openssl/openssl
Base provider
Active contributors: Pauli, Matt Caswell, Tomas Mraz
Purpose
The base provider contains the non-cryptographic helpers needed to load and store keys: encoders, decoders, and store loaders. It is meant to be loaded alongside the FIPS provider so that you can read PEM/DER keys from disk while keeping crypto operations confined to the FIPS module.
It is built into libcrypto (not a separate module).
Entry point: providers/baseprov.c (~6 KB).
Why it exists
The default provider already includes encoders, decoders, and the file: store loader. But if you load only the FIPS provider, you have no way to convert a PEM file into an EVP_PKEY because there is no DER↔EVP_PKEY decoder available — the FIPS module deliberately does not include them. Loading base fills the gap without bringing in any of the default provider's algorithms.
graph LR
APP[App that wants FIPS-only crypto] -->|OSSL_DECODER_from_file| Dec[OSSL_DECODER<br/>provider=base]
Dec -->|encoded key bytes| KMgmt[EVP_KEYMGMT<br/>provider=fips]
APP -->|EVP_PKEY_sign| Sig[EVP_SIGNATURE<br/>provider=fips]What it offers
- All the same
OSSL_OP_ENCODER/OSSL_OP_DECODERalgorithms the default provider exposes (RSA/EC/EdDSA/X-curve/DH/DSA/ML-DSA/ML-KEM/SLH-DSA/LMS encode and decode in DER, PEM, OSSL_PARAM forms, with PKCS#8 and SubjectPublicKeyInfo wrappers). - The
file:URI store loader.
It does not offer any digest, cipher, MAC, KDF, or RNG — those must come from a different provider (default, FIPS, or third-party).
The arrays in providers/baseprov.c reference the same *_functions symbols defined in providers/implementations/encode_decode/ and providers/implementations/storemgmt/ that the default provider uses.
Recommended pairings
Documented in README-FIPS.md:
[provider_sect]
fips = fips_sect
base = base_sect
[fips_sect]
activate = 1
[base_sect]
activate = 1This produces a libctx with FIPS-only crypto plus working PEM/DER I/O.
Property
Base provider algorithms register with provider=base. Property queries that filter on provider!=fips would still find them (which is the point — encoders aren't crypto).
Entry points for modification
The base provider is intentionally a thin selection from the encode/decode tables. Most edits happen in the implementations themselves under providers/implementations/encode_decode/; baseprov.c only changes if a new top-level encoder/decoder algorithm is added or one is renamed.
Documentation
doc/man7/OSSL_PROVIDER-base.pod— the canonical reference.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.