What is the difference between OSSL_STORE_INFO_get0_PARAMS() and OSSL_STORE_INFO_get0_PKEY()?
Tomas Mraz
tomas at openssl.org
Wed Dec 27 08:17:45 UTC 2023
OSSL_STORE_INFO_get0_PARAMS() returns an EVP_PKEY object that holds
domain parameters for a particular asymmetric crypto algorithm. For
example, in the case of EC they would be elliptic curve parameters -
nowadays usually in the form of an elliptic curve name.
X509_VERIFY_PARAM is a completely different type of object that holds
various auxiliary parameters used when performing an X.509 certificate
verification, for example during the verification of the TLS server
certificate on the client side.
Domain parameters held in EVP_PKEY objects are nowadays not used
much with SSL_CTX. Historically they were mainly used for the finite
field DH parameters with TLS <= 1.2, but OpenSSL currently contains
built-in well-known safe primes that can be used for DH. In particular
TLS 1.3 uses only these and cannot use arbitrary DH parameters.
Tomas Mraz, OpenSSL
On Sat, 2023-12-23 at 13:57 +0000, Graham Leggett via openssl-users
wrote:
> Hi all,
>
> Both OSSL_STORE_INFO_get0_PARAMS() and OSSL_STORE_INFO_get0_PKEY()
> return the same type - EVP_PKEY.
>
> When adding params to an SSL_CTX, the type used is X509_VERIFY_PARAM.
>
> I am confused - what exactly is returned by
> OSSL_STORE_INFO_get0_PARAMS(), and how do you add this to SSL_CTX?
>
> Regards,
> Graham
> —
>
--
Tomáš Mráz, OpenSSL