openssl/doc/man3/d2i_RSAPrivateKey.pod
Matt Caswell 3dbf824380 Clarify the deprecation warnings in the docs
There was recently an instance where a user was confused by the
deprecation warnings in the docs. They believed the warning applied to
the immediately preceding function declarations, when it fact it applied
to the following function declarations.

https://mta.openssl.org/pipermail/openssl-users/2021-December/014665.html

We clarify the wording to make it clear that the warning applies to the
following functions.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17180)
2021-12-06 11:23:34 +00:00

320 lines
10 KiB
Plaintext

=pod
=begin comment
Any deprecated keypair/params d2i or i2d functions are collected on this page.
=end comment
=head1 NAME
d2i_DSAPrivateKey,
d2i_DSAPrivateKey_bio,
d2i_DSAPrivateKey_fp,
d2i_DSAPublicKey,
d2i_DSA_PUBKEY,
d2i_DSA_PUBKEY_bio,
d2i_DSA_PUBKEY_fp,
d2i_DSAparams,
d2i_RSAPrivateKey,
d2i_RSAPrivateKey_bio,
d2i_RSAPrivateKey_fp,
d2i_RSAPublicKey,
d2i_RSAPublicKey_bio,
d2i_RSAPublicKey_fp,
d2i_RSA_PUBKEY,
d2i_RSA_PUBKEY_bio,
d2i_RSA_PUBKEY_fp,
d2i_DHparams,
d2i_DHparams_bio,
d2i_DHparams_fp,
d2i_ECPKParameters,
d2i_ECParameters,
d2i_ECPrivateKey,
d2i_ECPrivateKey_bio,
d2i_ECPrivateKey_fp,
d2i_EC_PUBKEY,
d2i_EC_PUBKEY_bio,
d2i_EC_PUBKEY_fp,
i2d_RSAPrivateKey,
i2d_RSAPrivateKey_bio,
i2d_RSAPrivateKey_fp,
i2d_RSAPublicKey,
i2d_RSAPublicKey_bio,
i2d_RSAPublicKey_fp,
i2d_RSA_PUBKEY,
i2d_RSA_PUBKEY_bio,
i2d_RSA_PUBKEY_fp,
i2d_DHparams,
i2d_DHparams_bio,
i2d_DHparams_fp,
i2d_DSAPrivateKey,
i2d_DSAPrivateKey_bio,
i2d_DSAPrivateKey_fp,
i2d_DSAPublicKey,
i2d_DSA_PUBKEY,
i2d_DSA_PUBKEY_bio,
i2d_DSA_PUBKEY_fp,
i2d_DSAparams,
i2d_ECPKParameters,
i2d_ECParameters,
i2d_ECPrivateKey,
i2d_ECPrivateKey_bio,
i2d_ECPrivateKey_fp,
i2d_EC_PUBKEY,
i2d_EC_PUBKEY_bio,
i2d_EC_PUBKEY_fp
- DEPRECATED
=head1 SYNOPSIS
=for openssl generic
The following functions have been deprecated since OpenSSL 3.0, and can be
hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
see L<openssl_user_macros(7)>:
TYPE *d2i_TYPEPrivateKey(TYPE **a, const unsigned char **ppin, long length);
TYPE *d2i_TYPEPrivateKey_bio(BIO *bp, TYPE **a);
TYPE *d2i_TYPEPrivateKey_fp(FILE *fp, TYPE **a);
TYPE *d2i_TYPEPublicKey(TYPE **a, const unsigned char **ppin, long length);
TYPE *d2i_TYPEPublicKey_bio(BIO *bp, TYPE **a);
TYPE *d2i_TYPEPublicKey_fp(FILE *fp, TYPE **a);
TYPE *d2i_TYPEparams(TYPE **a, const unsigned char **ppin, long length);
TYPE *d2i_TYPEparams_bio(BIO *bp, TYPE **a);
TYPE *d2i_TYPEparams_fp(FILE *fp, TYPE **a);
TYPE *d2i_TYPE_PUBKEY(TYPE **a, const unsigned char **ppin, long length);
TYPE *d2i_TYPE_PUBKEY_bio(BIO *bp, TYPE **a);
TYPE *d2i_TYPE_PUBKEY_fp(FILE *fp, TYPE **a);
int i2d_TYPEPrivateKey(const TYPE *a, unsigned char **ppout);
int i2d_TYPEPrivateKey(TYPE *a, unsigned char **ppout);
int i2d_TYPEPrivateKey_fp(FILE *fp, const TYPE *a);
int i2d_TYPEPrivateKey_fp(FILE *fp, TYPE *a);
int i2d_TYPEPrivateKey_bio(BIO *bp, const TYPE *a);
int i2d_TYPEPrivateKey_bio(BIO *bp, TYPE *a);
int i2d_TYPEPublicKey(const TYPE *a, unsigned char **ppout);
int i2d_TYPEPublicKey(TYPE *a, unsigned char **ppout);
int i2d_TYPEPublicKey_fp(FILE *fp, const TYPE *a);
int i2d_TYPEPublicKey_fp(FILE *fp, TYPE *a);
int i2d_TYPEPublicKey_bio(BIO *bp, const TYPE *a);
int i2d_TYPEPublicKey_bio(BIO *bp, TYPE *a);
