ref: 5fc2f6af6c9d938dca7dd4b8df061d9eeb87ec75
dir: /sys/src/ape/lib/openssl/crypto/store/README/
The STORE type ============== A STORE, as defined in this code section, is really a rather simple thing which stores objects and per-object associations to a number of attributes. What attributes are supported entirely depends on the particular implementation of a STORE. It has some support for generation of certain objects (for example, keys and CRLs). Supported object types ---------------------- For now, the objects that are supported are the following: X.509 certificate X.509 CRL private key public key number arbitrary (application) data The intention is that a STORE should be able to store everything needed by an application that wants a cert/key store, as well as the data a CA might need to store (this includes the serial number counter, which explains the support for numbers). Supported attribute types ------------------------- For now, the following attributes are supported: Friendly Name - the value is a normal C string Key ID - the value is a 160 bit SHA1 hash Issuer Key ID - the value is a 160 bit SHA1 hash Subject Key ID - the value is a 160 bit SHA1 hash Issuer/Serial Hash - the value is a 160 bit SHA1 hash Issuer - the value is a X509_NAME Serial - the value is a BIGNUM Subject - the value is a X509_NAME Certificate Hash - the value is a 160 bit SHA1 hash Email - the value is a normal C string Filename - the value is a normal C string It is expected that these attributes should be enough to support the need from most, if not all, current applications. Applications that need to do certificate verification would typically use Subject Key ID, Issuer/Serial Hash or Subject to look up issuer certificates. S/MIME applications would typically use Email to look up recipient and signer certificates. There's added support for combined sets of attributes to search for, with the special OR attribute. Supported basic functionality ----------------------------- The functions that are supported through the STORE type are these: generate_object - for example to generate keys and CRLs get_object - to look up one object NOTE: this function is really rather redundant and probably of lesser usage than the list functions store_object - store an object and the attributes associated with it modify_object - modify the attributes associated with a specific object revoke_object - revoke an object NOTE: this only marks an object as invalid, it doesn't remove the object from the database delete_object - remove an object from the database list_object - list objects associated with a given set of attributes NOTE: this is really four functions: list_start, list_next, list_end and list_endp update_store - update the internal data of the store lock_store - lock the store unlock_store - unlock the store The list functions need some extra explanation: list_start is used to set up a lookup. That's where the attributes to use in the search are set up. It returns a search context. list_next returns the next object searched for. list_end closes the search. list_endp is used to check if we have reached the end. A few words on the store functions as well: update_store is typically used by a CA application to update the internal structure of a database. This may for example involve automatic removal of expired certificates. lock_store and unlock_store are used for locking a store to allow exclusive writes.