diff options
| author | Tomas Mraz <tomas@openssl.org> | 2021-03-11 13:31:13 +0100 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2021-03-17 14:57:47 +0100 |
| commit | 9a4854405869158bd87ee90345b933815882a24d (patch) | |
| tree | 3bad42c70a66232ac69c0d9e2adcc41ed7b27c17 /doc | |
| parent | e08993eab65cdc67a3f2078e99f366c155eed49d (diff) | |
Make EVP_PKEY_missing_parameters work properly on provided RSA keys
This requires changing semantics of the keymgmt_has()
function a little in the sense that it now returns 1
if the selection has no meaning for the key type. It
was already doing so for ECX keys for example.
The keymgmt_validate function semantics is changed
similarly to allow passing validation on the same
selection that the key returns 1 for.
Fixes #14509
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14511)
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/man7/provider-keymgmt.pod | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod index fa901b2742..ce24cc485f 100644 --- a/doc/man7/provider-keymgmt.pod +++ b/doc/man7/provider-keymgmt.pod @@ -294,7 +294,10 @@ OSSL_FUNC_keymgmt_has() should check whether the given I<keydata> contains the s of data indicated by the I<selector>. A combination of several selector bits must consider all those subsets, not just one. An implementation is, however, free to consider an empty subset of data -to still be a valid subset. +to still be a valid subset. For algorithms where some selection is +not meaningful such as B<OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS> for +RSA keys the function should just return 1 as the selected subset +is not really missing in the key. OSSL_FUNC_keymgmt_validate() should check if the I<keydata> contains valid data subsets indicated by I<selection>. Some combined selections of @@ -307,7 +310,10 @@ performed on the subset of data. Two types of check are defined: B<OSSL_KEYMGMT_VALIDATE_FULL_CHECK> and B<OSSL_KEYMGMT_VALIDATE_QUICK_CHECK>. The interpretation of how much checking is performed in a full check versus a quick check is key type specific. Some providers may have no distinction -between a full check and a quick check. +between a full check and a quick check. For algorithms where some selection is +not meaningful such as B<OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS> for +RSA keys the function should just return 1 as there is nothing to validate for +that selection. OSSL_FUNC_keymgmt_match() should check if the data subset indicated by I<selection> in I<keydata1> and I<keydata2> match. It is assumed that |