int i2d_TYPEparams(const TYPE *a, unsigned char **ppout);
int i2d_TYPEparams(TYPE *a, unsigned char **ppout);
int i2d_TYPEparams_fp(FILE *fp, const TYPE *a);
int i2d_TYPEparams_fp(FILE *fp, TYPE *a);
int i2d_TYPEparams_bio(BIO *bp, const TYPE *a);
int i2d_TYPEparams_bio(BIO *bp, TYPE *a);
int i2d_TYPE_PUBKEY(const TYPE *a, unsigned char **ppout);
int i2d_TYPE_PUBKEY(TYPE *a, unsigned char **ppout);
int i2d_TYPE_PUBKEY_fp(FILE *fp, const TYPE *a);
int i2d_TYPE_PUBKEY_fp(FILE *fp, TYPE *a);
int i2d_TYPE_PUBKEY_bio(BIO *bp, const TYPE *a);
int i2d_TYPE_PUBKEY_bio(BIO *bp, TYPE *a);
=head1 DESCRIPTION
All functions described here are deprecated. Please use L<OSSL_DECODER(3)>
instead of the B<d2i> functions and L<OSSL_ENCODER(3)> instead of the B<i2d>
functions. See L</Migration> below.
In the description here, B<I<TYPE>> is used a placeholder for any of the
OpenSSL datatypes, such as B<RSA>.
The function parameters I<ppin> and I<ppout> are generally either both named
I<pp> in the headers, or I<in> and I<out>.
All the functions here behave the way that's described in L<d2i_X509(3)>.
Please note that not all functions in the synopsis are available for all key
types. For example, there are no d2i_RSAparams() or i2d_RSAparams(),
because the PKCS#1 B<RSA> structure doesn't include any key parameters.
B<d2i_I<TYPE>PrivateKey>() and derivates thereof decode DER encoded
B<I<TYPE>> private key data organized in a type specific structure.
B<d2i_I<TYPE>PublicKey>() and derivates thereof decode DER encoded
B<I<TYPE>> public key data organized in a type specific structure.
B<d2i_I<TYPE>params>() and derivates thereof decode DER encoded B<I<TYPE>>
key parameters organized in a type specific structure.
B<d2i_I<TYPE>_PUBKEY>() and derivates thereof decode DER encoded B<I<TYPE>>
public key data organized in a B<SubjectPublicKeyInfo> structure.
B<i2d_I<TYPE>PrivateKey>() and derivates thereof encode the private key
B<I<TYPE>> data into a type specific DER encoded structure.
B<i2d_I<TYPE>PublicKey>() and derivates thereof encode the public key
B<I<TYPE>> data into a type specific DER encoded structure.
B<i2d_I<TYPE>params>() and derivates thereof encode the B<I<TYPE>> key
parameters data into a type specific DER encoded structure.
B<i2d_I<TYPE>_PUBKEY>() and derivates thereof encode the public key
B<I<TYPE>> data into a DER encoded B<SubjectPublicKeyInfo> structure.
For example, d2i_RSAPrivateKey() and d2i_RSAPublicKey() expects the
structure defined by PKCS#1.
Similarly, i2d_RSAPrivateKey() and i2d_RSAPublicKey() produce DER encoded
string organized according to PKCS#1.
=head2 Migration
Migration from the diverse B<I<TYPE>>s requires using corresponding new
OpenSSL types. For all B<I<TYPE>>s described here, the corresponding new
type is B<EVP_PKEY>. The rest of this section assumes that this has been
done, exactly how to do that is described elsewhere.
There are two migration paths:
=over 4
=item *
Replace
b<d2i_I<TYPE>PrivateKey()> with L<d2i_PrivateKey(3)>,
b<d2i_I<TYPE>PublicKey()> with L<d2i_PublicKey(3)>,
b<d2i_I<TYPE>params()> with L<d2i_KeyParams(3)>,
b<d2i_I<TYPE>_PUBKEY()> with L<d2i_PUBKEY(3)>,
b<i2d_I<TYPE>PrivateKey()> with L<i2d_PrivateKey(3)>,
b<i2d_I<TYPE>PublicKey()> with L<i2d_PublicKey(3)>,
b<i2d_I<TYPE>params()> with L<i2d_KeyParams(3)>,
b<i2d_I<TYPE>_PUBKEY()> with L<i2d_PUBKEY(3)>.
