1=pod 2 3=head1 NAME 4 5provider-keymgmt - The KEYMGMT library E<lt>-E<gt> provider functions 6 7=head1 SYNOPSIS 8 9 #include <openssl/core_dispatch.h> 10 11 /* 12 * None of these are actual functions, but are displayed like this for 13 * the function signatures for functions that are offered as function 14 * pointers in OSSL_DISPATCH arrays. 15 */ 16 17 /* Key object (keydata) creation and destruction */ 18 void *OSSL_FUNC_keymgmt_new(void *provctx); 19 void OSSL_FUNC_keymgmt_free(void *keydata); 20 21 /* Generation, a more complex constructor */ 22 void *OSSL_FUNC_keymgmt_gen_init(void *provctx, int selection, 23 const OSSL_PARAM params[]); 24 int OSSL_FUNC_keymgmt_gen_set_template(void *genctx, void *template); 25 int OSSL_FUNC_keymgmt_gen_get_params(void *genctx, OSSL_PARAM params[]); 26 int OSSL_FUNC_keymgmt_gen_set_params(void *genctx, const OSSL_PARAM params[]); 27 const OSSL_PARAM *OSSL_FUNC_keymgmt_gen_gettable_params(void *genctx, 28 void *provctx); 29 const OSSL_PARAM *OSSL_FUNC_keymgmt_gen_settable_params(void *genctx, 30 void *provctx); 31 void *OSSL_FUNC_keymgmt_gen(void *genctx, OSSL_CALLBACK *cb, void *cbarg); 32 void OSSL_FUNC_keymgmt_gen_cleanup(void *genctx); 33 34 /* Key loading by object reference, also a constructor */ 35 void *OSSL_FUNC_keymgmt_load(const void *reference, size_t *reference_sz); 36 37 /* Key object information */ 38 int OSSL_FUNC_keymgmt_get_params(void *keydata, OSSL_PARAM params[]); 39 const OSSL_PARAM *OSSL_FUNC_keymgmt_gettable_params(void *provctx); 40 int OSSL_FUNC_keymgmt_set_params(void *keydata, const OSSL_PARAM params[]); 41 const OSSL_PARAM *OSSL_FUNC_keymgmt_settable_params(void *provctx); 42 43 /* Key object content checks */ 44 int OSSL_FUNC_keymgmt_has(const void *keydata, int selection); 45 int OSSL_FUNC_keymgmt_match(const void *keydata1, const void *keydata2, 46 int selection); 47 48 /* Discovery of supported operations */ 49 const char *OSSL_FUNC_keymgmt_query_operation_name(int operation_id); 50 51 /* Key 
object import and export functions */ 52 int OSSL_FUNC_keymgmt_import(void *keydata, int selection, const OSSL_PARAM params[]); 53 const OSSL_PARAM *OSSL_FUNC_keymgmt_import_types(int selection); 54 const OSSL_PARAM *OSSL_FUNC_keymgmt_import_types_ex(void *provctx, int selection); 55 int OSSL_FUNC_keymgmt_export(void *keydata, int selection, 56 OSSL_CALLBACK *param_cb, void *cbarg); 57 const OSSL_PARAM *OSSL_FUNC_keymgmt_export_types(int selection); 58 const OSSL_PARAM *OSSL_FUNC_keymgmt_export_types_ex(void *provctx, int selection); 59 60 /* Key object duplication, a constructor */ 61 void *OSSL_FUNC_keymgmt_dup(const void *keydata_from, int selection); 62 63 /* Key object validation */ 64 int OSSL_FUNC_keymgmt_validate(const void *keydata, int selection, int checktype); 65 66=head1 DESCRIPTION 67 68The KEYMGMT operation doesn't have much public visibility in OpenSSL 69libraries, it's rather an internal operation that's designed to work 70in tandem with operations that use private/public key pairs. 71 72Because the KEYMGMT operation shares knowledge with the operations it 73works with in tandem, they must belong to the same provider. 74The OpenSSL libraries will ensure that they do. 75 76The primary responsibility of the KEYMGMT operation is to hold the 77provider side key data for the OpenSSL library EVP_PKEY structure. 78 79All "functions" mentioned here are passed as function pointers between 80F<libcrypto> and the provider in L<OSSL_DISPATCH(3)> arrays via 81L<OSSL_ALGORITHM(3)> arrays that are returned by the provider's 82provider_query_operation() function 83(see L<provider-base(7)/Provider Functions>). 84 85All these "functions" have a corresponding function type definition 86named B<OSSL_FUNC_{name}_fn>, and a helper function to retrieve the 87function pointer from a L<OSSL_DISPATCH(3)> element named 88B<OSSL_FUNC_{name}>. 
