{
    "mode": "info",
    "parameter": "provider-keymgmt",
    "section": "",
    "url": "https://www.chedong.com/phpMan.php/info/provider-keymgmt/json",
    "generated": "2026-07-05T15:55:07Z",
    "synopsis": "#include <openssl/coredispatch.h>\n/*\n* None of these are actual functions, but are displayed like this for\n* the function signatures for functions that are offered as function\n* pointers in OSSLDISPATCH arrays.\n*/\n/* Key object (keydata) creation and destruction */\nvoid *OSSLFUNCkeymgmtnew(void *provctx);\nvoid OSSLFUNCkeymgmtfree(void *keydata);\n/* Generation, a more complex constructor */\nvoid *OSSLFUNCkeymgmtgeninit(void *provctx, int selection,\nconst OSSLPARAM params[]);\nint OSSLFUNCkeymgmtgensettemplate(void *genctx, void *template);\nint OSSLFUNCkeymgmtgensetparams(void *genctx, const OSSLPARAM params[]);\nconst OSSLPARAM *OSSLFUNCkeymgmtgensettableparams(void *genctx,\nvoid *provctx);\nvoid *OSSLFUNCkeymgmtgen(void *genctx, OSSLCALLBACK *cb, void *cbarg);\nvoid OSSLFUNCkeymgmtgencleanup(void *genctx);\n/* Key loading by object reference, also a constructor */\nvoid *OSSLFUNCkeymgmtload(const void *reference, sizet *referencesz);\n/* Key object information */\nint OSSLFUNCkeymgmtgetparams(void *keydata, OSSLPARAM params[]);\nconst OSSLPARAM *OSSLFUNCkeymgmtgettableparams(void *provctx);\nint OSSLFUNCkeymgmtsetparams(void *keydata, const OSSLPARAM params[]);\nconst OSSLPARAM *OSSLFUNCkeymgmtsettableparams(void *provctx);\n/* Key object content checks */\nint OSSLFUNCkeymgmthas(const void *keydata, int selection);\nint OSSLFUNCkeymgmtmatch(const void *keydata1, const void *keydata2,\nint selection);\n/* Discovery of supported operations */\nconst char *OSSLFUNCkeymgmtqueryoperationname(int operationid);\n/* Key object import and export functions */\nint OSSLFUNCkeymgmtimport(int selection, void *keydata, const OSSLPARAM params[]);\nconst OSSLPARAM *OSSLFUNCkeymgmtimporttypes(int selection);\nint OSSLFUNCkeymgmtexport(int selection, void *keydata,\nOSSLCALLBACK *paramcb, void *cbarg);\nconst OSSLPARAM *OSSLFUNCkeymgmtexporttypes(int selection);\n/* Key object duplication, a constructor */\nvoid *OSSLFUNCkeymgmtdup(const void 
*keydatafrom, int selection);\n/* Key object validation */\nint OSSLFUNCkeymgmtvalidate(const void *keydata, int selection, int checktype);",
    "sections": {
        "NAME": {
            "content": "provider-keymgmt - The KEYMGMT library <-> provider functions\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "#include <openssl/coredispatch.h>\n\n/*\n* None of these are actual functions, but are displayed like this for\n* the function signatures for functions that are offered as function\n* pointers in OSSLDISPATCH arrays.\n*/\n\n/* Key object (keydata) creation and destruction */\nvoid *OSSLFUNCkeymgmtnew(void *provctx);\nvoid OSSLFUNCkeymgmtfree(void *keydata);\n\n/* Generation, a more complex constructor */\nvoid *OSSLFUNCkeymgmtgeninit(void *provctx, int selection,\nconst OSSLPARAM params[]);\nint OSSLFUNCkeymgmtgensettemplate(void *genctx, void *template);\nint OSSLFUNCkeymgmtgensetparams(void *genctx, const OSSLPARAM params[]);\nconst OSSLPARAM *OSSLFUNCkeymgmtgensettableparams(void *genctx,\nvoid *provctx);\nvoid *OSSLFUNCkeymgmtgen(void *genctx, OSSLCALLBACK *cb, void *cbarg);\nvoid OSSLFUNCkeymgmtgencleanup(void *genctx);\n\n/* Key loading by object reference, also a constructor */\nvoid *OSSLFUNCkeymgmtload(const void *reference, sizet *referencesz);\n\n/* Key object information */\nint OSSLFUNCkeymgmtgetparams(void *keydata, OSSLPARAM params[]);\nconst OSSLPARAM *OSSLFUNCkeymgmtgettableparams(void *provctx);\nint OSSLFUNCkeymgmtsetparams(void *keydata, const OSSLPARAM params[]);\nconst OSSLPARAM *OSSLFUNCkeymgmtsettableparams(void *provctx);\n\n/* Key object content checks */\nint OSSLFUNCkeymgmthas(const void *keydata, int selection);\nint OSSLFUNCkeymgmtmatch(const void *keydata1, const void *keydata2,\nint selection);\n\n/* Discovery of supported operations */\nconst char *OSSLFUNCkeymgmtqueryoperationname(int operationid);\n\n/* Key object import and export functions */\nint OSSLFUNCkeymgmtimport(int selection, void *keydata, const OSSLPARAM params[]);\nconst OSSLPARAM *OSSLFUNCkeymgmtimporttypes(int selection);\nint OSSLFUNCkeymgmtexport(int selection, void *keydata,\nOSSLCALLBACK *paramcb, void *cbarg);\nconst OSSLPARAM *OSSLFUNCkeymgmtexporttypes(int selection);\n\n/* Key object duplication, a constructor */\nvoid 
*OSSLFUNCkeymgmtdup(const void *keydatafrom, int selection);\n\n/* Key object validation */\nint OSSLFUNCkeymgmtvalidate(const void *keydata, int selection, int checktype);\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "The KEYMGMT operation doesn't have much public visibility in OpenSSL\nlibraries, it's rather an internal operation that's designed to work in\ntandem with operations that use private/public key pairs.\n\nBecause the KEYMGMT operation shares knowledge with the operations it\nworks with in tandem, they must belong to the same provider.  The\nOpenSSL libraries will ensure that they do.\n\nThe primary responsibility of the KEYMGMT operation is to hold the\nprovider side key data for the OpenSSL library EVPPKEY structure.\n\nAll \"functions\" mentioned here are passed as function pointers between\nlibcrypto and the provider in OSSLDISPATCH arrays via OSSLALGORITHM\narrays that are returned by the provider's providerqueryoperation()\nfunction (see \"Provider Functions\" in provider-base(7)).\n\nAll these \"functions\" have a corresponding function type definition\nnamed OSSLFUNC{name}fn, and a helper function to retrieve the\nfunction pointer from a OSSLDISPATCH element named OSSLFUNC{name}.\nFor example, the \"function\" OSSLFUNCkeymgmtnew() has these:\n\ntypedef void *(OSSLFUNCkeymgmtnewfn)(void *provctx);\nstatic osslinline OSSLFUNCkeymgmtnewfn\nOSSLFUNCkeymgmtnew(const OSSLDISPATCH *opf);\n\nOSSLDISPATCH arrays are indexed by numbers that are provided as macros\nin openssl-coredispatch.h(7), as follows:\n\nOSSLFUNCkeymgmtnew                  OSSLFUNCKEYMGMTNEW\nOSSLFUNCkeymgmtfree                 OSSLFUNCKEYMGMTFREE\n\nOSSLFUNCkeymgmtgeninit             OSSLFUNCKEYMGMTGENINIT\nOSSLFUNCkeymgmtgensettemplate     OSSLFUNCKEYMGMTGENSETTEMPLATE\nOSSLFUNCkeymgmtgensetparams       OSSLFUNCKEYMGMTGENSETPARAMS\nOSSLFUNCkeymgmtgensettableparams  OSSLFUNCKEYMGMTGENSETTABLEPARAMS\nOSSLFUNCkeymgmtgen                  OSSLFUNCKEYMGMTGEN\nOSSLFUNCkeymgmtgencleanup          OSSLFUNCKEYMGMTGENCLEANUP\n\nOSSLFUNCkeymgmtload                 OSSLFUNCKEYMGMTLOAD\n\nOSSLFUNCkeymgmtgetparams           OSSLFUNCKEYMGMTGETPARAMS\nOSSLFUNCkeymgmtgettableparams      
OSSLFUNCKEYMGMTGETTABLEPARAMS\nOSSLFUNCkeymgmtsetparams           OSSLFUNCKEYMGMTSETPARAMS\nOSSLFUNCkeymgmtsettableparams      OSSLFUNCKEYMGMTSETTABLEPARAMS\n\nOSSLFUNCkeymgmtqueryoperationname OSSLFUNCKEYMGMTQUERYOPERATIONNAME\n\nOSSLFUNCkeymgmthas                  OSSLFUNCKEYMGMTHAS\nOSSLFUNCkeymgmtvalidate             OSSLFUNCKEYMGMTVALIDATE\nOSSLFUNCkeymgmtmatch                OSSLFUNCKEYMGMTMATCH\n\nOSSLFUNCkeymgmtimport               OSSLFUNCKEYMGMTIMPORT\nOSSLFUNCkeymgmtimporttypes         OSSLFUNCKEYMGMTIMPORTTYPES\nOSSLFUNCkeymgmtexport               OSSLFUNCKEYMGMTEXPORT\nOSSLFUNCkeymgmtexporttypes         OSSLFUNCKEYMGMTEXPORTTYPES\n\nOSSLFUNCkeymgmtdup                  OSSLFUNCKEYMGMTDUP\n\nKey Objects\nA key object is a collection of data for an asymmetric key, and is\nrepresented as keydata in this manual.\n\nThe exact contents of a key object are defined by the provider, and it\nis assumed that different operations in one and the same provider use\nthe exact same structure to represent this collection of data, so that\nfor example, a key object that has been created using the KEYMGMT\ninterface that we document here can be passed as is to other provider\noperations, such as OPsignaturesigninit() (see\nprovider-signature(7)).\n\nWith some of the KEYMGMT functions, it's possible to select a specific\nsubset of data to handle, governed by the bits in a selection\nindicator.  The bits are:\n\nOSSLKEYMGMTSELECTPRIVATEKEY\nIndicating that the private key data in a key object should be\nconsidered.\n\nOSSLKEYMGMTSELECTPUBLICKEY\nIndicating that the public key data in a key object should be\nconsidered.\n\nOSSLKEYMGMTSELECTDOMAINPARAMETERS\nIndicating that the domain parameters in a key object should be\nconsidered.\n\nOSSLKEYMGMTSELECTOTHERPARAMETERS\nIndicating that other parameters in a key object should be\nconsidered.\n\nOther parameters are key parameters that don't fit any other\nclassification.  
In other words, this particular selector bit works\nas a last resort bit bucket selector.\n\nSome selector bits have also been combined for easier use:\n\nOSSLKEYMGMTSELECTALLPARAMETERS\nIndicating that all key object parameters should be considered,\nregardless of their more granular classification.\n\nThis is a combination of OSSLKEYMGMTSELECTDOMAINPARAMETERS and\nOSSLKEYMGMTSELECTOTHERPARAMETERS.\n\nOSSLKEYMGMTSELECTKEYPAIR\nIndicating that the whole key pair in a key object should be\nconsidered, i.e. the combination of public and private key.\n\nThis is a combination of OSSLKEYMGMTSELECTPRIVATEKEY and\nOSSLKEYMGMTSELECTPUBLICKEY.\n\nOSSLKEYMGMTSELECTALL\nIndicating that everything in a key object should be considered.\n\nThe exact interpretation of those bits or how they combine is left to\neach function where you can specify a selector.\n\nIt's left to the provider implementation to decide what is reasonable\nto do with regard to received selector bits and how to do it.  Among\nothers, an implementation of OSSLFUNCkeymgmtmatch() might opt to not\ncompare the private half if it has compared the public half, since a\nmatch of one half implies a match of the other half.\n\nConstructing and Destructing Functions\nOSSLFUNCkeymgmtnew() should create a provider side key object.  The\nprovider context provctx is passed and may be incorporated in the key\nobject, but that is not mandatory.\n\nOSSLFUNCkeymgmtfree() should free the passed keydata.\n\nOSSLFUNCkeymgmtgeninit(), OSSLFUNCkeymgmtgensettemplate(),\nOSSLFUNCkeymgmtgensetparams(),\nOSSLFUNCkeymgmtgensettableparams(), OSSLFUNCkeymgmtgen() and\nOSSLFUNCkeymgmtgencleanup() work together as a more elaborate\ncontext based key object constructor.\n\nOSSLFUNCkeymgmtgeninit() should create the key object generation\ncontext and initialize it with selections, which will determine what\nkind of contents the key object to be generated should get.  
The\nparams, if not NULL, should be set on the context in a manner similar\nto using OSSLFUNCkeymgmtsetparams().\n\nOSSLFUNCkeymgmtgensettemplate() should add template to the context\ngenctx.  The template is assumed to be a key object constructed with\nthe same KEYMGMT, and from which content that the implementation\nchooses can be used as a template for the key object to be generated.\nTypically, the generation of a DSA or DH key would get the domain\nparameters from this template.\n\nOSSLFUNCkeymgmtgensetparams() should set additional parameters\nfrom params in the key object generation context genctx.\n\nOSSLFUNCkeymgmtgensettableparams() should return a constant array\nof descriptor OSSLPARAM, for parameters that\nOSSLFUNCkeymgmtgensetparams() can handle.\n\nOSSLFUNCkeymgmtgen() should perform the key object generation\nitself, and return the result.  The callback cb should be called at\nregular intervals with indications on how the key object generation\nprogresses.\n\nOSSLFUNCkeymgmtgencleanup() should clean up and free the key object\ngeneration context genctx.\n\nOSSLFUNCkeymgmtload() creates a provider side key object based on a\nreference object with a size of referencesz bytes, that only the\nprovider knows how to interpret, but that may come from other\noperations.  Outside the provider, this reference is simply an array of\nbytes.\n\nAt least one of OSSLFUNCkeymgmtnew(), OSSLFUNCkeymgmtgen() and\nOSSLFUNCkeymgmtload() is mandatory, as well as\nOSSLFUNCkeymgmtfree() and OSSLFUNCkeymgmthas(). 
