xref: /freebsd/crypto/openssl/doc/man7/provider-storemgmt.pod (revision 1719886f6d08408b834d270c59ffcfd821c8f63a)
1=pod
2
3=head1 NAME
4
5provider-storemgmt - The OSSL_STORE library E<lt>-E<gt> provider functions
6
7=head1 SYNOPSIS
8
9 #include <openssl/core_dispatch.h>
10
11 /*
12  * None of these are actual functions, but are displayed like this for
13  * the function signatures for functions that are offered as function
14  * pointers in OSSL_DISPATCH arrays.
15  */
16
17 void *OSSL_FUNC_store_open(void *provctx, const char *uri);
18 void *OSSL_FUNC_store_attach(void *provctx, OSSL_CORE_BIO *bio);
19 const OSSL_PARAM *store_settable_ctx_params(void *provctx);
20 int OSSL_FUNC_store_set_ctx_params(void *loaderctx, const OSSL_PARAM[]);
21 int OSSL_FUNC_store_load(void *loaderctx,
22                          OSSL_CALLBACK *object_cb, void *object_cbarg,
23                          OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg);
24 int OSSL_FUNC_store_eof(void *loaderctx);
25 int OSSL_FUNC_store_close(void *loaderctx);
26
27 int OSSL_FUNC_store_export_object
28     (void *loaderctx, const void *objref, size_t objref_sz,
29      OSSL_CALLBACK *export_cb, void *export_cbarg);
30
31=head1 DESCRIPTION
32
33The STORE operation is the provider side of the L<ossl_store(7)> API.
34
35The primary responsibility of the STORE operation is to load all sorts
36of objects from a container indicated by URI.  These objects are given
37to the OpenSSL library in provider-native object abstraction form (see
38L<provider-object(7)>).  The OpenSSL library is then responsible for
39passing on that abstraction to suitable provided functions.
40
41Examples of functions that the OpenSSL library can pass the abstraction to
42include OSSL_FUNC_keymgmt_load() (L<provider-keymgmt(7)>),
43OSSL_FUNC_store_export_object() (which exports the object in parameterized
44form).
45
46All "functions" mentioned here are passed as function pointers between
47F<libcrypto> and the provider in L<OSSL_DISPATCH(3)> arrays via
48L<OSSL_ALGORITHM(3)> arrays that are returned by the provider's
49provider_query_operation() function
50(see L<provider-base(7)/Provider Functions>).
51
52All these "functions" have a corresponding function type definition named
53B<OSSL_FUNC_{name}_fn>, and a helper function to retrieve the function pointer
54from a L<OSSL_DISPATCH(3)> element named B<OSSL_get_{name}>.
55For example, the "function" OSSL_FUNC_store_attach() has these:
56
57 typedef void *(OSSL_FUNC_store_attach_fn)(void *provctx,
58                                           OSSL_CORE_BIO * bio);
59 static ossl_inline OSSL_FUNC_store_attach_fn
60     OSSL_FUNC_store_attach(const OSSL_DISPATCH *opf);
61
62L<OSSL_DISPATCH(3)> arrays are indexed by numbers that are provided as macros
63in L<openssl-core_dispatch.h(7)>, as follows:
64
65 OSSL_FUNC_store_open                 OSSL_FUNC_STORE_OPEN
66 OSSL_FUNC_store_attach               OSSL_FUNC_STORE_ATTACH
67 OSSL_FUNC_store_settable_ctx_params  OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS
68 OSSL_FUNC_store_set_ctx_params       OSSL_FUNC_STORE_SET_CTX_PARAMS
69 OSSL_FUNC_store_load                 OSSL_FUNC_STORE_LOAD
70 OSSL_FUNC_store_eof                  OSSL_FUNC_STORE_EOF
71 OSSL_FUNC_store_close                OSSL_FUNC_STORE_CLOSE
72 OSSL_FUNC_store_export_object        OSSL_FUNC_STORE_EXPORT_OBJECT
73
74=head2 Functions
75
76OSSL_FUNC_store_open() should create a provider side context with data based
77on the input I<uri>.  The implementation is entirely responsible for the
78interpretation of the URI.
79
80OSSL_FUNC_store_attach() should create a provider side context with the core
81B<BIO> I<bio> attached.  This is an alternative to using a URI to find storage,
82supporting L<OSSL_STORE_attach(3)>.