89For example, the "function" OSSL_FUNC_keymgmt_new() has these: 90 91 typedef void *(OSSL_FUNC_keymgmt_new_fn)(void *provctx); 92 static ossl_inline OSSL_FUNC_keymgmt_new_fn 93 OSSL_FUNC_keymgmt_new(const OSSL_DISPATCH *opf); 94 95L<OSSL_DISPATCH(3)> arrays are indexed by numbers that are provided as 96macros in L<openssl-core_dispatch.h(7)>, as follows: 97 98 OSSL_FUNC_keymgmt_new OSSL_FUNC_KEYMGMT_NEW 99 OSSL_FUNC_keymgmt_free OSSL_FUNC_KEYMGMT_FREE 100 101 OSSL_FUNC_keymgmt_gen_init OSSL_FUNC_KEYMGMT_GEN_INIT 102 OSSL_FUNC_keymgmt_gen_set_template OSSL_FUNC_KEYMGMT_GEN_SET_TEMPLATE 103 OSSL_FUNC_keymgmt_gen_get_params OSSL_FUNC_KEYMGMT_GEN_GET_PARAMS 104 OSSL_FUNC_keymgmt_gen_gettable_params OSSL_FUNC_KEYMGMT_GEN_GETTABLE_PARAMS 105 OSSL_FUNC_keymgmt_gen_set_params OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS 106 OSSL_FUNC_keymgmt_gen_settable_params OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS 107 OSSL_FUNC_keymgmt_gen OSSL_FUNC_KEYMGMT_GEN 108 OSSL_FUNC_keymgmt_gen_cleanup OSSL_FUNC_KEYMGMT_GEN_CLEANUP 109 110 OSSL_FUNC_keymgmt_load OSSL_FUNC_KEYMGMT_LOAD 111 112 OSSL_FUNC_keymgmt_get_params OSSL_FUNC_KEYMGMT_GET_PARAMS 113 OSSL_FUNC_keymgmt_gettable_params OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS 114 OSSL_FUNC_keymgmt_set_params OSSL_FUNC_KEYMGMT_SET_PARAMS 115 OSSL_FUNC_keymgmt_settable_params OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS 116 117 OSSL_FUNC_keymgmt_query_operation_name OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME 118 119 OSSL_FUNC_keymgmt_has OSSL_FUNC_KEYMGMT_HAS 120 OSSL_FUNC_keymgmt_validate OSSL_FUNC_KEYMGMT_VALIDATE 121 OSSL_FUNC_keymgmt_match OSSL_FUNC_KEYMGMT_MATCH 122 123 OSSL_FUNC_keymgmt_import OSSL_FUNC_KEYMGMT_IMPORT 124 OSSL_FUNC_keymgmt_import_types OSSL_FUNC_KEYMGMT_IMPORT_TYPES 125 OSSL_FUNC_keymgmt_import_types_ex OSSL_FUNC_KEYMGMT_IMPORT_TYPES_EX 126 OSSL_FUNC_keymgmt_export OSSL_FUNC_KEYMGMT_EXPORT 127 OSSL_FUNC_keymgmt_export_types OSSL_FUNC_KEYMGMT_EXPORT_TYPES 128 OSSL_FUNC_keymgmt_export_types_ex OSSL_FUNC_KEYMGMT_EXPORT_TYPES_EX 129 130 OSSL_FUNC_keymgmt_dup 
OSSL_FUNC_KEYMGMT_DUP 131 132=head2 Key Objects 133 134A key object is a collection of data for an asymmetric key, and is 135represented as I<keydata> in this manual. 136 137The exact contents of a key object are defined by the provider, and it 138is assumed that different operations in one and the same provider use 139the exact same structure to represent this collection of data, so that 140for example, a key object that has been created using the KEYMGMT 141interface that we document here can be passed as is to other provider 142operations, such as OP_signature_sign_init() (see 143L<provider-signature(7)>). 144 145With some of the KEYMGMT functions, it's possible to select a specific 146subset of data to handle, governed by the bits in a I<selection> 147indicator. The bits are: 148 149=over 4 150 151=item B<OSSL_KEYMGMT_SELECT_PRIVATE_KEY> 152 153Indicating that the private key data in a key object should be 154considered. 