{"id":51121833,"url":"https://github.com/tegmentum/openssl-provider-wit","last_synced_at":"2026-06-25T03:30:34.776Z","repository":{"id":361710164,"uuid":"1255315331","full_name":"tegmentum/openssl-provider-wit","owner":"tegmentum","description":"Layer-1 OpenSSL 3 provider ABI as WIT. Mirrors OSSL_DISPATCH / OSSL_PARAM / OSSL_ALGORITHM so wasm components can plug into openssl-wasm without C glue.","archived":false,"fork":false,"pushed_at":"2026-05-31T23:20:40.000Z","size":51,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-01T00:13:54.804Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tegmentum.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-31T17:17:52.000Z","updated_at":"2026-05-31T23:20:44.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/tegmentum/openssl-provider-wit","commit_stats":null,"previous_names":["tegmentum/openssl-provider-wit"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/tegmentum/openssl-provider-wit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tegmentum%2Fopenssl-provider-wit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tegmentum%2Fopenssl-provider-wit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tegmentum%2Fopenssl-provider-wit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tegmentum%2Fopenssl-provider-wit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tegmentum","download_url":"https://codeload.github.com/tegmentum/openssl-provider-wit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tegmentum%2Fopenssl-provider-wit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34758773,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-25T02:00:05.521Z","response_time":101,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-25T03:30:34.051Z","updated_at":"2026-06-25T03:30:34.768Z","avatar_url":"https://github.com/tegmentum.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"openssl:provider-abi WIT\n========================\n\nWIT mirror of the OpenSSL 3 provider ABI (`OSSL_PROVIDER`,\n`OSSL_DISPATCH`, `OSSL_ALGORITHM`, `OSSL_PARAM`, and the\n`OSSL_FUNC_*` families from `\u003copenssl/core_dispatch.h\u003e`).\n\nLets OpenSSL 3 providers ship as wasm components instead of\n`.so`/`.dll` files. openssl-wasm imports this world; provider\ncomponents export it.\n\nStatus: **Phase 1b + Phase 8 STORE complete** — Layer-1 surface is\nsufficient for TLS 1.2 / 1.3 server-side, client-cert auth, and\n`SSLContext.load_cert_chain('pkcs11:...')` via the STORE op\nend-to-end through a real HSM. See [ARCHITECTURE.md](ARCHITECTURE.md)\nfor the full layered stack + composition recipes.\n\n- `pkey/pkey.wit` — shared types: `OSSL_PARAM` variant, key-selection\n  flags, `pkey-error` (with `insufficient-buffer(u64)`), `operation`\n  enum (replaces raw `s32` for OSSL_OP_*), four resource handles\n  (`keydata`, `gen-context`, `signature-context`, `asym-cipher-context`).\n- `keymgmt/keymgmt.wit` — all 25 OSSL_FUNC_KEYMGMT_* mapped.\n- `signature/signature.wit` — OSSL_FUNC_SIGNATURE_* IDs 1–26. The\n  3.2+ one-shot sign-message family (27–32) is deferred to Phase 8.\n- `asym-cipher/asym-cipher.wit` — all 11 OSSL_FUNC_ASYM_CIPHER_* mapped.\n- `provider/provider.wit` — OSSL_FUNC_PROVIDER_* IDs 1024–1032 (the\n  \"provider-implements\" side). Reverse-direction \"core-provided\" funcs\n  (IDs 105–120+) are not in this WIT — they live on the openssl-wasm\n  side as Phase 2 callback-direction work.\n- `worlds/provider-abi.wit` exports all five interfaces.\n\nGenerated surface: 812 lines of C; 36 keymgmt + 34 signature + 19\nasym-cipher + 23 provider + 8 pkey exported funcs.\n\nPhase 2 (`openssl-wasm` loader patch) is the next milestone.\n\nSee `~/git/python-wasm/plans/openssl-provider-wit.md` for the\narchitecture and 13-phase implementation plan, and\n`docs/architecture.md` for the standalone version of the design.