Additionally, if\nOSSLFUNCkeymgmtgen() is present, OSSLFUNCkeymgmtgeninit() and\nOSSLFUNCkeymgmtgencleanup() must be present as well.\n\nKey Object Information Functions\nOSSLFUNCkeymgmtgetparams() should extract information data\nassociated with the given keydata, see \"Common Information Parameters\".\n\nOSSLFUNCkeymgmtgettableparams() should return a constant array of\ndescriptor OSSLPARAM, for parameters that\nOSSLFUNCkeymgmtgetparams() can handle.\n\nIf OSSLFUNCkeymgmtgettableparams() is present,\nOSSLFUNCkeymgmtgetparams() must also be present, and vice versa.\n\nOSSLFUNCkeymgmtsetparams() should update information data\nassociated with the given keydata, see \"Common Information Parameters\".\n\nOSSLFUNCkeymgmtsettableparams() should return a constant array of\ndescriptor OSSLPARAM, for parameters that\nOSSLFUNCkeymgmtsetparams() can handle.\n\nIf OSSLFUNCkeymgmtsettableparams() is present,\nOSSLFUNCkeymgmtsetparams() must also be present, and vice versa.\n\nKey Object Checking Functions\nOSSLFUNCkeymgmtqueryoperationname() should return the name of the\nsupported algorithm for the operation operationid.  This is similar to\nproviderqueryoperation() (see provider-base(7)), but only works as an\nadvisory.  If this function is not present, or returns NULL, the caller\nis free to assume that there's an algorithm from the same provider, of\nthe same name as the one used to fetch the keymgmt and try to use that.\n\nOSSLFUNCkeymgmthas() should check whether the given keydata contains\nthe subsets of data indicated by the selector.  A combination of\nseveral selector bits must consider all those subsets, not just one.\nAn implementation is, however, free to consider an empty subset of data\nto still be a valid subset. 
For algorithms where some selection is not\nmeaningful such as OSSLKEYMGMTSELECTDOMAINPARAMETERS for RSA keys\nthe function should just return 1 as the selected subset is not really\nmissing in the key.\n\nOSSLFUNCkeymgmtvalidate() should check if the keydata contains valid\ndata subsets indicated by selection.  Some combined selections of data\nsubsets may cause validation of the combined data.  For example, the\ncombination of OSSLKEYMGMTSELECTPRIVATEKEY and\nOSSLKEYMGMTSELECTPUBLICKEY (or OSSLKEYMGMTSELECTKEYPAIR for\nshort) is expected to check that the pairwise consistency of keydata is\nvalid. The checktype parameter controls what type of check is performed\non the subset of data. Two types of check are defined:\nOSSLKEYMGMTVALIDATEFULLCHECK and OSSLKEYMGMTVALIDATEQUICKCHECK.\nThe interpretation of how much checking is performed in a full check\nversus a quick check is key type specific. Some providers may have no\ndistinction between a full check and a quick check. For algorithms\nwhere some selection is not meaningful such as\nOSSLKEYMGMTSELECTDOMAINPARAMETERS for RSA keys the function should\njust return 1 as there is nothing to validate for that selection.\n\nOSSLFUNCkeymgmtmatch() should check if the data subset indicated by\nselection in keydata1 and keydata2 match.  
It is assumed that the\ncaller has ensured that keydata1 and keydata2 are both owned by the\nimplementation of this function.\n\nKey Object Import, Export and Duplication Functions\nOSSLFUNCkeymgmtimport() should import data indicated by selection\ninto keydata with values taken from the OSSLPARAM array params.\n\nOSSLFUNCkeymgmtexport() should extract values indicated by selection\nfrom keydata, create an OSSLPARAM array with them and call paramcb\nwith that array as well as the given cbarg.\n\nOSSLFUNCkeymgmtimporttypes() should return a constant array of\ndescriptor OSSLPARAM for data indicated by selection, for parameters\nthat OSSLFUNCkeymgmtimport() can handle.\n\nOSSLFUNCkeymgmtexporttypes() should return a constant array of\ndescriptor OSSLPARAM for data indicated by selection, that the\nOSSLFUNCkeymgmtexport() callback can expect to receive.\n\nOSSLFUNCkeymgmtdup() should duplicate data subsets indicated by\nselection or the whole key data keydatafrom and create a new provider\nside key object with the data.\n\nCommon Information Parameters\nSee OSSLPARAM(3) for further details on the parameters structure.\n\nCommon information parameters currently recognised by all built-in\nkeymgmt algorithms are as follows:\n\n\"bits\" (OSSLPKEYPARAMBITS) <integer>\nThe value should be the cryptographic length of the cryptosystem to\nwhich the key belongs, in bits.  The definition of cryptographic\nlength is specific to the key cryptosystem.\n\n\"max-size\" (OSSLPKEYPARAMMAXSIZE) <integer>\nThe value should be the maximum size that a caller should allocate\nto safely store a signature (called sig in provider-signature(7)),\nthe result of asymmetric encryption / decryption (out in\nprovider-asymcipher(7)), a derived secret (secret in\nprovider-keyexch(7)), and similar data.\n\nBecause an EVPKEYMGMT method is always tightly bound to another\nmethod (signature, asymmetric cipher, key exchange, ...) 
