xref: /freebsd/crypto/openssl/doc/man7/provider-keymgmt.pod (revision 4b15965daa99044daf184221b7c283bf7f2d7e66)
1=pod
2
3=head1 NAME
4
5provider-keymgmt - The KEYMGMT library E<lt>-E<gt> provider functions
6
7=head1 SYNOPSIS
8
9 #include <openssl/core_dispatch.h>
10
11 /*
12  * None of these are actual functions, but are displayed like this for
13  * the function signatures for functions that are offered as function
14  * pointers in OSSL_DISPATCH arrays.
15  */
16
17 /* Key object (keydata) creation and destruction */
18 void *OSSL_FUNC_keymgmt_new(void *provctx);
19 void OSSL_FUNC_keymgmt_free(void *keydata);
20
21 /* Generation, a more complex constructor */
22 void *OSSL_FUNC_keymgmt_gen_init(void *provctx, int selection,
23                                  const OSSL_PARAM params[]);
24 int OSSL_FUNC_keymgmt_gen_set_template(void *genctx, void *template);
25 int OSSL_FUNC_keymgmt_gen_get_params(void *genctx, OSSL_PARAM params[]);
26 int OSSL_FUNC_keymgmt_gen_set_params(void *genctx, const OSSL_PARAM params[]);
27 const OSSL_PARAM *OSSL_FUNC_keymgmt_gen_gettable_params(void *genctx,
28                                                         void *provctx);
29 const OSSL_PARAM *OSSL_FUNC_keymgmt_gen_settable_params(void *genctx,
30                                                         void *provctx);
31 void *OSSL_FUNC_keymgmt_gen(void *genctx, OSSL_CALLBACK *cb, void *cbarg);
32 void OSSL_FUNC_keymgmt_gen_cleanup(void *genctx);
33
34 /* Key loading by object reference, also a constructor */
35 void *OSSL_FUNC_keymgmt_load(const void *reference, size_t reference_sz);
36
37 /* Key object information */
38 int OSSL_FUNC_keymgmt_get_params(void *keydata, OSSL_PARAM params[]);
39 const OSSL_PARAM *OSSL_FUNC_keymgmt_gettable_params(void *provctx);
40 int OSSL_FUNC_keymgmt_set_params(void *keydata, const OSSL_PARAM params[]);
41 const OSSL_PARAM *OSSL_FUNC_keymgmt_settable_params(void *provctx);
42
43 /* Key object content checks */
44 int OSSL_FUNC_keymgmt_has(const void *keydata, int selection);
45 int OSSL_FUNC_keymgmt_match(const void *keydata1, const void *keydata2,
46                             int selection);
47
48 /* Discovery of supported operations */
49 const char *OSSL_FUNC_keymgmt_query_operation_name(int operation_id);
50
51 /* Key object import and export functions */
52 int OSSL_FUNC_keymgmt_import(void *keydata, int selection, const OSSL_PARAM params[]);
53 const OSSL_PARAM *OSSL_FUNC_keymgmt_import_types(int selection);
54 const OSSL_PARAM *OSSL_FUNC_keymgmt_import_types_ex(void *provctx, int selection);
55 int OSSL_FUNC_keymgmt_export(void *keydata, int selection,
56                              OSSL_CALLBACK *param_cb, void *cbarg);
57 const OSSL_PARAM *OSSL_FUNC_keymgmt_export_types(int selection);
58 const OSSL_PARAM *OSSL_FUNC_keymgmt_export_types_ex(void *provctx, int selection);
59
60 /* Key object duplication, a constructor */
61 void *OSSL_FUNC_keymgmt_dup(const void *keydata_from, int selection);
62
63 /* Key object validation */
64 int OSSL_FUNC_keymgmt_validate(const void *keydata, int selection, int checktype);
65
66=head1 DESCRIPTION
67
68The KEYMGMT operation doesn't have much public visibility in OpenSSL
69libraries; rather, it's an internal operation that's designed to work
70in tandem with operations that use private/public key pairs.
71
72Because the KEYMGMT operation shares knowledge with the operations it
73works with in tandem, they must belong to the same provider.
74The OpenSSL libraries will ensure that they do.
75
76The primary responsibility of the KEYMGMT operation is to hold the
77provider side key data for the OpenSSL library EVP_PKEY structure.
78
79All "functions" mentioned here are passed as function pointers between
80F<libcrypto> and the provider in L<OSSL_DISPATCH(3)> arrays via
81L<OSSL_ALGORITHM(3)> arrays that are returned by the provider's
82provider_query_operation() function
83(see L<provider-base(7)/Provider Functions>).
84
85All these "functions" have a corresponding function type definition
86named B<OSSL_FUNC_{name}_fn>, and a helper function to retrieve the
87function pointer from a L<OSSL_DISPATCH(3)> element named
88B<OSSL_FUNC_{name}>.
89For example, the "function" OSSL_FUNC_keymgmt_new() has these:
90
91 typedef void *(OSSL_FUNC_keymgmt_new_fn)(void *provctx);
92 static ossl_inline OSSL_FUNC_keymgmt_new_fn
93     OSSL_FUNC_keymgmt_new(const OSSL_DISPATCH *opf);
94
95L<OSSL_DISPATCH(3)> arrays are indexed by numbers that are provided as
96macros in L<openssl-core_dispatch.h(7)>, as follows:
97
98 OSSL_FUNC_keymgmt_new                  OSSL_FUNC_KEYMGMT_NEW
99 OSSL_FUNC_keymgmt_free                 OSSL_FUNC_KEYMGMT_FREE
100
101 OSSL_FUNC_keymgmt_gen_init             OSSL_FUNC_KEYMGMT_GEN_INIT
102 OSSL_FUNC_keymgmt_gen_set_template     OSSL_FUNC_KEYMGMT_GEN_SET_TEMPLATE
103 OSSL_FUNC_keymgmt_gen_get_params       OSSL_FUNC_KEYMGMT_GEN_GET_PARAMS
104 OSSL_FUNC_keymgmt_gen_gettable_params  OSSL_FUNC_KEYMGMT_GEN_GETTABLE_PARAMS
105 OSSL_FUNC_keymgmt_gen_set_params       OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS
106 OSSL_FUNC_keymgmt_gen_settable_params  OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS
107 OSSL_FUNC_keymgmt_gen                  OSSL_FUNC_KEYMGMT_GEN
108 OSSL_FUNC_keymgmt_gen_cleanup          OSSL_FUNC_KEYMGMT_GEN_CLEANUP
109
110 OSSL_FUNC_keymgmt_load                 OSSL_FUNC_KEYMGMT_LOAD
111
112 OSSL_FUNC_keymgmt_get_params           OSSL_FUNC_KEYMGMT_GET_PARAMS
113 OSSL_FUNC_keymgmt_gettable_params      OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS
114 OSSL_FUNC_keymgmt_set_params           OSSL_FUNC_KEYMGMT_SET_PARAMS
115 OSSL_FUNC_keymgmt_settable_params      OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS
116
117 OSSL_FUNC_keymgmt_query_operation_name OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME
118
119 OSSL_FUNC_keymgmt_has                  OSSL_FUNC_KEYMGMT_HAS
120 OSSL_FUNC_keymgmt_validate             OSSL_FUNC_KEYMGMT_VALIDATE
121 OSSL_FUNC_keymgmt_match                OSSL_FUNC_KEYMGMT_MATCH
122
123 OSSL_FUNC_keymgmt_import               OSSL_FUNC_KEYMGMT_IMPORT
124 OSSL_FUNC_keymgmt_import_types         OSSL_FUNC_KEYMGMT_IMPORT_TYPES
125 OSSL_FUNC_keymgmt_import_types_ex      OSSL_FUNC_KEYMGMT_IMPORT_TYPES_EX
126 OSSL_FUNC_keymgmt_export               OSSL_FUNC_KEYMGMT_EXPORT
127 OSSL_FUNC_keymgmt_export_types         OSSL_FUNC_KEYMGMT_EXPORT_TYPES
128 OSSL_FUNC_keymgmt_export_types_ex      OSSL_FUNC_KEYMGMT_EXPORT_TYPES_EX
129
130 OSSL_FUNC_keymgmt_dup                  OSSL_FUNC_KEYMGMT_DUP
131
132=head2 Key Objects
133
134A key object is a collection of data for an asymmetric key, and is
135represented as I<keydata> in this manual.
136
137The exact contents of a key object are defined by the provider, and it
138is assumed that different operations in one and the same provider use
139the exact same structure to represent this collection of data, so that
140for example, a key object that has been created using the KEYMGMT
141interface that we document here can be passed as is to other provider
142operations, such as OP_signature_sign_init() (see
143L<provider-signature(7)>).
144
145With some of the KEYMGMT functions, it's possible to select a specific
146subset of data to handle, governed by the bits in a I<selection>
147indicator.  The bits are:
148
149=over 4
150
151=item B<OSSL_KEYMGMT_SELECT_PRIVATE_KEY>
152
153Indicating that the private key data in a key object should be
154considered.
155
156=item B<OSSL_KEYMGMT_SELECT_PUBLIC_KEY>
157
158Indicating that the public key data in a key object should be
159considered.
160
161=item B<OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS>
162
163Indicating that the domain parameters in a key object should be
164considered.
165
166=item B<OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS>
167
168Indicating that other parameters in a key object should be
169considered.
170
171Other parameters are key parameters that don't fit any other
172classification.  In other words, this particular selector bit works as
173a last resort bit bucket selector.
174
175=back
176
177Some selector bits have also been combined for easier use:
178
179=over 4
180
181=item B<OSSL_KEYMGMT_SELECT_ALL_PARAMETERS>
182
183Indicating that all key object parameters should be considered,
184regardless of their more granular classification.
185
186=for comment This should be used by EVP functions such as
187EVP_PKEY_copy_parameters() and EVP_PKEY_parameters_eq()
188
189This is a combination of B<OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS> and
190B<OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS>.
191
192=for comment If more parameter categories are added, they should be
193mentioned here too.
194
195=item B<OSSL_KEYMGMT_SELECT_KEYPAIR>
196
197Indicating that the whole key pair in a key object should be
198considered, i.e. the combination of public and private key.
199
200This is a combination of B<OSSL_KEYMGMT_SELECT_PRIVATE_KEY> and
201B<OSSL_KEYMGMT_SELECT_PUBLIC_KEY>.
202
203=item B<OSSL_KEYMGMT_SELECT_ALL>
204
205Indicating that everything in a key object should be considered.
206
207=back
208
209The exact interpretation of those bits or how they combine is left to
210each function where you can specify a selector.
211
212It's left to the provider implementation to decide what is reasonable
213to do with regards to received selector bits and how to do it.
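214Among others, an implementation of OSSL_FUNC_keymgmt_match() might opt
215to not compare the private half if it has compared the public half,
216since a match of one half implies a match of the other half.  That shortcut assumes each key object is an internally consistent key pair, which is what OSSL_FUNC_keymgmt_validate() with B<OSSL_KEYMGMT_SELECT_KEYPAIR> is expected to check.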
217
218=head2 Constructing and Destructing Functions
219
220OSSL_FUNC_keymgmt_new() should create a provider side key object.  The
221provider context I<provctx> is passed and may be incorporated in the
222key object, but that is not mandatory.
223
224OSSL_FUNC_keymgmt_free() should free the passed I<keydata>.
225
226OSSL_FUNC_keymgmt_gen_init(), OSSL_FUNC_keymgmt_gen_set_template(),
227OSSL_FUNC_keymgmt_gen_get_params(), OSSL_FUNC_keymgmt_gen_gettable_params(),
228OSSL_FUNC_keymgmt_gen_set_params(), OSSL_FUNC_keymgmt_gen_settable_params(),
229OSSL_FUNC_keymgmt_gen() and OSSL_FUNC_keymgmt_gen_cleanup() work together as a
230more elaborate context based key object constructor.
231
232OSSL_FUNC_keymgmt_gen_init() should create the key object generation context
233and initialize it with I<selection>, which will determine what kind
234of contents the key object to be generated should get.
235The I<params>, if not NULL, should be set on the context in a manner similar to
236using OSSL_FUNC_keymgmt_set_params().
237
238OSSL_FUNC_keymgmt_gen_set_template() should add I<template> to the context
239I<genctx>.  The I<template> is assumed to be a key object constructed
240with the same KEYMGMT, and from which content that the implementation
241chooses can be used as a template for the key object to be generated.
242Typically, the generation of a DSA or DH key would get the domain
243parameters from this I<template>.
244
245OSSL_FUNC_keymgmt_gen_get_params() should retrieve parameters into
246I<params> from the key object generation context I<genctx>.
247
248OSSL_FUNC_keymgmt_gen_gettable_params() should return a constant array of
249descriptor L<OSSL_PARAM(3)>, for parameters that
250OSSL_FUNC_keymgmt_gen_get_params() can handle.
251
252OSSL_FUNC_keymgmt_gen_set_params() should set additional parameters from
253I<params> in the key object generation context I<genctx>.
254
255OSSL_FUNC_keymgmt_gen_settable_params() should return a constant array of
256descriptor L<OSSL_PARAM(3)>, for parameters that OSSL_FUNC_keymgmt_gen_set_params()
257can handle.
258
259OSSL_FUNC_keymgmt_gen() should perform the key object generation itself, and
260return the result.  The callback I<cb> should be called at regular
261intervals with indications on how the key object generation
262progresses.
263
264OSSL_FUNC_keymgmt_gen_cleanup() should clean up and free the key object
265generation context I<genctx>.
266
267OSSL_FUNC_keymgmt_load() creates a provider side key object based on a
268I<reference> object with a size of I<reference_sz> bytes, that only the
269provider knows how to interpret, but that may come from other operations.
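270Outside the provider, this reference is simply an array of bytes.  Because the reference arrives as opaque bytes, an implementation should check I<reference_sz> against the size it expects before interpreting I<reference>.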
271
272At least one of OSSL_FUNC_keymgmt_new(), OSSL_FUNC_keymgmt_gen() and
273OSSL_FUNC_keymgmt_load() is mandatory, as are OSSL_FUNC_keymgmt_free() and
274OSSL_FUNC_keymgmt_has(). Additionally, if OSSL_FUNC_keymgmt_gen() is present,
275OSSL_FUNC_keymgmt_gen_init() and OSSL_FUNC_keymgmt_gen_cleanup() must be
276present as well.
277
278=head2 Key Object Information Functions
279
280OSSL_FUNC_keymgmt_get_params() should extract information data associated
281with the given I<keydata>, see L</Common Information Parameters>.
282
283OSSL_FUNC_keymgmt_gettable_params() should return a constant array of
284descriptor L<OSSL_PARAM(3)>, for parameters that OSSL_FUNC_keymgmt_get_params()
285can handle.
286
287If OSSL_FUNC_keymgmt_gettable_params() is present, OSSL_FUNC_keymgmt_get_params()
288must also be present, and vice versa.
289
290OSSL_FUNC_keymgmt_set_params() should update information data associated
291with the given I<keydata>, see L</Common Information Parameters>.
292
293OSSL_FUNC_keymgmt_settable_params() should return a constant array of
294descriptor L<OSSL_PARAM(3)>, for parameters that OSSL_FUNC_keymgmt_set_params()
295can handle.
296
297If OSSL_FUNC_keymgmt_settable_params() is present, OSSL_FUNC_keymgmt_set_params()
298must also be present, and vice versa.
299
300=head2 Key Object Checking Functions
301
302OSSL_FUNC_keymgmt_query_operation_name() should return the name of the
303supported algorithm for the operation I<operation_id>.  This is
304similar to provider_query_operation() (see L<provider-base(7)>),
305but only works as an advisory.  If this function is not present, or
306returns NULL, the caller is free to assume that there's an algorithm
307from the same provider, of the same name as the one used to fetch the
308keymgmt and try to use that.
309
310OSSL_FUNC_keymgmt_has() should check whether the given I<keydata> contains the subsets
311of data indicated by the I<selection>.  A combination of several
312selector bits must consider all those subsets, not just one.  An
313implementation is, however, free to consider an empty subset of data
314to still be a valid subset.  For algorithms where some selection is
315not meaningful, such as B<OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS> for
316RSA keys, the function should just return 1, as the selected subset
317is not really missing in the key.
318
319OSSL_FUNC_keymgmt_validate() should check if the I<keydata> contains valid
320data subsets indicated by I<selection>.  Some combined selections of
321data subsets may cause validation of the combined data.
322For example, the combination of B<OSSL_KEYMGMT_SELECT_PRIVATE_KEY> and
323B<OSSL_KEYMGMT_SELECT_PUBLIC_KEY> (or B<OSSL_KEYMGMT_SELECT_KEYPAIR>
324for short) is expected to check that the pairwise consistency of
325I<keydata> is valid. The I<checktype> parameter controls what type of check is
326performed on the subset of data. Two types of check are defined:
327B<OSSL_KEYMGMT_VALIDATE_FULL_CHECK> and B<OSSL_KEYMGMT_VALIDATE_QUICK_CHECK>.
328The interpretation of how much checking is performed in a full check versus a
329quick check is key type specific. Some providers may have no distinction
330between a full check and a quick check. For algorithms where some selection is
331not meaningful, such as B<OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS> for
332RSA keys, the function should just return 1, as there is nothing to validate for
333that selection.
334
335OSSL_FUNC_keymgmt_match() should check if the data subset indicated by
336I<selection> in I<keydata1> and I<keydata2> match.  It is assumed that
337the caller has ensured that I<keydata1> and I<keydata2> are both owned
338by the implementation of this function.
339
340=head2 Key Object Import, Export and Duplication Functions
341
342OSSL_FUNC_keymgmt_import() should import data indicated by I<selection> into
343I<keydata> with values taken from the L<OSSL_PARAM(3)> array I<params>.
344
345OSSL_FUNC_keymgmt_export() should extract values indicated by I<selection>
346from I<keydata>, create an L<OSSL_PARAM(3)> array with them and call
347I<param_cb> with that array as well as the given I<cbarg>.
348
349OSSL_FUNC_keymgmt_import_types() and OSSL_FUNC_keymgmt_import_types_ex()
350should return a constant array of descriptor
351L<OSSL_PARAM(3)> for data indicated by I<selection>, for parameters that
352OSSL_FUNC_keymgmt_import() can handle.
353Either OSSL_FUNC_keymgmt_import_types() or OSSL_FUNC_keymgmt_import_types_ex()
354must be implemented.  If OSSL_FUNC_keymgmt_import_types_ex() is implemented, then
355it is preferred over OSSL_FUNC_keymgmt_import_types().
356Providers that are supposed to be backward compatible with OpenSSL 3.0 or 3.1
357must continue to implement OSSL_FUNC_keymgmt_import_types().
358
359OSSL_FUNC_keymgmt_export_types() and OSSL_FUNC_keymgmt_export_types_ex()
360should return a constant array of descriptor
361L<OSSL_PARAM(3)> for data indicated by I<selection>, that the
362OSSL_FUNC_keymgmt_export() callback can expect to receive.
363Either OSSL_FUNC_keymgmt_export_types() or OSSL_FUNC_keymgmt_export_types_ex()
364must be implemented.  If OSSL_FUNC_keymgmt_export_types_ex() is implemented, then
365it is preferred over OSSL_FUNC_keymgmt_export_types().
366Providers that are supposed to be backward compatible with OpenSSL 3.0 or 3.1
367must continue to implement OSSL_FUNC_keymgmt_export_types().
368
369OSSL_FUNC_keymgmt_dup() should duplicate data subsets indicated by
370I<selection> or the whole key data I<keydata_from> and create a new
371provider side key object with the data.
372
373=head2 Common Information Parameters
374
375See L<OSSL_PARAM(3)> for further details on the parameters structure.
376
377Common information parameters currently recognised by all built-in
378keymgmt algorithms are as follows:
379
380=over 4
381
382=item "bits" (B<OSSL_PKEY_PARAM_BITS>) <integer>
383
384The value should be the cryptographic length of the cryptosystem to
385which the key belongs, in bits.  The definition of cryptographic
386length is specific to the key cryptosystem.
387
388=item "max-size" (B<OSSL_PKEY_PARAM_MAX_SIZE>) <integer>
389
390The value should be the maximum size that a caller should allocate to
391safely store a signature (called I<sig> in L<provider-signature(7)>),
392the result of asymmetric encryption / decryption (I<out> in
393L<provider-asym_cipher(7)>), a derived secret (I<secret> in
394L<provider-keyexch(7)>), and similar data.
395
396Providers need to implement this parameter
397in order to properly support various use cases such as CMS signing.
398
399Because an EVP_KEYMGMT method is always tightly bound to another method
400(signature, asymmetric cipher, key exchange, ...) and must be of the
401same provider, this number only needs to be synchronised with the
402dimensions handled in the rest of the same provider.
403
404=item "security-bits" (B<OSSL_PKEY_PARAM_SECURITY_BITS>) <integer>
405
406The value should be the number of security bits of the given key.
407Bits of security is defined in SP800-57.
408
409=item "mandatory-digest" (B<OSSL_PKEY_PARAM_MANDATORY_DIGEST>) <UTF8 string>
410
411If there is a mandatory digest for performing a signature operation with
412keys from this keymgmt, this parameter should get its name as value.
413
414When EVP_PKEY_get_default_digest_name() queries this parameter and it's
415filled in by the implementation, its return value will be 2.
416
417If the keymgmt implementation fills in the value C<""> or C<"UNDEF">,
418L<EVP_PKEY_get_default_digest_name(3)> will place the string C<"UNDEF"> into
419its argument I<mdname>.  This signifies that no digest should be specified
420with the corresponding signature operation.
421
422=item "default-digest" (B<OSSL_PKEY_PARAM_DEFAULT_DIGEST>) <UTF8 string>
423
424If there is a default digest for performing a signature operation with
425keys from this keymgmt, this parameter should get its name as value.
426
427When L<EVP_PKEY_get_default_digest_name(3)> queries this parameter and it's
428filled in by the implementation, its return value will be 1.  Note that if
429B<OSSL_PKEY_PARAM_MANDATORY_DIGEST> is responded to as well,
430L<EVP_PKEY_get_default_digest_name(3)> ignores the response to this
431parameter.
432
433If the keymgmt implementation fills in the value C<""> or C<"UNDEF">,
434L<EVP_PKEY_get_default_digest_name(3)> will place the string C<"UNDEF"> into
435its argument I<mdname>.  This signifies that no digest has to be specified
436with the corresponding signature operation, but may be specified as an
437option.
438
439=back
440
441The OpenSSL FIPS provider also supports the following parameters:
442
443=over 4
444
445=item "fips-indicator" (B<OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR>) <integer>
446
447A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
448This may be used after calling the OSSL_FUNC_keymgmt_gen() function.  It may
449return 0 if either "key-check" or "sign-check" is set to 0.
450
451=item "key-check" (B<OSSL_PKEY_PARAM_FIPS_KEY_CHECK>) <integer>
452
453If required this parameter should be set using OSSL_FUNC_keymgmt_gen_set_params()
454or OSSL_FUNC_keymgmt_gen_init().
455The default value of 1 causes an error during the init if the key is not FIPS
456approved (e.g. the key has a security strength of less than 112 bits). Setting
457this to 0 will ignore the error and set the approved "fips-indicator" to 0.
458This option breaks FIPS compliance if it causes the approved "fips-indicator"
459to return 0.
460
461=item "sign-check" (B<OSSL_PKEY_PARAM_FIPS_SIGN_CHECK>) <integer>
462
463If required this parameter should be set before the OSSL_FUNC_keymgmt_gen()
464function. This value is not supported by all keygen algorithms.
465The default value of 1 will cause an error if the generated key is not
466allowed to be used for signing.
467Setting this to 0 will ignore the error and set the approved "fips-indicator" to 0.
468This option breaks FIPS compliance if it causes the approved "fips-indicator"
469to return 0.
470
471=back
472
473=head1 RETURN VALUES
474
475OSSL_FUNC_keymgmt_new() and OSSL_FUNC_keymgmt_dup() should return a valid
476reference to the newly created provider side key object, or NULL on failure.
477
478OSSL_FUNC_keymgmt_import(), OSSL_FUNC_keymgmt_export(), OSSL_FUNC_keymgmt_get_params() and
479OSSL_FUNC_keymgmt_set_params() should return 1 for success or 0 on error.
480
481OSSL_FUNC_keymgmt_validate() should return 1 on successful validation, or 0 on
482failure.
483
484OSSL_FUNC_keymgmt_has() should return 1 if all the selected data subsets are contained
485in the given I<keydata> or 0 otherwise.
486
487OSSL_FUNC_keymgmt_query_operation_name() should return a pointer to a string matching
488the requested operation, or NULL if the same name used to fetch the keymgmt
489applies.
490
491OSSL_FUNC_keymgmt_gettable_params(), OSSL_FUNC_keymgmt_settable_params(),
492OSSL_FUNC_keymgmt_import_types(), OSSL_FUNC_keymgmt_import_types_ex(),
493OSSL_FUNC_keymgmt_export_types() and OSSL_FUNC_keymgmt_export_types_ex()
494should
495always return a constant L<OSSL_PARAM(3)> array.
496
497=head1 SEE ALSO
498
499L<EVP_PKEY_get_size(3)>,
500L<EVP_PKEY_get_bits(3)>,
501L<EVP_PKEY_get_security_bits(3)>,
502L<provider(7)>,
503L<EVP_PKEY-X25519(7)>,
504L<EVP_PKEY-X448(7)>,
505L<EVP_PKEY-ED25519(7)>,
506L<EVP_PKEY-ED448(7)>,
507L<EVP_PKEY-EC(7)>,
508L<EVP_PKEY-RSA(7)>,
509L<EVP_PKEY-DSA(7)>,
510L<EVP_PKEY-DH(7)>,
511L<EVP_PKEY-ML-DSA(7)>,
512L<EVP_PKEY-ML-KEM(7)>,
513L<EVP_PKEY-SLH-DSA(7)>.
514
515=head1 HISTORY
516
517The KEYMGMT interface was introduced in OpenSSL 3.0.
518
519The functions OSSL_FUNC_keymgmt_import_types_ex() and OSSL_FUNC_keymgmt_export_types_ex()
520were added in OpenSSL 3.2.
521
522The functions OSSL_FUNC_keymgmt_gen_get_params() and
523OSSL_FUNC_keymgmt_gen_gettable_params() were added in OpenSSL 3.4.
524
525The parameters "sign-check" and "fips-indicator" were added in OpenSSL 3.4.
526
527Support for the B<ML-DSA>, B<ML-KEM> and B<SLH-DSA> algorithms was added in OpenSSL 3.5.
528
529=head1 COPYRIGHT
530
531Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
532
533Licensed under the Apache License 2.0 (the "License").  You may not use
534this file except in compliance with the License.  You can obtain a copy
535in the file LICENSE in the source distribution or at
536L<https://www.openssl.org/source/license.html>.
537
538=cut
539