Re: What is the difference between OSSL_STORE_INFO_get0_PARAMS() and OSSL_STORE_INFO_get0_PKEY()?

OSSL_STORE_INFO_get0_PARAMS() returns an EVP_PKEY object that holds
domain parameters for a particular asymmetric crypto algorithm. For
example, in the case of EC they would be elliptic curve parameters -
nowadays usually in the form of an elliptic curve name.

X509_VERIFY_PARAM is a completely different type of object that holds
various auxiliary parameters used when performing an X.509 certificate
verification, for example during the verification of the TLS server
certificate on the client side.

Domain parameters held in an EVP_PKEY object are nowadays not used
much with SSL_CTX. Historically they were mainly used for the finite
field DH parameters with TLS <= 1.2, but OpenSSL currently contains
built-in well-known safe primes that can be used for DH. In particular,
TLS 1.3 uses only these and cannot use arbitrary DH parameters.

Tomas Mraz, OpenSSL

On Sat, 2023-12-23 at 13:57 +0000, Graham Leggett via openssl-users
wrote:
> Hi all,
> 
> Both OSSL_STORE_INFO_get0_PARAMS() and OSSL_STORE_INFO_get0_PKEY()
> return the same type - EVP_PKEY.
> 
> When adding params to an SSL_CTX, the type used is X509_VERIFY_PARAM.
> 
> I am confused - what exactly is returned by
> OSSL_STORE_INFO_get0_PARAMS(), and how do you add this to SSL_CTX?
> 
> Regards,
> Graham
> —
> 

-- 
Tomáš Mráz, OpenSSL