authorRichard Levitte <levitte@openssl.org>2019-07-05 00:31:42 +0200
committerRichard Levitte <levitte@openssl.org>2019-07-22 06:17:38 +0200
commita94a3e0d91378b5c478f687a0dbc51914d4ed497 (patch)
treea649885fc1d6560a2928c610d9adaaf4ec6dbfcc /crypto/include
parent7312ef3fc4a7d391272f3ba8075eabf81a229ad2 (diff)
Add basic EVP_KEYMGMT API and libcrypto <-> provider interface
The idea with the key management "operation" is to support the following set of functionality: - Key domain parameter generation - Key domain parameter import - Key domain parameter export - Key generation - Key import - Key export - Key loading (HSM / hidden key support) With that set of functions, we can support handling domain parameters on one provider, key handling on another, and key usage on a third, with transparent export / import of applicable data. Of course, if a provider doesn't offer export / import functionality, then all operations surrounding a key must be performed with the same provider. This method also avoids having to do anything special with legacy assignment of libcrypto key structures, i.e. EVP_PKEY_assign_RSA(). They will simply be used as keys to be exported from whenever they are used with provider based operations. This change only adds the EVP_KEYMGMT API and the libcrypto <-> provider interface. Further changes will integrate them into existing libcrypto functionality. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9312)
Diffstat (limited to 'crypto/include')
-rw-r--r--crypto/include/internal/evp_int.h22
1 files changed, 19 insertions, 3 deletions
diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h
index 71833fa49e..359d561342 100644
--- a/crypto/include/internal/evp_int.h
+++ b/crypto/include/internal/evp_int.h
@@ -504,9 +504,9 @@ typedef struct {
* method, as in, can it do arbitrary encryption....
*/
struct evp_pkey_st {
+ /* == Legacy attributes == */
int type;
int save_type;
- CRYPTO_REF_COUNT references;
const EVP_PKEY_ASN1_METHOD *ameth;
ENGINE *engine;
ENGINE *pmeth_engine; /* If not NULL public key ENGINE to use */
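Review bot: The new `/* == Legacy attributes == */` heading does not say what makes these members legacy, nor whether `type`, `save_type`, `ameth` and `engine` remain meaningful for a key that is only held through a provider, so a reader of this internal header cannot tell from the label alone which representation a given member belongs to. I would extend the heading to name the representation, e.g. `/* == Legacy attributes: libcrypto-native (ameth / ENGINE) key representation == */`, and add one line stating what a provider-only key is expected to leave in these members, since that is the invariant the later integration work will rely on. Moving `references` out of this section changes only the layout of an internal struct, so no compatibility concern is visible in this hunk. `struct evp_pkey_st` continues outside this hunk.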
@@ -526,9 +526,25 @@ struct evp_pkey_st {
ECX_KEY *ecx; /* X25519, X448, Ed25519, Ed448 */
# endif
} pkey;
- int save_parameters;
- STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
+
+ /* == Common attributes == */
+ CRYPTO_REF_COUNT references;
CRYPTO_RWLOCK *lock;
+ STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
+ int save_parameters;
+
+ /* == Provider attributes == */
+ /*
+ * To support transparent export/import between providers that
+ * support the methods for it, and still not having to do the
+ * export/import every time a key is used, we maintain a cache
+ * of imported key, indexed by provider address.
+ * pkeys[0] is *always* the "original" key.
+ */
+ struct {
+ EVP_KEYMGMT *keymgmt;
+ void *provkey;
+ } pkeys[10];
} /* EVP_PKEY */ ;