155 156=item B<OSSL_KEYMGMT_SELECT_PUBLIC_KEY> 157 158Indicating that the public key data in a key object should be 159considered. 160 161=item B<OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS> 162 163Indicating that the domain parameters in a key object should be 164considered. 165 166=item B<OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS> 167 168Indicating that other parameters in a key object should be 169considered. 170 171Other parameters are key parameters that don't fit any other 172classification. In other words, this particular selector bit works as 173a last resort bit bucket selector. 174 175=back 176 177Some selector bits have also been combined for easier use: 178 179=over 4 180 181=item B<OSSL_KEYMGMT_SELECT_ALL_PARAMETERS> 182 183Indicating that all key object parameters should be considered, 184regardless of their more granular classification. 
185 186=for comment This should be used by EVP functions such as 187EVP_PKEY_copy_parameters() and EVP_PKEY_parameters_eq() 188 189This is a combination of B<OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS> and 190B<OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS>. 191 192=for comment If more parameter categories are added, they should be 193mentioned here too. 194 195=item B<OSSL_KEYMGMT_SELECT_KEYPAIR> 196 197Indicating that the whole key pair in a key object should be 198considered, i.e. the combination of public and private key. 199 200This is a combination of B<OSSL_KEYMGMT_SELECT_PRIVATE_KEY> and 201B<OSSL_KEYMGMT_SELECT_PUBLIC_KEY>. 202 203=item B<OSSL_KEYMGMT_SELECT_ALL> 204 205Indicating that everything in a key object should be considered. 206 207=back 208 209The exact interpretation of those bits or how they combine is left to 210each function where you can specify a selector. 211 212It's left to the provider implementation to decide what is reasonable 213to do with regards to received selector bits and how to do it. 214Among others, an implementation of OSSL_FUNC_keymgmt_match() might opt 215to not compare the private half if it has compared the public half, 216since a match of one half implies a match of the other half. That implication holds only when each key object is itself pairwise consistent, which OSSL_FUNC_keymgmt_validate() with B<OSSL_KEYMGMT_SELECT_KEYPAIR> is expected to check. 217 218=head2 Constructing and Destructing Functions 219 220OSSL_FUNC_keymgmt_new() should create a provider side key object. The 221provider context I<provctx> is passed and may be incorporated in the 222key object, but that is not mandatory. 223 224OSSL_FUNC_keymgmt_free() should free the passed I<keydata>. 225 226OSSL_FUNC_keymgmt_gen_init(), OSSL_FUNC_keymgmt_gen_set_template(), 227OSSL_FUNC_keymgmt_gen_get_params(), OSSL_FUNC_keymgmt_gen_gettable_params(), 228OSSL_FUNC_keymgmt_gen_set_params(), OSSL_FUNC_keymgmt_gen_settable_params(), 229OSSL_FUNC_keymgmt_gen() and OSSL_FUNC_keymgmt_gen_cleanup() work together as a 230more elaborate context based key object constructor.
231 232OSSL_FUNC_keymgmt_gen_init() should create the key object generation context 233and initialize it with I<selection>, which will determine what kind 234of contents the key object to be generated should get. 235The I<params>, if not NULL, should be set on the context in a manner similar to 236using OSSL_FUNC_keymgmt_set_params(). 237 238OSSL_FUNC_keymgmt_gen_set_template() should add I<template> to the context 239I<genctx>. The I<template> is assumed to be a key object constructed 240with the same KEYMGMT, and from which content that the implementation 241chooses can be used as a template for the key object to be generated. 242Typically, the generation of a DSA or DH key would get the domain 243parameters from this I<template>. 244 245OSSL_FUNC_keymgmt_gen_get_params() should retrieve parameters into 246I<params> from the key object generation context I<genctx>. 247 248OSSL_FUNC_keymgmt_gen_gettable_params() should return a constant array of 249descriptor L<OSSL_PARAM(3)>, for parameters that 250OSSL_FUNC_keymgmt_gen_get_params() can handle. 251 252OSSL_FUNC_keymgmt_gen_set_params() should set additional parameters from 253I<params> in the key object generation context I<genctx>. 254 255OSSL_FUNC_keymgmt_gen_settable_params() should return a constant array of 256descriptor L<OSSL_PARAM(3)>, for parameters that OSSL_FUNC_keymgmt_gen_set_params() 257can handle. 258 259OSSL_FUNC_keymgmt_gen() should perform the key object generation itself, and 260return the result. The callback I<cb> should be called at regular 261intervals with indications on how the key object generation 262progresses. 263 264OSSL_FUNC_keymgmt_gen_cleanup() should clean up and free the key object 265generation context I<genctx>. 266 267OSSL_FUNC_keymgmt_load() creates a provider side key object based on a 268I<reference> object with a size of I<reference_sz> bytes, that only the 269provider knows how to interpret, but that may come from other operations.
270Outside the provider, this reference is simply an array of bytes. 271 272At least one of OSSL_FUNC_keymgmt_new(), OSSL_FUNC_keymgmt_gen() and 273OSSL_FUNC_keymgmt_load() is mandatory, as well as OSSL_FUNC_keymgmt_free() and 274OSSL_FUNC_keymgmt_has(). Additionally, if OSSL_FUNC_keymgmt_gen() is present, 275OSSL_FUNC_keymgmt_gen_init() and OSSL_FUNC_keymgmt_gen_cleanup() must be 276present as well. 277 278=head2 Key Object Information Functions 279 280OSSL_FUNC_keymgmt_get_params() should extract information data associated 281with the given I<keydata>, see L</Common Information Parameters>. 282 283OSSL_FUNC_keymgmt_gettable_params() should return a constant array of 284descriptor L<OSSL_PARAM(3)>, for parameters that OSSL_FUNC_keymgmt_get_params() 285can handle. 286 287If OSSL_FUNC_keymgmt_gettable_params() is present, OSSL_FUNC_keymgmt_get_params() 288must also be present, and vice versa. 289 290OSSL_FUNC_keymgmt_set_params() should update information data associated 291with the given I<keydata>, see L</Common Information Parameters>. 292 293OSSL_FUNC_keymgmt_settable_params() should return a constant array of 294descriptor L<OSSL_PARAM(3)>, for parameters that OSSL_FUNC_keymgmt_set_params() 295can handle. 296 297If OSSL_FUNC_keymgmt_settable_params() is present, OSSL_FUNC_keymgmt_set_params() 298must also be present, and vice versa. 299 300=head2 Key Object Checking Functions 301 302OSSL_FUNC_keymgmt_query_operation_name() should return the name of the 303supported algorithm for the operation I<operation_id>. This is 304similar to provider_query_operation() (see L<provider-base(7)>), 305but only works as an advisory. If this function is not present, or 306returns NULL, the caller is free to assume that there's an algorithm 307from the same provider, of the same name as the one used to fetch the 308keymgmt and try to use that. 309 310OSSL_FUNC_keymgmt_has() should check whether the given I<keydata> contains the subsets 311of data indicated by the I<selection>.