\n\nLayout\n------\n\n```\npkey/pkey.wit                 shared types: OSSL_PARAM variant, key-selection\n                              flags, pkey-error variant, operation enum,\n                              opaque resource handles\nprovider/provider.wit         OSSL_PROVIDER entry point (Phase 1b)\nkeymgmt/keymgmt.wit           OSSL_OP_KEYMGMT (Phase 1a, 25 funcs)\nsignature/signature.wit       OSSL_OP_SIGNATURE (Phase 1a, IDs 1-26)\nasym-cipher/asym-cipher.wit   OSSL_OP_ASYM_CIPHER (Phase 1b, 11 funcs)\nworlds/provider-abi.wit       the Layer-1 contract (combines all)\ndocs/architecture.md          design overview\nscripts/check-wit.sh          resolve + wit-bindgen c + wasi-sdk clang compile\n```\n\nHow a C provider author reads this\n----------------------------------\n\nEach interface (`keymgmt`, `signature`, ...) has top-of-file comments\nmapping every `OSSL_FUNC_*` ID to the WIT method that replaces it.\nTwo intentional model shifts:\n\n- C `void *provctx` / `keydata` / `genctx` / `sigctx` become typed\n  WIT resources. Their `*_free` / `*_cleanup` C functions collapse\n  into the WIT resource destructor (guaranteed to run on drop).\n- C `int 0=fail / 1=ok` returns become `result\u003c_, pkey-error\u003e` /\n  `result\u003cT, pkey-error\u003e`. Output-buffer parameters (`siglen`,\n  `routlen`) become `result\u003clist\u003cu8\u003e, pkey-error\u003e`; insufficient-\n  buffer surfaces via `pkey-error::insufficient-buffer(u64)` so\n  callers can probe the required size and retry.\n\nBackfill (Phase 8) adds sibling interfaces for key-exchange, kdf, mac,\ndigest, cipher, kem, rand, encoder, decoder, store.\n\nPinned OpenSSL version\n----------------------\n\nThe WIT surface tracks **OpenSSL 3.6.2** (release date 2026-04-07, as\nshipped in `~/git/openssl-wasm/third_party/openssl/`).\n\n`core_dispatch.h` SHA-1 we're modeling against:\n**`c475666c52be37e02f0236cbe80ae3faaf54ed8b`** (from openssl-wasm's\nvendored tree).\n\nWhen OpenSSL 3.x adds new `OSSL_FUNC_*` IDs, bump the package version\nof the affected interface (semver-minor for additions, semver-major\nfor any signature change). Mismatched provider/host versions surface\nat link time, not at runtime.\n\nRelated repos (the full openssl-wasm component stack)\n-----------------------------------------------------\n\n| Layer | Repo | Role |\n|---|---|---|\n| Layer 1 (spec) | [openssl-provider-wit](https://github.com/tegmentum/openssl-provider-wit) | This repo — WIT mirror of the OpenSSL 3 provider ABI |\n| Layer 0 (consumer) | [openssl-wasm](https://github.com/tegmentum/openssl-wasm) | OpenSSL 3 compiled to wasm; imports this WIT; bridges OSSL_OP_* to WIT calls |\n| Layer 2 (OSSL adapter) | [simple-provider-adapter](https://github.com/tegmentum/simple-provider-adapter) | Exports openssl:provider-abi, imports narrow tegmentum:key-backend |\n| Layer 2 (STORE backend) | [pkcs11-store-adapter](https://github.com/tegmentum/pkcs11-store-adapter) | Exports openssl:store/store, imports pkcs11:host. Resolves pkcs11: URIs to cert DER + key-references. |\n| Layer 3 (key backend) | [pkcs11-bridge](https://github.com/tegmentum/pkcs11-bridge) | Exports tegmentum:key-backend, imports pkcs11:host |\n| Layer 4 (browser) | [pkcs11-gateway-adapter](https://github.com/tegmentum/pkcs11-gateway-adapter) | Exports pkcs11:host via tegmentum:pkcs11-tunnel (WebSocket) |\n| Bridge (Node) | [ws-gateway-server](https://github.com/tegmentum/ws-gateway-server) | Reference Node server for the KSW1 WebSocket tunnel |\n\nSee [ARCHITECTURE.md](ARCHITECTURE.md) for composition recipes.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftegmentum%2Fopenssl-provider-wit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftegmentum%2Fopenssl-provider-wit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftegmentum%2Fopenssl-provider-wit/lists"}