-*- mode: troff; coding: utf-8 -*-
Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)

Standard preamble:
========================================================================
..

..

.. \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
. ds C` "" . ds C' "" 'br\} . ds C` . ds C' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.

If the F register is >0, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.

Avoid warning from groff about undefined register 'F'.
.. .nr rF 0 . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF ========================================================================

Title "PROVIDER-SKEYMGMT 7ossl" For nroff, turn off justification. Always turn off hyphenation; it makes
way too many mistakes in technical documents.
provider-skeymgmt - The SKEYMGMT library <-> provider functions Header "SYNOPSIS" .Vb 1 #include <openssl/core_dispatch.h> \& /* * None of these are actual functions, but are displayed like this for * the function signatures for functions that are offered as function * pointers in OSSL_DISPATCH arrays. */ \& /* Key object destruction */ void OSSL_FUNC_skeymgmt_free(void *keydata); \& /* Key object import and export functions */ void *OSSL_FUNC_skeymgmt_import(void *provctx, int selection, const OSSL_PARAM params[]); int OSSL_FUNC_skeymgmt_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, void *cbarg); void *OSSL_FUNC_skeymgmt_generate(void *provctx, const OSSL_PARAM params[]); const OSSL_PARAM *OSSL_FUNC_skeymgmt_gen_settable_params(void *provctx); const OSSL_PARAM *OSSL_FUNC_skeymgmt_imp_settable_params(void *provctx); const char *OSSL_FUNC_skeymgmt_get_key_id(void *keydata); .Ve Header "DESCRIPTION" The SKEYMGMT operation doesn't have much public visibility in the OpenSSL libraries, rather it is an internal operation that is designed to work with operations that use opaque symmetric keys objects.

The SKEYMGMT operation shares knowledge with the operations it works with, therefore the SKEYMGMT and the algorithms which use it must belong to the same provider. The OpenSSL libraries will ensure that they do.

The primary responsibility of the SKEYMGMT operation is to hold the provider side key data for the OpenSSL library EVP_SKEY structure.

All "functions" mentioned here are passed as function pointers between \fIlibcrypto and the provider in OSSL_DISPATCH\|(3) arrays via \fBOSSL_ALGORITHM\|(3) arrays that are returned by the provider's \fBprovider_query_operation() function (see "Provider Functions" in provider-base\|(7)).

All these "functions" have a corresponding function type definition named OSSL_FUNC_{name}_fn, and a helper function to retrieve the function pointer from a OSSL_DISPATCH\|(3) element named \fBOSSL_FUNC_{name}.

\fBOSSL_DISPATCH\|(3) arrays are indexed by numbers that are provided as macros in openssl-core_dispatch.h\|(7), as follows:

.Vb 1 OSSL_FUNC_skeymgmt_free OSSL_FUNC_SKEYMGMT_FREE \& OSSL_FUNC_skeymgmt_import OSSL_FUNC_SKEYMGMT_IMPORT OSSL_FUNC_skeymgmt_export OSSL_FUNC_SKEYMGMT_EXPORT \& OSSL_FUNC_skeymgmt_generate OSSL_FUNC_SKEYMGMT_GENERATE \& OSSL_FUNC_skeymgmt_get_key_id OSSL_FUNC_SKEYMGMT_GET_KEY_ID OSSL_FUNC_skeymgmt_imp_settable_params OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS OSSL_FUNC_skeymgmt_gen_settable_params OSSL_FUNC_SKEYMGMT_GEN_SETTABLE_PARAMS .Ve

The SKEYMGMT management is inspired by KEYMGMT but is simpler.

Subsection "Key Objects" A key object is a collection of data for an symmetric key, and is represented as keydata in this manual.

The exact contents of a key object are defined by the provider, and it is assumed that different operations in one and the same provider use the exact same structure to represent this collection of data, so that for example, a key object that has been created using the SKEYMGMT interface can be passed as is to other algorithms from the same provider operations, such as OSSL_FUNC_mac_init_opaque() (see \fBprovider-mac\|(7)).

With the export SKEYMGMT function, it's possible to select a specific subset of data to handle, governed by the bits in a selection indicator. The bits are:

Item "OSSL_SKEYMGMT_SELECT_SECRET_KEY" Indicating that the secret key raw bytes in a key object should be included. Item "OSSL_SKEYMGMT_SELECT_PARAMETERS" Indicating that the parameters in a key object should be included.

Combined selector bits are also defined for easier use:

Item "OSSL_SKEYMGMT_SELECT_ALL" Indicating that everything in a key object should be included.

The exact interpretation of those bits or how they combine is left to each function where you can specify a selector.

Subsection "Destructing Function" \fBOSSL_FUNC_skeymgmt_free() should free the passed keydata. Subsection "Key Object Import and Export Functions" \fBOSSL_FUNC_skeymgmt_import() should import data into keydata with values taken from the OSSL_PARAM\|(3) array params. It allocates the keydata object (there is no separate allocation function).

\fBOSSL_FUNC_skeymgmt_imp_settable_params() returns a list of parameters that can be provided to the OSSL_FUNC_skeymgmt_import() function.

\fBOSSL_FUNC_skeymgmt_export() should extract values indicated by selection from keydata, create an OSSL_PARAM\|(3) array with them and call \fIparam_cb with that array as well as the given cbarg. The passed OSSL_PARAM\|(3) array is transient and is freed upon the return from param_cb.

Subsection "Key Object Generation Functions" \fBOSSL_FUNC_skeymgmt_generate() creates a new key according to the values taken from the OSSL_PARAM\|(3) array params. It allocates the keydata object.

\fBOSSL_FUNC_skeymgmt_gen_settable_params() returns a list of parameters that can be provided to the OSSL_FUNC_skeymgmt_generate() function.

Subsection "Key Object Information functions" \fBOSSL_FUNC_skeymgmt_get_key_id() returns a NUL-terminated string identifying the particular key. The returned string will be freed by a call to EVP_SKEY_free() so callers need to copy it themselves if they want to preserve the value past the key lifetime. The purpose of this function is providing a printable string that can help users to access the specific key. The content of this string is provider-specific. Subsection "Common Import and Export Parameters" See OSSL_PARAM\|(3) for further details on the parameters structure.

Common information parameters currently recognised by built-in skeymgmt algorithms are as follows:

Item """raw-bytes"" (SKEY_PARAM_RAW_BYTES) <octet string>" The value represents symmetric key as a byte array. Item """key-length"" (SKEY_PARAM_KEY_LENGTH) <integer>" The value is the byte length of the given key. Header "RETURN VALUES" \fBOSSL_FUNC_skeymgmt_import() and OSSL_FUNC_skeymgmt_generate() return a pointer to an allocated object on success and NULL on error.

\fBOSSL_FUNC_skeymgmt_export() returns 1 for success or 0 on error.

\fBOSSL_FUNC_skeymgmt_get_key_id() returns a pointer to a 0-terminated string or NULL.

\fBOSSL_FUNC_skeymgmt_gen_settable_params() and OSSL_FUNC_skeymgmt_imp_settable_params() return references to an array of OSSL_PARAM which can be NULL if there are no settable parameters.

Header "SEE ALSO" \fBprovider\|(7), EVP_SKEY\|(3), EVP_KEYMGMT\|(3) Header "HISTORY" The SKEYMGMT interface was introduced in OpenSSL 3.5. Header "COPYRIGHT" Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <https://www.openssl.org/source/license.html>.