OSSL_PARAM behaviour for unknown keys

Kurt Roeckx kurt at roeckx.be
Tue Dec 15 12:23:58 UTC 2020

On Tue, Dec 15, 2020 at 08:40:03AM +0100, Dmitry Belyavsky wrote:
> There are 2 variants of using OpenSSL.
> 1. Algorithm-agnostic. We can deal with most of the algorithms in a more or
> less similar way.
> That was the way we dealt with various algorithms in libcrypto since 1.0
> version.
> 2. Algorithm-specific. The API user should take into account which
> algorithms are
> supported by their application and provide some specific processing.
> These are two different approaches.

I'm not really sure what you're trying to say. 1) seem to be
things like EVP_CIPHER, EVP_MAC, and so on, while 2) seems to be
RSA, ECDSA, AES APIs. And 2) is then something we want to get rid

What we want is that the interface to the algorithm doesn't depend
on the algorithm. But even in the same type of algorithmd, some
might need more parameters, support different modes, and things like
that, so we need a way set all those options. We now have an
OSSL_PARAM that can make this much more flexible, and we don't need
to add a new function/macro each time we want to do something new.

If an applications wants to switch from one to the other
algorithm, it should be as easy as possible. But the application
might need to change, and might need to be aware which parameters
are needed. If the application passes the RSA parameters itself
to OpenSSL and it wants to switch to EdDSA, it will not continue
to pass the primes, exponent, and so on. I think if it did try that,
we should return an error.


More information about the openssl-project mailing list