and must\nbe of the same provider, this number only needs to be synchronised\nwith the dimensions handled in the rest of the same provider.\n\n\"security-bits\" (OSSLPKEYPARAMSECURITYBITS) <integer>\nThe value should be the number of security bits of the given key.\nBits of security is defined in SP800-57.\n",
            "subsections": []
        },
        "RETURN VALUES": {
            "content": "OSSLFUNCkeymgmtnew() and OSSLFUNCkeymgmtdup() should return a\nvalid reference to the newly created provider side key object, or NULL\non failure.\n\nOSSLFUNCkeymgmtimport(), OSSLFUNCkeymgmtexport(),\nOSSLFUNCkeymgmtgetparams() and OSSLFUNCkeymgmtsetparams()\nshould return 1 for success or 0 on error.\n\nOSSLFUNCkeymgmtvalidate() should return 1 on successful validation,\nor 0 on failure.\n\nOSSLFUNCkeymgmthas() should return 1 if all the selected data\nsubsets are contained in the given keydata or 0 otherwise.\n\nOSSLFUNCkeymgmtqueryoperationname() should return a pointer to a\nstring matching the requested operation, or NULL if the same name used\nto fetch the keymgmt applies.\n\nOSSLFUNCkeymgmtgettableparams(),\nOSSLFUNCkeymgmtsettableparams(), OSSLFUNCkeymgmtimporttypes() and\nOSSLFUNCkeymgmtexporttypes() should always return a constant\nOSSLPARAM array.\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "provider(7), EVPPKEY-X25519(7), EVPPKEY-X448(7), EVPPKEY-ED25519(7),\nEVPPKEY-ED448(7), EVPPKEY-EC(7), EVPPKEY-RSA(7), EVPPKEY-DSA(7),\nEVPPKEY-DH(7)\n",
            "subsections": []
        },
        "HISTORY": {
            "content": "The KEYMGMT interface was introduced in OpenSSL 3.0.\n",
            "subsections": []
        },
        "COPYRIGHT": {
            "content": "Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.\n\nLicensed under the Apache License 2.0 (the \"License\").  You may not use\nthis file except in compliance with the License.  You can obtain a copy\nin the file LICENSE in the source distribution or at\n<https://www.openssl.org/source/license.html>.\n\n3.0.2                             2026-06-02            PROVIDER-KEYMGMT(7SSL)",
            "subsections": []
        }
    },
    "summary": "provider-keymgmt - The KEYMGMT library <-> provider functions",
    "flags": [],
    "examples": [],
    "see_also": [
        {
            "name": "provider",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/provider/7/json"
        },
        {
            "name": "EVPPKEY-X25519",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPPKEY-X25519/7/json"
        },
        {
            "name": "EVPPKEY-X448",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPPKEY-X448/7/json"
        },
        {
            "name": "EVPPKEY-ED25519",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPPKEY-ED25519/7/json"
        },
        {
            "name": "EVPPKEY-ED448",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPPKEY-ED448/7/json"
        },
        {
            "name": "EVPPKEY-EC",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPPKEY-EC/7/json"
        },
        {
            "name": "EVPPKEY-RSA",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPPKEY-RSA/7/json"
        },
        {
            "name": "EVPPKEY-DSA",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPPKEY-DSA/7/json"
        },
        {
            "name": "EVPPKEY-DH",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPPKEY-DH/7/json"
        }
    ]
}