A combination of several 312selector bits must consider all those subsets, not just one. An 313implementation is, however, free to consider an empty subset of data 314to still be a valid subset. For algorithms where some selection is 315not meaningful such as B<OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS> for 316RSA keys the function should just return 1 as the selected subset 317is not really missing in the key. 318 319OSSL_FUNC_keymgmt_validate() should check if the I<keydata> contains valid 320data subsets indicated by I<selection>. Some combined selections of 321data subsets may cause validation of the combined data. 322For example, the combination of B<OSSL_KEYMGMT_SELECT_PRIVATE_KEY> and 323B<OSSL_KEYMGMT_SELECT_PUBLIC_KEY> (or B<OSSL_KEYMGMT_SELECT_KEYPAIR> 324for short) is expected to check that the pairwise consistency of 325I<keydata> is valid. The I<checktype> parameter controls what type of check is 326performed on the subset of data. Two types of check are defined: 327B<OSSL_KEYMGMT_VALIDATE_FULL_CHECK> and B<OSSL_KEYMGMT_VALIDATE_QUICK_CHECK>. 328The interpretation of how much checking is performed in a full check versus a 329quick check is key type specific. Some providers may have no distinction 330between a full check and a quick check. For algorithms where some selection is 331not meaningful such as B<OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS> for 332RSA keys the function should just return 1 as there is nothing to validate for 333that selection. 334 335OSSL_FUNC_keymgmt_match() should check if the data subset indicated by 336I<selection> in I<keydata1> and I<keydata2> match. It is assumed that 337the caller has ensured that I<keydata1> and I<keydata2> are both owned 338by the implementation of this function. 339 340=head2 Key Object Import, Export and Duplication Functions 341 342OSSL_FUNC_keymgmt_import() should import data indicated by I<selection> into 343I<keydata> with values taken from the L<OSSL_PARAM(3)> array I<params>. 
344 345OSSL_FUNC_keymgmt_export() should extract values indicated by I<selection> 346from I<keydata>, create an L<OSSL_PARAM(3)> array with them and call 347I<param_cb> with that array as well as the given I<cbarg>. 348 349OSSL_FUNC_keymgmt_import_types() and OSSL_FUNC_keymgmt_import_types_ex() 350should return a constant array of descriptor 351L<OSSL_PARAM(3)> for data indicated by I<selection>, for parameters that 352OSSL_FUNC_keymgmt_import() can handle. 353Either OSSL_FUNC_keymgmt_import_types() or OSSL_FUNC_keymgmt_import_types_ex() 354must be implemented. If OSSL_FUNC_keymgmt_import_types_ex() is implemented, then 355it is preferred over OSSL_FUNC_keymgmt_import_types(). 356Providers that are supposed to be backward compatible with OpenSSL 3.0 or 3.1 357must continue to implement OSSL_FUNC_keymgmt_import_types(). 358 359OSSL_FUNC_keymgmt_export_types() and OSSL_FUNC_keymgmt_export_types_ex() 360should return a constant array of descriptor 361L<OSSL_PARAM(3)> for data indicated by I<selection>, that the 362OSSL_FUNC_keymgmt_export() callback can expect to receive. 363Either OSSL_FUNC_keymgmt_export_types() or OSSL_FUNC_keymgmt_export_types_ex() 364must be implemented. If OSSL_FUNC_keymgmt_export_types_ex() is implemented, then 365it is preferred over OSSL_FUNC_keymgmt_export_types(). 366Providers that are supposed to be backward compatible with OpenSSL 3.0 or 3.1 367must continue to implement OSSL_FUNC_keymgmt_export_types(). 368 369OSSL_FUNC_keymgmt_dup() should duplicate data subsets indicated by 370I<selection> or the whole key data I<keydata_from> and create a new 371provider side key object with the data. 372 373=head2 Common Information Parameters 374 375See L<OSSL_PARAM(3)> for further details on the parameters structure.
376 377Common information parameters currently recognised by all built-in 378keymgmt algorithms are as follows: 379 380=over 4 381 382=item "bits" (B<OSSL_PKEY_PARAM_BITS>) <integer> 383 384The value should be the cryptographic length of the cryptosystem to 385which the key belongs, in bits. The definition of cryptographic 386length is specific to the key cryptosystem. 387 388=item "max-size" (B<OSSL_PKEY_PARAM_MAX_SIZE>) <integer> 389 390The value should be the maximum size that a caller should allocate to 391safely store a signature (called I<sig> in L<provider-signature(7)>), 392the result of asymmetric encryption / decryption (I<out> in 393L<provider-asym_cipher(7)>), a derived secret (I<secret> in 394L<provider-keyexch(7)>), and similar data. 395 396Providers need to implement this parameter 397in order to properly support various use cases such as CMS signing. 398 399Because an EVP_KEYMGMT method is always tightly bound to another method 400(signature, asymmetric cipher, key exchange, ...) and must be of the 401same provider, this number only needs to be synchronised with the 402dimensions handled in the rest of the same provider. Since callers size their output buffers from this value, it must not be smaller than any output those operations can produce. 403 404=item "security-bits" (B<OSSL_PKEY_PARAM_SECURITY_BITS>) <integer> 405 406The value should be the number of security bits of the given key. 407Bits of security is defined in SP800-57. 408 409=item "mandatory-digest" (B<OSSL_PKEY_PARAM_MANDATORY_DIGEST>) <UTF8 string> 410 411If there is a mandatory digest for performing a signature operation with 412keys from this keymgmt, this parameter should get its name as value. 413 414When L<EVP_PKEY_get_default_digest_name(3)> queries this parameter and it's 415filled in by the implementation, its return value will be 2. 416 417If the keymgmt implementation fills in the value C<""> or C<"UNDEF">, 418L<EVP_PKEY_get_default_digest_name(3)> will place the string C<"UNDEF"> into 419its argument I<mdname>.
This signifies that no digest should be specified 420with the corresponding signature operation. 421 422=item "default-digest" (B<OSSL_PKEY_PARAM_DEFAULT_DIGEST>) <UTF8 string> 423 424If there is a default digest for performing a signature operation with 425keys from this keymgmt, this parameter should get its name as value. 426 427When L<EVP_PKEY_get_default_digest_name(3)> queries this parameter and it's 428filled in by the implementation, its return value will be 1. Note that if 429B<OSSL_PKEY_PARAM_MANDATORY_DIGEST> is responded to as well, 430L<EVP_PKEY_get_default_digest_name(3)> ignores the response to this 431parameter. 432 433If the keymgmt implementation fills in the value C<""> or C<"UNDEF">, 434L<EVP_PKEY_get_default_digest_name(3)> will place the string C<"UNDEF"> into 435its argument I<mdname>. This signifies that no digest has to be specified 436with the corresponding signature operation, but may be specified as an 437option. 438 439=back 440 441The OpenSSL FIPS provider also supports the following parameters: 442 443=over 4 444 445=item "fips-indicator" (B<OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR>) <integer> 446 447A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. 448This may be used after calling the OSSL_FUNC_keymgmt_gen() function. It may 449return 0 if either "key-check" or "sign-check" is set to 0. A caller that sets either check to 0 should read this indicator after generation rather than assume the key is approved. 450 451=item "key-check" (B<OSSL_PKEY_PARAM_FIPS_KEY_CHECK>) <integer> 452 453If required, this parameter should be set using OSSL_FUNC_keymgmt_gen_set_params() 454or OSSL_FUNC_keymgmt_gen_init(). 455The default value of 1 causes an error during the init if the key is not FIPS 456approved (e.g. the key has a security strength of less than 112 bits). Setting 457this to 0 will ignore the error and set the approved "fips-indicator" to 0. 458This option breaks FIPS compliance if it causes the approved "fips-indicator" 459to return 0.
