OSSL_PARAM behaviour for unknown keys

Tim Hudson tjh at cryptsoft.com
Tue Dec 15 12:34:37 UTC 2020

On Tue, Dec 15, 2020 at 10:24 PM Kurt Roeckx <kurt at roeckx.be> wrote:

> If an applications wants to switch from one to the other
> algorithm, it should be as easy as possible. But the application
> might need to change, and might need to be aware which parameters
> are needed.

A provider may not need any of those parameters - it might just need (for
example) a label or key name.
That could be entirely sufficient and valid for an HSM usage scenario and
setting up a key in that manner should be permitted.
Then you don't have any of the sort of parameters you are talking about and
it remains perfectly valid - for that provider.
For other providers the list may be different.

This is one of the areas where there is a conceptual difference - it is a
collection of things a provider needs to do its work - it isn't necessarily
a complete standalone portable definition of a cryptographic object with
all elements available and provided by the application.

Part of the point of this is you should be able to use different algorithms
without the application having to change - that is part of the point of the
sort of APIs we have - so that applications can work with whatever the user
of the application wants to work with and you don't have to always go and
add extra code into every application if something new comes along that we
want to support.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-project/attachments/20201215/b81f3326/attachment.html>

More information about the openssl-project mailing list