[thirdparty/openssl.git] / crypto / store / README

NOTE:
	This is a planned replacement for X509_STORE.
	It is incomplete, has compile errors, and is
	not built as part of the standard configuration.


The STORE type
==============

A STORE, as defined in this code section, is really a rather simple
thing which stores objects and per-object associations to a number
of attributes.  What attributes are supported entirely depends on
the particular implementation of a STORE.  It has some support for
generation of certain objects (for example, keys and CRLs).


Supported object types
----------------------

For now, the objects that are supported are the following:

X.509 certificate
X.509 CRL
private key
public key
number
arbitrary (application) data

The intention is that a STORE should be able to store everything
needed by an application that wants a cert/key store, as well as
the data a CA might need to store (this includes the serial number
counter, which explains the support for numbers).


Supported attribute types
-------------------------

For now, the following attributes are supported:

Friendly Name		- the value is a normal C string
Key ID			- the value is a 160 bit SHA1 hash
Issuer Key ID		- the value is a 160 bit SHA1 hash
Subject Key ID		- the value is a 160 bit SHA1 hash
Issuer/Serial Hash	- the value is a 160 bit SHA1 hash
Issuer			- the value is a X509_NAME
Serial			- the value is a BIGNUM
Subject			- the value is a X509_NAME
Certificate Hash	- the value is a 160 bit SHA1 hash
Email			- the value is a normal C string
Filename		- the value is a normal C string

It is expected that these attributes should be enough to support
the need from most, if not all, current applications.  Applications
that need to do certificate verification would typically use Subject
Key ID, Issuer/Serial Hash or Subject to look up issuer certificates.
S/MIME applications would typically use Email to look up recipient
and signer certificates.

There's added support for combined sets of attributes to search for,
with the special OR attribute.


Supported basic functionality
-----------------------------

The functions that are supported through the STORE type are these:

generate_object		- for example to generate keys and CRLs
get_object		- to look up one object
			  NOTE: this function is really rather
			  redundant and probably of lesser usage
			  than the list functions
store_object		- store an object and the attributes
			  associated with it
modify_object		- modify the attributes associated with
			  a specific object
revoke_object		- revoke an object
			  NOTE: this only marks an object as
			  invalid, it doesn't remove the object
			  from the database
delete_object		- remove an object from the database
list_object		- list objects associated with a given
			  set of attributes
			  NOTE: this is really four functions:
			  list_start, list_next, list_end and
			  list_endp
update_store		- update the internal data of the store
lock_store		- lock the store
unlock_store		- unlock the store

The list functions need some extra explanation: list_start is
used to set up a lookup.  That's where the attributes to use in
the search are set up.  It returns a search context.  list_next
returns the next object searched for.  list_end closes the search.
list_endp is used to check if we have reached the end.

A few words on the store functions as well: update_store is
typically used by a CA application to update the internal
structure of a database.  This may for example involve automatic
removal of expired certificates.  lock_store and unlock_store
are used for locking a store to allow exclusive writes.
Commit	Line	Data
9fc8dc54 RS	1	NOTE:
	2	This is a planned replacement for X509_STORE.
	3	It is incomplete, has compile errors, and is
	4	not built as part of the standard configuration.
	5
	6
a5db6fa5 RL	7	The STORE type
	8	==============
	9
	10	A STORE, as defined in this code section, is really a rather simple
	11	thing which stores objects and per-object associations to a number
	12	of attributes. What attributes are supported entirely depends on
	13	the particular implementation of a STORE. It has some support for
	14	generation of certain objects (for example, keys and CRLs).
	15
	16
	17	Supported object types
	18	----------------------
	19
	20	For now, the objects that are supported are the following:
	21
	22	X.509 certificate
	23	X.509 CRL
	24	private key
	25	public key
	26	number
0bd71d3b	27	arbitrary (application) data
a5db6fa5 RL	28
	29	The intention is that a STORE should be able to store everything
	30	needed by an application that wants a cert/key store, as well as
	31	the data a CA might need to store (this includes the serial number
	32	counter, which explains the support for numbers).
	33
	34
	35	Supported attribute types
	36	-------------------------
	37
	38	For now, the following attributes are supported:
	39
	40	Friendly Name - the value is a normal C string
	41	Key ID - the value is a 160 bit SHA1 hash
	42	Issuer Key ID - the value is a 160 bit SHA1 hash
	43	Subject Key ID - the value is a 160 bit SHA1 hash
	44	Issuer/Serial Hash - the value is a 160 bit SHA1 hash
	45	Issuer - the value is a X509_NAME
	46	Serial - the value is a BIGNUM
	47	Subject - the value is a X509_NAME
	48	Certificate Hash - the value is a 160 bit SHA1 hash
	49	Email - the value is a normal C string
	50	Filename - the value is a normal C string
	51
	52	It is expected that these attributes should be enough to support
	53	the need from most, if not all, current applications. Applications
	54	that need to do certificate verification would typically use Subject
	55	Key ID, Issuer/Serial Hash or Subject to look up issuer certificates.
	56	S/MIME applications would typically use Email to look up recipient
	57	and signer certificates.
	58
	59	There's added support for combined sets of attributes to search for,
	60	with the special OR attribute.
	61
	62
	63	Supported basic functionality
	64	-----------------------------
	65
	66	The functions that are supported through the STORE type are these:
	67
	68	generate_object - for example to generate keys and CRLs
	69	get_object - to look up one object
	70	NOTE: this function is really rather
	71	redundant and probably of lesser usage
	72	than the list functions
	73	store_object - store an object and the attributes
	74	associated with it
	75	modify_object - modify the attributes associated with
	76	a specific object
	77	revoke_object - revoke an object
	78	NOTE: this only marks an object as
	79	invalid, it doesn't remove the object
	80	from the database
	81	delete_object - remove an object from the database
	82	list_object - list objects associated with a given
	83	set of attributes
	84	NOTE: this is really four functions:
	85	list_start, list_next, list_end and
	86	list_endp
	87	update_store - update the internal data of the store
	88	lock_store - lock the store
	89	unlock_store - unlock the store
	90
	91	The list functions need some extra explanation: list_start is
92	used to set up a lookup. That's where the attributes to use in
93	the search are set up. It returns a search context. list_next
94	returns the next object searched for. list_end closes the search.
95	list_endp is used to check if we have reached the end.
96
97	A few words on the store functions as well: update_store is
98	typically used by a CA application to update the internal
99	structure of a database. This may for example involve automatic
100	removal of expired certificates. lock_store and unlock_store
101	are used for locking a store to allow exclusive writes.