460 461=item "sign-check" (B<OSSL_PKEY_PARAM_FIPS_SIGN_CHECK>) <integer> 462 463If required, this parameter should be set before the OSSL_FUNC_keymgmt_gen() 464function is called. This value is not supported by all keygen algorithms. 465The default value of 1 will cause an error if the generated key is not 466allowed to be used for signing. 467Setting this to 0 will ignore the error and set the approved "fips-indicator" to 0. 468This option breaks FIPS compliance if it causes the approved "fips-indicator" 469to return 0. 470 471=back 472 473=head1 RETURN VALUES 474 475OSSL_FUNC_keymgmt_new() and OSSL_FUNC_keymgmt_dup() should return a valid 476reference to the newly created provider side key object, or NULL on failure. 477 478OSSL_FUNC_keymgmt_import(), OSSL_FUNC_keymgmt_export(), OSSL_FUNC_keymgmt_get_params() and 479OSSL_FUNC_keymgmt_set_params() should return 1 for success or 0 on error. 480 481OSSL_FUNC_keymgmt_validate() should return 1 on successful validation, or 0 on 482failure. 483 484OSSL_FUNC_keymgmt_has() should return 1 if all the selected data subsets are contained 485in the given I<keydata> or 0 otherwise. 486 487OSSL_FUNC_keymgmt_query_operation_name() should return a pointer to a string matching 488the requested operation, or NULL if the same name used to fetch the keymgmt 489applies. 490 491OSSL_FUNC_keymgmt_gettable_params(), OSSL_FUNC_keymgmt_settable_params(), 492OSSL_FUNC_keymgmt_import_types(), OSSL_FUNC_keymgmt_import_types_ex(), 493OSSL_FUNC_keymgmt_export_types() and OSSL_FUNC_keymgmt_export_types_ex() 494should 495always return a constant L<OSSL_PARAM(3)> array.
496 497=head1 SEE ALSO 498 499L<EVP_PKEY_get_size(3)>, 500L<EVP_PKEY_get_bits(3)>, 501L<EVP_PKEY_get_security_bits(3)>, 502L<provider(7)>, 503L<EVP_PKEY-X25519(7)>, L<EVP_PKEY-X448(7)>, L<EVP_PKEY-ED25519(7)>, 504L<EVP_PKEY-ED448(7)>, L<EVP_PKEY-EC(7)>, L<EVP_PKEY-RSA(7)>, 505L<EVP_PKEY-DSA(7)>, L<EVP_PKEY-DH(7)> 506 507=head1 HISTORY 508 509The KEYMGMT interface was introduced in OpenSSL 3.0. 510 511Functions OSSL_FUNC_keymgmt_import_types_ex(), and OSSL_FUNC_keymgmt_export_types_ex() 512were added with OpenSSL 3.2. 513 514The functions OSSL_FUNC_keymgmt_gen_get_params() and 515OSSL_FUNC_keymgmt_gen_gettable_params() were added in OpenSSL 3.4. 516 517The parameters "sign-check" and "fips-indicator" were added in OpenSSL 3.4. 518 519=head1 COPYRIGHT 520 521Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. 522 523Licensed under the Apache License 2.0 (the "License"). You may not use 524this file except in compliance with the License. You can obtain a copy 525in the file LICENSE in the source distribution or at 526L<https://www.openssl.org/source/license.html>. 527 528=cut 529