output type outputs PVK formatted data. 168 169=back 170 171=item structure 172 173This property is used to specify the structure that is used for the encoded 174object. An example could be C<pkcs8>, to specify explicitly that an object 175(presumably an asymmetric key pair, in this case) will be wrapped in a 176PKCS#8 structure as part of the encoding. 177 178This property is I<optional>. 179 180=back 181 182The possible values of both these properties is open ended. A provider may 183very well specify output types and structures that libcrypto doesn't know 184anything about. 185 186=head2 Subset selections 187 188Sometimes, an object has more than one subset of data that is interesting to 189treat separately or together. It's possible to specify what subsets are to 190be encoded, with a set of bits I<selection> that are passed in an B<int>. 191 192This set of bits depend entirely on what kind of provider-side object is 193passed. For example, those bits are assumed to be the same as those used 194with L<provider-keymgmt(7)> (see L<provider-keymgmt(7)/Key Objects>) when 195the object is an asymmetric keypair. 196 197ENCODER implementations are free to regard the I<selection> as a set of 198hints, but must do so with care. In the end, the output must make sense, 199and if there's a corresponding decoder, the resulting decoded object must 200match the original object that was encoded. 201 202OSSL_FUNC_encoder_does_selection() should tell if a particular implementation 203supports any of the combinations given by I<selection>. 204 205=head2 Context functions 206 207OSSL_FUNC_encoder_newctx() returns a context to be used with the rest of 208the functions. 209 210OSSL_FUNC_encoder_freectx() frees the given I<ctx>, if it was created by 211OSSL_FUNC_encoder_newctx(). 212 213OSSL_FUNC_encoder_set_ctx_params() sets context data according to parameters 214from I<params> that it recognises. Unrecognised parameters should be 215ignored. 216Passing NULL for I<params> should return true. 217 218OSSL_FUNC_encoder_settable_ctx_params() returns a constant L<OSSL_PARAM(3)> 219array describing the parameters that OSSL_FUNC_encoder_set_ctx_params() 220can handle. 221 222See L<OSSL_PARAM(3)> for further details on the parameters structure used by 223OSSL_FUNC_encoder_set_ctx_params() and OSSL_FUNC_encoder_settable_ctx_params(). 224 225=head2 Import functions 226 227A provider-native object may be associated with a foreign provider, and may 228therefore be unsuitable for direct use with a given ENCODER implementation. 229Provided that the foreign provider's implementation to handle the object has 230a function to export that object in L<OSSL_PARAM(3)> array form, the ENCODER 231implementation should be able to import that array and create a suitable 232object to be passed to OSSL_FUNC_encoder_encode()'s I<obj_raw>. 233 234OSSL_FUNC_encoder_import_object() should import the subset of I<params> 235given with I<selection> to create a provider-native object that can be 236passed as I<obj_raw> to OSSL_FUNC_encoder_encode(). 237 238OSSL_FUNC_encoder_free_object() should free the object that was created with 239OSSL_FUNC_encoder_import_object(). 240 241=head2 Encoding functions 242 243OSSL_FUNC_encoder_encode() should take a provider-native object (in 244I<obj_raw>) or an object abstraction (in I<obj_abstract>), and should output 245the object in encoded form to the B<OSSL_CORE_BIO>. The I<selection> bits, 246if relevant, should determine in greater detail what will be output. 247The encoding functions also take an L<OSSL_PASSPHRASE_CALLBACK(3)> function 248pointer along with a pointer to application data I<cbarg>, which should be 249used when a pass phrase prompt is needed. 250 251=head2 Encoder operation parameters 252 253Operation parameters currently recognised by built-in encoders are as 254follows: 255 256=over 4 257 258=item "cipher" (B<OSSL_ENCODER_PARAM_CIPHER>) <UTF8 string> 259 260The name of the encryption cipher to be used when generating encrypted 261encoding. This is used when encoding private keys, as well as 262other objects that need protection. 263 264If this name is invalid for the encoding implementation, the 265implementation should refuse to perform the encoding, i.e. 266OSSL_FUNC_encoder_encode_data() and OSSL_FUNC_encoder_encode_object() 267should return an error. 268 269=item "properties" (B<OSSL_ENCODER_PARAM_PROPERTIES>) <UTF8 string> 270 271The properties to be queried when trying to fetch the algorithm given 272with the "cipher" parameter. 273This must be given together with the "cipher" parameter to be 274considered valid. 275 276The encoding implementation isn't obligated to use this value. 277However, it is recommended that implementations that do not handle 278property strings return an error on receiving this parameter unless 279its value NULL or the empty string. 280 281=item "save-parameters" (B<OSSL_ENCODER_PARAM_SAVE_PARAMETERS>) <integer> 282 283If set to 0 disables saving of key domain parameters. Default is 1. 284It currently has an effect only on DSA keys. 285 286=back 287 288Parameters currently recognised by the built-in pass phrase callback: 289 290=over 4 291 292=item "info" (B<OSSL_PASSPHRASE_PARAM_INFO>) <UTF8 string> 293 294A string of information that will become part of the pass phrase 295prompt. This could be used to give the user information on what kind 296of object it's being prompted for. 297 298=back 299 300=head1 RETURN VALUES 301 302OSSL_FUNC_encoder_newctx() returns a pointer to a context, or NULL on 303failure. 304 305OSSL_FUNC_encoder_set_ctx_params() returns 1, unless a recognised 306parameter was invalid or caused an error, for which 0 is returned. 307 308OSSL_FUNC_encoder_settable_ctx_params() returns a pointer to an array of 309constant L<OSSL_PARAM(3)> elements. 310 311OSSL_FUNC_encoder_does_selection() returns 1 if the encoder implementation 312supports any of the I<selection> bits, otherwise 0. 313 314OSSL_FUNC_encoder_encode() returns 1 on success, or 0 on failure. 315 316=head1 SEE ALSO 317 318L<provider(7)> 319 320=head1 HISTORY 321 322The ENCODER interface was introduced in OpenSSL 3.0. 323 324=head1 COPYRIGHT 325 326Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. 327 328Licensed under the Apache License 2.0 (the "License"). You may not use 329this file except in compliance with the License. You can obtain a copy 330in the file LICENSE in the source distribution or at 331L<https://www.openssl.org/source/license.html>. 332 333=cut 334