Difference between revisions of "EVP Key and Parameter Generation"

From OpenSSLWiki
Latest revision as of 11:58, 12 February 2021


The EVP functions support the ability to generate parameters and keys if required for EVP_PKEY objects. Since these functions use random numbers, you should ensure that the random number generator is appropriately seeded, as discussed on the Random Numbers page.

Parameter Generation

Parameter generation is supported for the following EVP_PKEY types only:

  • EVP_PKEY_EC (for ECDSA and ECDH keys)
  • EVP_PKEY_DSA
  • EVP_PKEY_DH

The following sample code shows an example of how to generate parameters for each of these key types:

/* Create the context for generating the parameters.
 * type is one of EVP_PKEY_EC, EVP_PKEY_DSA or EVP_PKEY_DH. */
EVP_PKEY_CTX* pctx;
EVP_PKEY* params = NULL;
if(!(pctx = EVP_PKEY_CTX_new_id(type, NULL))) goto err;
if(!EVP_PKEY_paramgen_init(pctx)) goto err;

/* Set the paramgen parameters according to the type */
switch(type)
{
case EVP_PKEY_EC:
  /* Use the NID_X9_62_prime256v1 named curve - defined in obj_mac.h */
  if(!EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1)) goto err;
  break;

case EVP_PKEY_DSA:
  /* Set a bit length of 2048 */
  if(!EVP_PKEY_CTX_set_dsa_paramgen_bits(pctx, 2048)) goto err;
  break;

case EVP_PKEY_DH:
  /* Set a prime length of 2048 */
  if(!EVP_PKEY_CTX_set_dh_paramgen_prime_len(pctx, 2048)) goto err;
  break;
}

/* Generate parameters */
if (!EVP_PKEY_paramgen(pctx, &params)) goto err;

Key Generation

The following sample code shows how to generate keys for every type except EVP_PKEY_HMAC and EVP_PKEY_CMAC. Here params is the EVP_PKEY produced by the parameter generation step above, or NULL for types that have no separate parameter step:

EVP_PKEY_CTX* kctx = NULL;
EVP_PKEY* key = NULL;
if(params != NULL)
{
  /* Create context for the key generation from the generated parameters */
  if(!(kctx = EVP_PKEY_CTX_new(params, NULL))) goto err;
}
else
{
  /* Create context for the key generation from the key type alone */
  if(!(kctx = EVP_PKEY_CTX_new_id(type, NULL))) goto err;
}

if(!EVP_PKEY_keygen_init(kctx)) goto err;

/* RSA keys set the key length during key generation rather than parameter generation! */
if(type == EVP_PKEY_RSA)
{
  if(!EVP_PKEY_CTX_set_rsa_keygen_bits(kctx, 2048)) goto err;
}

/* Generate the key */
if (!EVP_PKEY_keygen(kctx, &key)) goto err;

CMAC keys are generated in a similar fashion (see EVP Signing and Verifying for information on generating MAC codes):

/* Create the key generation context; type is EVP_PKEY_CMAC here */
if(!(kctx = EVP_PKEY_CTX_new_id(type, NULL))) goto err;

if(!EVP_PKEY_keygen_init(kctx)) goto err;

/* Set the cipher to be used for the CMAC */
if (EVP_PKEY_CTX_ctrl(kctx, -1, EVP_PKEY_OP_KEYGEN,
  EVP_PKEY_CTRL_CIPHER,
  0, (void *)EVP_aes_256_ecb()) <= 0)
  goto err;

/* Set the key data to be used for the CMAC (32 bytes, the AES-256 key size) */
if (EVP_PKEY_CTX_ctrl(kctx, -1, EVP_PKEY_OP_KEYGEN,
  EVP_PKEY_CTRL_SET_MAC_KEY,
  /*key length*/32, "01234567890123456789012345678901") <= 0)
  goto err;

/* Generate the key */
if (!EVP_PKEY_keygen(kctx, &key)) goto err;

HMAC keys can be generated in the same way as for CMAC keys but do not take a cipher. A convenience function which wraps this process exists to simplify HMAC key generation:

key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, "password", strlen("password"));

See also

  • EVP
  • Libcrypto API
  • EVP Symmetric Encryption and Decryption
  • EVP Authenticated Encryption and Decryption
  • EVP Asymmetric Encryption and Decryption of an Envelope
  • EVP Signing and Verifying
  • EVP Message Digests
  • EVP Key Agreement