From 70a1f7b4d7a0611508f45ef884472b9d84cbe108 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sat, 6 Jul 2019 21:57:15 +0200 Subject: Add evp_keymgmt_export_to_provider(), for key transfer between providers This function is used to transport private key material from whatever is already attached to the EVP_PKEY to the new provider, using key data export and import functionality. If a legacy lower level key has been assigned to the EVP_PKEY, we use its data to create a provider side key, and thereby have a bridge between old style public key types and the EVP_PKEY on providers. If successful, this function returns a reference to the appropriate provider side data for the key. This can be used by any operation that wants to use this key. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9312) --- .../man3/evp_keymgmt_export_to_provider.pod | 50 ++++++++++++++++++++++ doc/man3/EVP_PKEY_ASN1_METHOD.pod | 10 +++++ 2 files changed, 60 insertions(+) create mode 100644 doc/internal/man3/evp_keymgmt_export_to_provider.pod (limited to 'doc') diff --git a/doc/internal/man3/evp_keymgmt_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_export_to_provider.pod new file mode 100644 index 0000000000..51234bd609 --- /dev/null +++ b/doc/internal/man3/evp_keymgmt_export_to_provider.pod 
@@ -0,0 +1,50 @@ +=pod + +=head1 NAME + +evp_keymgmt_export_to_provider - key material exporter to providers for EVP + +=head1 SYNOPSIS + + #include "internal/evp_int.h" + + void *evp_keymgmt_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); + +=head1 DESCRIPTION + +evp_keymgmt_export_to_provider() exports the key material from the +given key I to a provider via a B interface, if this +hasn't already been done. +It maintains a cache of provider key references in I to keep track +of all such exports. + +If I has an assigned legacy key, a check is done to see if any of +its key material has changed since last export, i.e. the legacy key's +is_dirty() method returns 1. +If it has, the cache of already exported keys is cleared, and a new +export is made with the new key material. + +=head1 RETURN VALUES + +evp_keymgmt_export_to_provider() returns a pointer to the newly +created provider side key, or NULL on error. + +=head1 NOTES + +"Legacy key" is the term used for any key that has been assigned to an +B with EVP_PKEY_assign_RSA() and similar functions. + +=head1 SEE ALSO + +L, L + +=head1 COPYRIGHT + +Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man3/EVP_PKEY_ASN1_METHOD.pod b/doc/man3/EVP_PKEY_ASN1_METHOD.pod index 1d89c38f29..ed44749cc2 100644 --- a/doc/man3/EVP_PKEY_ASN1_METHOD.pod +++ b/doc/man3/EVP_PKEY_ASN1_METHOD.pod 
@@ -361,6 +361,16 @@ public key data for an EVP_PKEY. They MUST return 0 on error, or 1 on success. They are called by L, and L respectively. + size_t (*dirty) (const EVP_PKEY *pk); + void *(*export_to) (const EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); + +dirty_cnt() returns the internal key's dirty count. +This can be used to synchronise different copies of the same keys. + +The export_to() method exports the key material from the given key to +a provider, through the L interface, if that provider +supports importing key material. + =head2 Functions EVP_PKEY_asn1_new() creates and returns a new B -- cgit v1.2.3
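Review bot: In the DESCRIPTION of the new doc/internal/man3/evp_keymgmt_export_to_provider.pod, the cache-invalidation rule is worded as "the legacy key's is_dirty() method returns 1", but the method this same patch adds to EVP_PKEY_ASN1_METHOD is `size_t (*dirty) (const EVP_PKEY *pk);`, which yields a count, not a boolean. Suggest rewording to the actual mechanism, for example "the legacy key's dirty count differs from the value recorded at the last export", so readers of the internal page understand the cache is keyed on the count and there is no flag that needs to be reset after an export. The RETURN VALUES section should also say what is returned when the target EVP_KEYMGMT cannot import key material at all (the EVP_PKEY_ASN1_METHOD hunk says the export only happens "if that provider supports importing key material"); if that case is also NULL, state it, since callers will otherwise not be able to tell "unsupported" from a failed export.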
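Review bot: In the doc/man3/EVP_PKEY_ASN1_METHOD.pod hunk, the prototype adds a member named `dirty` while the paragraph below documents it as `dirty_cnt()`; one of the two should be renamed so the page matches the struct. The description should also spell out the contract the count has to satisfy, because evp_keymgmt_export_to_provider() relies on it to decide when to throw away cached provider-side keys: an implementation must increase the value every time any of the key material is modified and must not reset it, otherwise a stale provider copy of a changed key can keep being used. For export_to(), the text "if that provider supports importing key material" leaves the unsupported case undocumented; add what the method returns then (presumably NULL) so that implementers of the ASN1 method and the caller in the new internal function agree on it.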