A caveat is that L<i2d_PrivateKey(3)> may output a DER encoded PKCS#8
outermost structure instead of the type specific structure, and that
L<d2i_PrivateKey(3)> recognises and unpacks a PKCS#8 structures.
=item *
Use L<OSSL_DECODER(3)> and L<OSSL_ENCODER(3)>. How to migrate is described
below. All those descriptions assume that the key to be encoded is in the
variable I<pkey>.
=back
=head3 Migrating B<i2d> functions to B<OSSL_ENCODER>
The exact L<OSSL_ENCODER(3)> output is driven by arguments rather than by
function names. The sample code to get DER encoded output in a type
specific structure is uniform, the only things that vary are the selection
of what part of the B<EVP_PKEY> should be output, and the structure. The
B<i2d> functions names can therefore be translated into two variables,
I<selection> and I<structure> as follows:
=over 4
=item B<i2d_I<TYPE>PrivateKey>() translates into:
int selection = EVP_PKEY_PRIVATE_KEY;
const char *structure = "type-specific";
=item B<i2d_I<TYPE>PublicKey>() translates into:
int selection = EVP_PKEY_PUBLIC_KEY;
const char *structure = "type-specific";
=item B<i2d_I<TYPE>params>() translates into:
int selection = EVP_PKEY_PARAMETERS;
const char *structure = "type-specific";
=item B<i2d_I<TYPE>_PUBKEY>() translates into:
int selection = EVP_PKEY_PUBLIC_KEY;
const char *structure = "SubjectPublicKeyInfo";
=back
The following sample code does the rest of the work:
unsigned char *p = buffer; /* |buffer| is supplied by the caller */
size_t len = buffer_size; /* assumed be the size of |buffer| */
OSSL_ENCODER_CTX *ctx =
OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER", structure,
NULL, NULL);
if (ctx == NULL) {
/* fatal error handling */
}
if (OSSL_ENCODER_CTX_get_num_encoders(ctx) == 0) {
OSSL_ENCODER_CTX_free(ctx);
/* non-fatal error handling */
}
if (!OSSL_ENCODER_to_data(ctx, &p, &len)) {
OSSL_ENCODER_CTX_free(ctx);
/* error handling */
}
OSSL_ENCODER_CTX_free(ctx);
=for comment TODO: a similar section on OSSL_DECODER is to be added
=head1 NOTES
The letters B<i> and B<d> in B<i2d_I<TYPE>>() stand for
"internal" (that is, an internal C structure) and "DER" respectively.
So B<i2d_I<TYPE>>() converts from internal to DER.
The functions can also understand B<BER> forms.
The actual TYPE structure passed to B<i2d_I<TYPE>>() must be a valid
populated B<I<TYPE>> structure -- it B<cannot> simply be fed with an
empty structure such as that returned by TYPE_new().
The encoded data is in binary form and may contain embedded zeros.
Therefore, any FILE pointers or BIOs should be opened in binary mode.
Functions such as strlen() will B<not> return the correct length
of the encoded structure.
The ways that I<*ppin> and I<*ppout> are incremented after the operation
can trap the unwary. See the B<WARNINGS> section in L<d2i_X509(3)> for some
common errors.
The reason for this-auto increment behaviour is to reflect a typical
usage of ASN1 functions: after one structure is encoded or decoded
another will be processed after it.
The following points about the data types might be useful:
=over 4
=item B<DSA_PUBKEY>
Represents a DSA public key using a B<SubjectPublicKeyInfo> structure.
=item B<DSAPublicKey>, B<DSAPrivateKey>
Use a non-standard OpenSSL format and should be avoided; use B<DSA_PUBKEY>,
L<PEM_write_PrivateKey(3)>, or similar instead.
=back
=head1 RETURN VALUES
B<d2i_I<TYPE>>(), B<d2i_I<TYPE>_bio>() and B<d2i_I<TYPE>_fp>() return a valid
B<I<TYPE>> structure or NULL if an error occurs. If the "reuse" capability has
been used with a valid structure being passed in via I<a>, then the object is
freed in the event of error and I<*a> is set to NULL.
B<i2d_I<TYPE>>() returns the number of bytes successfully encoded or a negative
value if an error occurs.
B<i2d_I<TYPE>_bio>() and B<i2d_I<TYPE>_fp>() return 1 for success and 0 if an
error occurs.
=head1 SEE ALSO
L<OSSL_ENCODER(3)>, L<OSSL_DECODER(3)>,
L<d2i_PrivateKey(3)>, L<d2i_PublicKey(3)>, L<d2i_KeyParams(3)>,
L<d2i_PUBKEY(3)>,
L<i2d_PrivateKey(3)>, L<i2d_PublicKey(3)>, L<i2d_KeyParams(3)>,
L<i2d_PUBKEY(3)>
=head1 COPYRIGHT
Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut