Difference between revisions of "EVP Key and Parameter Generation"

From OpenSSLWiki

Latest revision as of 11:58, 12 February 2021

{{DocInclude |Name=Key and Parameter Generation |Url=http://wiki.ope

The EVP functions support the ability to generate parameters and keys if required for EVP_PKEY objects. Since these functions use random numbers, you should ensure that the random number generator is appropriately seeded, as discussed on the Random Numbers page.

Parameter Generation

Parameter generation is supported for the following EVP_PKEY types only:

  • EVP_PKEY_EC (for ECDSA and ECDH keys)
  • EVP_PKEY_DSA
  • EVP_PKEY_DH

The following sample code shows an example of how to generate parameters for each of these key types:

/* Create the context for generating the parameters.
 * type is one of EVP_PKEY_EC, EVP_PKEY_DSA or EVP_PKEY_DH; the generated
 * parameters are returned in params. */
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY *params = NULL;
if(!(pctx = EVP_PKEY_CTX_new_id(type, NULL))) goto err;
/* The EVP_PKEY_CTX_* functions return 1 on success and 0 or a negative value
 * on failure (e.g. -2 for "not supported"), so test for <= 0 rather than !result */
if(EVP_PKEY_paramgen_init(pctx) <= 0) goto err;

/* Set the paramgen parameters according to the type */
switch(type)
{
case EVP_PKEY_EC:
  /* Use the NID_X9_62_prime256v1 named curve - defined in obj_mac.h */
  if(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1) <= 0) goto err;
  break;

case EVP_PKEY_DSA:
  /* Set a bit length of 2048 */
  if(EVP_PKEY_CTX_set_dsa_paramgen_bits(pctx, 2048) <= 0) goto err;
  break;

case EVP_PKEY_DH:
  /* Set a prime length of 2048 */
  if(EVP_PKEY_CTX_set_dh_paramgen_prime_len(pctx, 2048) <= 0) goto err;
  break;

default:
  /* Parameter generation is only supported for the three types above */
  goto err;
}

/* Generate parameters */
if (EVP_PKEY_paramgen(pctx, &params) <= 0) goto err;

Key Generation

The following sample code shows an example of how to generate keys with the exception of EVP_PKEY_HMAC and EVP_PKEY_CMAC keys:

EVP_PKEY_CTX *kctx = NULL;
EVP_PKEY *key = NULL;

/* params is the EVP_PKEY returned by EVP_PKEY_paramgen above, or NULL for
 * key types (such as RSA) that have no separate parameter generation step */
if(params != NULL)
{
  if(!(kctx = EVP_PKEY_CTX_new(params, NULL))) goto err;
}
else
{
  /* Create context for the key generation */
  if(!(kctx = EVP_PKEY_CTX_new_id(type, NULL))) goto err;
}

if(EVP_PKEY_keygen_init(kctx) <= 0) goto err;

/* RSA keys set the key length during key generation rather than parameter generation! */
if(type == EVP_PKEY_RSA)
{
  if(EVP_PKEY_CTX_set_rsa_keygen_bits(kctx, 2048) <= 0) goto err;
}

/* Generate the key */
if (EVP_PKEY_keygen(kctx, &key) <= 0) goto err;

CMAC keys are generated in a similar fashion (see EVP Signing and Verifying for information on generating MAC codes):

/* EVP_PKEY_CMAC is the OpenSSL 1.0/1.1 interface; OpenSSL 3.0 deprecates it in favour of EVP_MAC */
EVP_PKEY_CTX *kctx = NULL;
EVP_PKEY *key = NULL;
if(!(kctx = EVP_PKEY_CTX_new_id(EVP_PKEY_CMAC, NULL))) goto err;

if(EVP_PKEY_keygen_init(kctx) <= 0) goto err;

/* Set the cipher to be used for the CMAC */
if (EVP_PKEY_CTX_ctrl(kctx, -1, EVP_PKEY_OP_KEYGEN,
  EVP_PKEY_CTRL_CIPHER,
  0, (void *)EVP_aes_256_ecb()) <= 0)
  goto err;

/* Set the key data to be used for the CMAC: 32 bytes to match AES-256 */
if (EVP_PKEY_CTX_ctrl(kctx, -1, EVP_PKEY_OP_KEYGEN,
  EVP_PKEY_CTRL_SET_MAC_KEY,
  /*key length*/32, "01234567890123456789012345678901") <= 0)
  goto err;

/* Generate the key */
if (EVP_PKEY_keygen(kctx, &key) <= 0) goto err;

HMAC keys can be generated in the same way as for CMAC keys but do not take a cipher. A convenience function which wraps this process exists to simplify HMAC key generation:

/* The key argument is const unsigned char *, so cast the string literal */
key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, (const unsigned char *)"password", strlen("password"));

See also