83
84OSSL_FUNC_store_settable_ctx_params() should return a constant array of
85descriptor L<OSSL_PARAM(3)>, for parameters that OSSL_FUNC_store_set_ctx_params()
86can handle.
87
88OSSL_FUNC_store_set_ctx_params() should set additional parameters, such as what
89kind of data to expect, search criteria, and so on.  More on those below, in
90L</Load Parameters>.  Whether unrecognised parameters are an error or simply
91ignored is at the implementation's discretion.
92Passing NULL for I<params> should return true.
93
94OSSL_FUNC_store_load() loads the next object from the URI opened by
95OSSL_FUNC_store_open(), creates an object abstraction for it (see
96L<provider-object(7)>), and calls I<object_cb> with it as well as
97I<object_cbarg>.  I<object_cb> will then interpret the object abstraction
98and do what it can to wrap it or decode it into an OpenSSL structure.  In
99case a passphrase needs to be prompted to unlock an object, I<pw_cb> should
100be called.
101
102OSSL_FUNC_store_eof() indicates if the end of the set of objects from the
103URI has been reached.  When that happens, there's no point trying to do any
104further loading.
105
106OSSL_FUNC_store_close() frees the provider side context I<ctx>.
107
108When a provider-native object is created by a store manager it would be unsuitable
109for direct use with a foreign provider. The export function allows for
110exporting the object to that foreign provider if the foreign provider
111supports the type of the object and provides an import function.
112
113OSSL_FUNC_store_export_object() should export the object of size I<objref_sz>
114referenced by I<objref> as an L<OSSL_PARAM(3)> array and pass that to the
115I<export_cb> as well as the given I<export_cbarg>.
116
117=head2 Load Parameters
118
119=over 4
120
121=item "expect" (B<OSSL_STORE_PARAM_EXPECT>) <integer>
122
123Is a hint of what type of data the OpenSSL library expects to get.
124This is only useful for optimization, as the library will check that the
125object types match the expectation too.
126
127The number that can be given through this parameter is found in
128F<< <openssl/store.h> >>, with the macros having names starting with
129C<OSSL_STORE_INFO_>.  These are further described in
130L<OSSL_STORE_INFO(3)/SUPPORTED OBJECTS>.
131
132=item "subject" (B<OSSL_STORE_PARAM_SUBJECT>) <octet string>
133
134Indicates that the caller wants to search for an object with the given
135subject associated.  This can be used to select specific certificates
136by subject.
137
138The contents of the octet string is expected to be in DER form.
139
140=item "issuer" (B<OSSL_STORE_PARAM_ISSUER>) <octet string>
141
142Indicates that the caller wants to search for an object with the given
143issuer associated.  This can be used to select specific certificates
144by issuer.
145
146The contents of the octet string is expected to be in DER form.
147
148=item "serial" (B<OSSL_STORE_PARAM_SERIAL>) <integer>
149
150Indicates that the caller wants to search for an object with the given
151serial number associated.
152
153=item "digest" (B<OSSL_STORE_PARAM_DIGEST>) <UTF8 string>
154
155=item "fingerprint" (B<OSSL_STORE_PARAM_FINGERPRINT>) <octet string>
156
157Indicates that the caller wants to search for an object with the given
158fingerprint, computed with the given digest.
159
160=item "alias" (B<OSSL_STORE_PARAM_ALIAS>) <UTF8 string>
161
162Indicates that the caller wants to search for an object with the given
163alias (some call it a "friendly name").
164
165=item "properties" (B<OSSL_STORE_PARAM_PROPERTIES>) <utf8 string>
166
167Property string to use when querying for algorithms such as the B<OSSL_DECODER>
168decoder implementations.
169
170=item "input-type" (B<OSSL_STORE_PARAM_INPUT_TYPE>) <utf8 string>
171
172Type of the input format as a hint to use when decoding the objects in the
173store.
174
175=back
176
177Several of these search criteria may be combined.  For example, to
178search for a certificate by issuer+serial, both the "issuer" and the
179"serial" parameters will be given.
180
181=head1 SEE ALSO
182
183L<provider(7)>
184
185=head1 HISTORY
186
187The STORE interface was introduced in OpenSSL 3.0.
188
189=head1 COPYRIGHT
190
191Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
192
193Licensed under the Apache License 2.0 (the "License").  You may not use
194this file except in compliance with the License.  You can obtain a copy
195in the file LICENSE in the source distribution or at
196L<https://www.openssl.org/source/license.html>.
197
198=cut
199