I just stumbled back on EVP_KEYEXCH and was reminded that we have the same implicit fetch construct there as we have with EVP_SIGNATURE... is this something I should address in this design as well?

Side note: I really hate our mixed header style rule for markdown (we use :setext_with_atx, see the mdlint header rules. It's jarring, at least to my eyes.

I just stumbled back on EVP_KEYEXCH and was reminded that we have the same implicit fetch construct there as we have with EVP_SIGNATURE... is this something I should address in this design as well?

It would be nice to have it all dealt with in the same way. Don't we have the same issue for asymcipher too?

#22140 might be relevant here too.

#22140 might be relevant here too.

Yes and no. This PR is a bit myopic in the sense that it's an answer to the information you get through the AlgorithmIndentifier.algorithm OID. I'd rather keep it to that scope, and deal with alternative complications elsewhere.

I think I've filled in all the missing pieces at this point, as indicated by @mattcaswell's comments. If something is still missing, I'd like to hear about it.

There's one thing I hadn't thought of yet, but that might be suitable in some cases: having a public API for querying the key type to be used with an algorithm.

This would be useful, I imagine, for any application that holds a number of different keys, one per key type, and for which it would make sense to find the proper key to use with an algorithm, without having to try to init the operation with each key until one goes through fine.
libssl code would be seen as such an application, no?

Should I add something about that?

This pull request is ready to merge

Merged