Richard Levitte wrote:
After a first review of the API declared in openssl/store.h I misunderstood the
goal of the load method.
> In message <58472e4f.3010...@roumenpetrov.info> on Tue, 06 Dec 2016 23:31:59 +0200,
> Roumen Petrov <open...@roumenpetrov.info> said:
> openssl> Hi Richard,
> openssl> > Check. My STORE branch is made to support that.
> openssl> One URI could represent more than one item.
> openssl> STORE_INFO_types is an enumeration, but a URI could be associated to custom
> openssl> data (handle) and this data could be used to get other data (handles).
> openssl> See capi engine CAPI_KEY *capi_find_key(CAPI_CTX * ctx, const char
> openssl> In the above case PKEY is loaded only if CERT is located (found).
> I'm trying to understand but am failing. Looking at your example,
> it's quite clear that what you want to retrieve is a key, even though
> you have to go through the corresponding certificate to get to it.
I think that the code of the capi engine could be considered as a sample of what is
needed for a loadable module (engine) to use the "OpenSSL Store API". I posted the
above code just to get an idea of where an "external store api" is currently used.
Just imagine how the existing capi code could be changed to use the store-API
and to implement a loader (scheme?).
I'm asking as currently there is no interface (API) that could associate a
(private) key and an X.509 certificate. Currently engines implement a custom
command as a work-around, for instance LOAD_CERT_CTRL (pkcs11 and e_nss).
This is one of the areas where applications could benefit from the "Store API".
I posted a snippet from the CAPI code because it is part of OpenSSL, but a kind
of "external store api" is used by other engines.
> However, *nothing* stops anyone from making a loader for the "capi"
> scheme (if there is such a thing) that has a load method that will
> return the certificate (STORE_INFO_CERT) on the first call and the
> associated key (STORE_INFO_PKEY) on the second for the same URI. It's
> all about caching information, and there is a context variable (type
> STORE_LOADER_CTX, which is just a template type for the loader-defined
> 'struct store_loader_ctx_st') to be used exactly for that kind of
I guess that the "load" method is supposed to return all data at once.
Actually it is an iterator!
Please update the comments before the method and if possible change the name of
> I also fail to see why a store scheme has to return "custom data".
Note that the thread started from a request to load TPM keys and someone mentioned
that a TPM key has custom data.
> In your example above, I fail to see where the custom data would be
> needed... And frankly, STORE is first of all meant to handle types
> that can be used with the rest of OpenSSL. That being said, adding a
> "whatever" STORE_INFO type isn't very hard either. I'm just not
> terribly convinced yet, but let's keep talking, I'll probably
> understand sooner or later what you're actually after.
In addition to loading a key from a file there is another interface
where the store api could be used - see RT4681.
The goal is expired from the fact that the X.509 load method is hidden in
I guess that "by dir" and "by file" could be updated to use the store api.
Also applications have to be able to register that a "store scheme" could be
used by X.509 lookups.
> Richard ( oh, and if example code is needed, I can provide )
+4 for OpenSSL store api ;)
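The iterator-style load method Richard describes above (certificate on the first call, the associated key on the second, state cached in a per-URI loader context), as an added example that is not OpenSSL's code or API: the types and functions here (info_type, loader_ctx, find_by_uri, loader_open, loader_load, loader_eof) and the sample URIs are hypothetical stand-ins, and the key is only reachable once its certificate has been located, mirroring the capi case.

```c
#include <string.h>

/* Hypothetical item types, modelled on STORE_INFO_CERT / STORE_INFO_PKEY. */
enum info_type { INFO_NONE = 0, INFO_CERT = 1, INFO_PKEY = 2 };

/* Hypothetical per-URI loader context (the role STORE_LOADER_CTX plays):
 * it caches what the lookup found so successive load() calls can return it. */
struct loader_ctx {
    int step;          /* 0: nothing returned yet, 1: cert returned, 2: finished */
    const char *cert;  /* certificate located for the URI, or NULL */
    const char *pkey;  /* key associated with that certificate, or NULL */
};

/* Constructed sample "store": a URI maps to a cert and maybe a key.
 * Stands in for a scheme-specific lookup such as capi_find_key(). */
static int find_by_uri(const char *uri, const char **cert, const char **pkey)
{
    *cert = NULL; *pkey = NULL;
    if (strcmp(uri, "sample:with-key") == 0) {
        *cert = "CERT(with-key)"; *pkey = "PKEY(with-key)";
    } else if (strcmp(uri, "sample:cert-only") == 0) {
        *cert = "CERT(cert-only)";
    }
    return *cert != NULL;  /* a key is only reachable through its cert */
}

/* open(): resolve the URI once and cache the result in the context. */
int loader_open(struct loader_ctx *ctx, const char *uri)
{
    ctx->step = 0;
    return find_by_uri(uri, &ctx->cert, &ctx->pkey);
}

/* load(): an iterator, not a bulk fetch. Each call yields one item for the
 * same URI: the certificate first, then the associated key, then nothing. */
enum info_type loader_load(struct loader_ctx *ctx, const char **item)
{
    *item = NULL;
    if (ctx->step == 0 && ctx->cert != NULL) {
        ctx->step = 1; *item = ctx->cert; return INFO_CERT;
    }
    if (ctx->step == 1 && ctx->pkey != NULL) {
        ctx->step = 2; *item = ctx->pkey; return INFO_PKEY;
    }
    ctx->step = 2;
    return INFO_NONE;
}

/* eof(): tells the caller the iteration for this URI is exhausted. */
int loader_eof(const struct loader_ctx *ctx) { return ctx->step == 2; }
```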
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev