Open-Source Wikis

/

OpenSSL

/

Providers

/

Base provider

openssl/openssl

Base provider

Active contributors: Pauli, Matt Caswell, Tomas Mraz

Purpose

The base provider contains the non-cryptographic helpers needed to load and store keys: encoders, decoders, and store loaders. It is meant to be loaded alongside the FIPS provider so that you can read PEM/DER keys from disk while keeping crypto operations confined to the FIPS module.

It is built into libcrypto (not a separate module).

Entry point: providers/baseprov.c (~6 KB).

Why it exists

The default provider already includes encoders, decoders, and the file: store loader. But if you load only the FIPS provider, you have no way to convert a PEM file into an EVP_PKEY because there is no DER↔EVP_PKEY decoder available — the FIPS module deliberately does not include them. Loading base fills the gap without bringing in any of the default provider's algorithms.

graph LR
    APP[App that wants FIPS-only crypto] -->|OSSL_DECODER_from_file| Dec[OSSL_DECODER<br/>provider=base]
    Dec -->|encoded key bytes| KMgmt[EVP_KEYMGMT<br/>provider=fips]
    APP -->|EVP_PKEY_sign| Sig[EVP_SIGNATURE<br/>provider=fips]

What it offers

  • All the same OSSL_OP_ENCODER / OSSL_OP_DECODER algorithms the default provider exposes (RSA/EC/EdDSA/X-curve/DH/DSA/ML-DSA/ML-KEM/SLH-DSA/LMS encode and decode in DER, PEM, OSSL_PARAM forms, with PKCS#8 and SubjectPublicKeyInfo wrappers).
  • The file: URI store loader.

It does not offer any digest, cipher, MAC, KDF, or RNG — those must come from a different provider (default, FIPS, or third-party).

The arrays in providers/baseprov.c reference the same *_functions symbols defined in providers/implementations/encode_decode/ and providers/implementations/storemgmt/ that the default provider uses.

Documented in README-FIPS.md:

[provider_sect]
fips = fips_sect
base = base_sect

[fips_sect]
activate = 1

[base_sect]
activate = 1

This produces a libctx with FIPS-only crypto plus working PEM/DER I/O.

Property

Base provider algorithms register with provider=base. Property queries that filter on provider!=fips would still find them (which is the point — encoders aren't crypto).

Entry points for modification

The base provider is intentionally a thin selection from the encode/decode tables. Most edits happen in the implementations themselves under providers/implementations/encode_decode/; baseprov.c only changes if a new top-level encoder/decoder algorithm is added or one is renamed.

Documentation

  • doc/man7/OSSL_PROVIDER-base.pod — the canonical reference.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Base provider – OpenSSL wiki | Factory