xref: /openssl/doc/man7/provider-encoder.pod (revision 318a9dfa)
1=pod
2
3=head1 NAME
4
5provider-encoder - The OSSL_ENCODER library E<lt>-E<gt> provider functions
6
7=head1 SYNOPSIS
8
9 #include <openssl/core_dispatch.h>
10
11 /*
12  * None of these are actual functions, but are displayed like this for
13  * the function signatures for functions that are offered as function
14  * pointers in OSSL_DISPATCH arrays.
15  */
16
17 /* Encoder parameter accessor and descriptor */
18 const OSSL_PARAM *OSSL_FUNC_encoder_gettable_params(void *provctx);
19 int OSSL_FUNC_encoder_get_params(OSSL_PARAM params[]);
20
21 /* Functions to construct / destruct / manipulate the encoder context */
22 void *OSSL_FUNC_encoder_newctx(void *provctx);
23 void OSSL_FUNC_encoder_freectx(void *ctx);
24 int OSSL_FUNC_encoder_set_ctx_params(void *ctx, const OSSL_PARAM params[]);
25 const OSSL_PARAM *OSSL_FUNC_encoder_settable_ctx_params(void *provctx);
26
27 /* Functions to check selection support */
28 int OSSL_FUNC_encoder_does_selection(void *provctx, int selection);
29
30 /* Functions to encode object data */
31 int OSSL_FUNC_encoder_encode(void *ctx, OSSL_CORE_BIO *out,
32                              const void *obj_raw,
33                              const OSSL_PARAM obj_abstract[],
34                              int selection,
35                              OSSL_PASSPHRASE_CALLBACK *cb,
36                              void *cbarg);
37
38 /* Functions to import and free a temporary object to be encoded */
39 void *OSSL_FUNC_encoder_import_object(void *ctx, int selection,
40                                       const OSSL_PARAM params[]);
41 void OSSL_FUNC_encoder_free_object(void *obj);
42
43
44=head1 DESCRIPTION
45
46I<We use the wide term "encode" in this manual.  This includes but is
47not limited to serialization.>
48
49The ENCODER operation is a generic method to encode a provider-native
50object (I<obj_raw>) or an object abstraction (I<object_abstract>, see
51L<provider-object(7)>) into an encoded form, and write the result to
52the given OSSL_CORE_BIO.  If the caller wants to get the encoded
53stream to memory, it should provide a L<BIO_s_mem(3)> B<BIO>.
54
55The encoder doesn't need to know more about the B<OSSL_CORE_BIO>
56pointer than being able to pass it to the appropriate BIO upcalls (see
57L<provider-base(7)/Core functions>).
58
59The ENCODER implementation may be part of a chain, where data is
60passed from one to the next.  For example, there may be an
61implementation to encode an object to DER (that object is assumed to
62be provider-native and thereby passed via I<obj_raw>), and another one
63that encodes DER to PEM (that one would receive the DER encoding via
64I<obj_abstract>).
65
66=begin comment
67
68Having the DER encoding passed via I<obj_abstract> may seem
69complicated.  However, there may be associated meta-data, such as the
70original data type, that need to be passed alongside it, and since
71L<provider-object(7)> already defines a way to pass such data,
72inventing another way to do it makes things even more complicated.
73
74=end comment
75
76The encoding using the L<OSSL_PARAM(3)> array form allows a
77encoder to be used for data that's been exported from another
78provider, and thereby allow them to exist independently of each
79other.
80
81The encoding using a provider side object can only be safely used
82with provider data coming from the same provider, for example keys
83with the L<KEYMGMT|provider-keymgmt(7)> provider.
84
85All "functions" mentioned here are passed as function pointers between
86F<libcrypto> and the provider in L<OSSL_DISPATCH(3)> arrays via
87L<OSSL_ALGORITHM(3)> arrays that are returned by the provider's
88provider_query_operation() function
89(see L<provider-base(7)/Provider Functions>).
90
91All these "functions" have a corresponding function type definition
92named B<OSSL_FUNC_{name}_fn>, and a helper function to retrieve the
93function pointer from an L<OSSL_DISPATCH(3)> element named
94B<OSSL_FUNC_{name}>.
95For example, the "function" OSSL_FUNC_encoder_encode() has these:
96
97 typedef int
98     (OSSL_FUNC_encoder_encode_fn)(void *ctx, OSSL_CORE_BIO *out,
99                                   const void *obj_raw,
100                                   const OSSL_PARAM obj_abstract[],
101                                   int selection,
102                                   OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg);
103 static ossl_inline OSSL_FUNC_encoder_encode_fn
104     OSSL_FUNC_encoder_encode(const OSSL_DISPATCH *opf);
105
106L<OSSL_DISPATCH(3)> arrays are indexed by numbers that are provided as
107macros in L<openssl-core_dispatch.h(7)>, as follows:
108
109 OSSL_FUNC_encoder_get_params          OSSL_FUNC_ENCODER_GET_PARAMS
110 OSSL_FUNC_encoder_gettable_params     OSSL_FUNC_ENCODER_GETTABLE_PARAMS
111
112 OSSL_FUNC_encoder_newctx              OSSL_FUNC_ENCODER_NEWCTX
113 OSSL_FUNC_encoder_freectx             OSSL_FUNC_ENCODER_FREECTX
114 OSSL_FUNC_encoder_set_ctx_params      OSSL_FUNC_ENCODER_SET_CTX_PARAMS
115 OSSL_FUNC_encoder_settable_ctx_params OSSL_FUNC_ENCODER_SETTABLE_CTX_PARAMS
116
117 OSSL_FUNC_encoder_does_selection      OSSL_FUNC_ENCODER_DOES_SELECTION
118
119 OSSL_FUNC_encoder_encode              OSSL_FUNC_ENCODER_ENCODE
120
121 OSSL_FUNC_encoder_import_object       OSSL_FUNC_ENCODER_IMPORT_OBJECT
122 OSSL_FUNC_encoder_free_object         OSSL_FUNC_ENCODER_FREE_OBJECT
123
124=head2 Names and properties
125
126The name of an implementation should match the type of object it handles.
127For example, an implementation that encodes an RSA key should be named "RSA".
128Likewise, an implementation that further encodes DER should be named "DER".
129
130Properties can be used to further specify details about an implementation:
131
132=over 4
133
134=item output
135
136This property is used to specify what type of output the implementation
137produces.
138
139This property is I<mandatory>.
140
141OpenSSL providers recognize the following output types:
142
143=over 4
144
145=item text
146
147An implementation with that output type outputs human readable text, making
148that implementation suitable for C<-text> output in diverse L<openssl(1)>
149commands.
150
151=item pem
152
153An implementation with that output type outputs PEM formatted data.
154
155=item der
156
157An implementation with that output type outputs DER formatted data.
158
159=item msblob
160
161An implementation with that output type outputs MSBLOB formatted data.
162
163=item pvk
164
165An implementation with that output type outputs PVK formatted data.
166
167=back
168
169=item structure
170
171This property is used to specify the structure that is used for the encoded
172object.  An example could be C<pkcs8>, to specify explicitly that an object
173(presumably an asymmetric key pair, in this case) will be wrapped in a
174PKCS#8 structure as part of the encoding.
175
176This property is I<optional>.
177
178=back
179
180The possible values of both these properties is open ended.  A provider may
181very well specify output types and structures that libcrypto doesn't know
182anything about.
183
184=head2 Subset selections
185
186Sometimes, an object has more than one subset of data that is interesting to
187treat separately or together.  It's possible to specify what subsets are to
188be encoded, with a set of bits I<selection> that are passed in an B<int>.
189
190This set of bits depend entirely on what kind of provider-side object is
191passed.  For example, those bits are assumed to be the same as those used
192with L<provider-keymgmt(7)> (see L<provider-keymgmt(7)/Key Objects>) when
193the object is an asymmetric keypair.
194
195ENCODER implementations are free to regard the I<selection> as a set of
196hints, but must do so with care.  In the end, the output must make sense,
197and if there's a corresponding decoder, the resulting decoded object must
198match the original object that was encoded.
199
200OSSL_FUNC_encoder_does_selection() should tell if a particular implementation
201supports any of the combinations given by I<selection>.
202
203=head2 Context functions
204
205OSSL_FUNC_encoder_newctx() returns a context to be used with the rest of
206the functions.
207
208OSSL_FUNC_encoder_freectx() frees the given I<ctx>, if it was created by
209OSSL_FUNC_encoder_newctx().
210
211OSSL_FUNC_encoder_set_ctx_params() sets context data according to parameters
212from I<params> that it recognises.  Unrecognised parameters should be
213ignored.
214Passing NULL for I<params> should return true.
215
216OSSL_FUNC_encoder_settable_ctx_params() returns a constant L<OSSL_PARAM(3)>
217array describing the parameters that OSSL_FUNC_encoder_set_ctx_params()
218can handle.
219
220See L<OSSL_PARAM(3)> for further details on the parameters structure used by
221OSSL_FUNC_encoder_set_ctx_params() and OSSL_FUNC_encoder_settable_ctx_params().
222
223=head2 Import functions
224
225A provider-native object may be associated with a foreign provider, and may
226therefore be unsuitable for direct use with a given ENCODER implementation.
227Provided that the foreign provider's implementation to handle the object has
228a function to export that object in L<OSSL_PARAM(3)> array form, the ENCODER
229implementation should be able to import that array and create a suitable
230object to be passed to OSSL_FUNC_encoder_encode()'s I<obj_raw>.
231
232OSSL_FUNC_encoder_import_object() should import the subset of I<params>
233given with I<selection> to create a provider-native object that can be
234passed as I<obj_raw> to OSSL_FUNC_encoder_encode().
235
236OSSL_FUNC_encoder_free_object() should free the object that was created with
237OSSL_FUNC_encoder_import_object().
238
239=head2 Encoding functions
240
241OSSL_FUNC_encoder_encode() should take a provider-native object (in
242I<obj_raw>) or an object abstraction (in I<obj_abstract>), and should output
243the object in encoded form to the B<OSSL_CORE_BIO>.  The I<selection> bits,
244if relevant, should determine in greater detail what will be output.
245The encoding functions also take an L<OSSL_PASSPHRASE_CALLBACK(3)> function
246pointer along with a pointer to application data I<cbarg>, which should be
247used when a pass phrase prompt is needed.
248
249=head2 Encoder operation parameters
250
251Operation parameters currently recognised by built-in encoders are as
252follows:
253
254=over 4
255
256=item "cipher" (B<OSSL_ENCODER_PARAM_CIPHER>) <UTF8 string>
257
258The name of the encryption cipher to be used when generating encrypted
259encoding.  This is used when encoding private keys, as well as
260other objects that need protection.
261
262If this name is invalid for the encoding implementation, the
263implementation should refuse to perform the encoding, i.e.
264OSSL_FUNC_encoder_encode_data() and OSSL_FUNC_encoder_encode_object()
265should return an error.
266
267=item "properties" (B<OSSL_ENCODER_PARAM_PROPERTIES>) <UTF8 string>
268
269The properties to be queried when trying to fetch the algorithm given
270with the "cipher" parameter.
271This must be given together with the "cipher" parameter to be
272considered valid.
273
274The encoding implementation isn't obligated to use this value.
275However, it is recommended that implementations that do not handle
276property strings return an error on receiving this parameter unless
277its value NULL or the empty string.
278
279=item "save-parameters" (B<OSSL_ENCODER_PARAM_SAVE_PARAMETERS>) <integer>
280
281If set to 0 disables saving of key domain parameters. Default is 1.
282It currently has an effect only on DSA keys.
283
284=back
285
286Parameters currently recognised by the built-in pass phrase callback:
287
288=over 4
289
290=item "info" (B<OSSL_PASSPHRASE_PARAM_INFO>) <UTF8 string>
291
292A string of information that will become part of the pass phrase
293prompt.  This could be used to give the user information on what kind
294of object it's being prompted for.
295
296=back
297
298=head1 RETURN VALUES
299
300OSSL_FUNC_encoder_newctx() returns a pointer to a context, or NULL on
301failure.
302
303OSSL_FUNC_encoder_set_ctx_params() returns 1, unless a recognised
304parameter was invalid or caused an error, for which 0 is returned.
305
306OSSL_FUNC_encoder_settable_ctx_params() returns a pointer to an array of
307constant L<OSSL_PARAM(3)> elements.
308
309OSSL_FUNC_encoder_does_selection() returns 1 if the encoder implementation
310supports any of the I<selection> bits, otherwise 0.
311
312OSSL_FUNC_encoder_encode() returns 1 on success, or 0 on failure.
313
314=head1 SEE ALSO
315
316L<provider(7)>
317
318=head1 HISTORY
319
320The ENCODER interface was introduced in OpenSSL 3.0.
321
322=head1 COPYRIGHT
323
324Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
325
326Licensed under the Apache License 2.0 (the "License").  You may not use
327this file except in compliance with the License.  You can obtain a copy
328in the file LICENSE in the source distribution or at
329L<https://www.openssl.org/source/license.html>.
330
331=cut
332