EVP_PKEY-DSA, EVP_KEYMGMT-DSA, EVP_PKEY-DH, EVP_KEYMGMT-DH - EVP_PKEY DSA and DH keytype and algorithm support
The DSA and DH keytypes are implemented in OpenSSL's default and FIPS providers. The implementations support the basic DSA and DH keys, containing the public and private keys pub and priv as well as the three main domain parameters p, q and g.
Finite field cryptography (FFC) is a method of implementing discrete logarithm cryptography using finite field mathematics. DSA is an example of FFC and Diffie-Hellman key establishment algorithms specified in SP800-56A can also be implemented as FFC.
For DH FFC key agreement, two classes of domain parameters can be used: "safe" domain parameters that are associated with approved named safe-prime groups, and a class of "FIPS 186-type" domain parameters. FIPS 186-type domain parameters should only be used for backward compatibility with existing applications that cannot be upgraded to use the approved safe-prime groups.
For DSA (and DH that is not a named group) the FIPS186-4 standard specifies that the values used for FFC parameter generation are also required for parameter validation. This means that optional FFC domain parameter values for seed, pcounter and gindex may need to be stored for validation purposes. For DH the seed and pcounter can be stored in ASN1 data (but the gindex is not). For DSA however, these fields are not stored in the ASN1 data so they need to be stored externally if validation is required.
A string that associates a DH named safe prime group with known values for p, q and g.
The following values can be used by the default and OpenSSL's FIPS providers: "ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144", "ffdhe8192", "modp_2048", "modp_3072", "modp_4096", "modp_6144", "modp_8192".
The following additional values can also be used by the default provider: "modp_1536", "dh_1024_160", "dh_2048_224", "dh_2048_256".
DH named groups can be easily validated since the parameters are well known. For protocols that only transfer p and g the value of q can also be retrieved.
Used for DH generation of safe primes using the old generator code. It is recommended to use a named safe prime group instead, if domain parameter validation is required. The default value is 2.
These are not named safe prime groups so setting this value for the OpenSSL FIPS provider will instead choose a named safe prime group based on the size of p.
In addition to the common parameters that all keytypes should support (see "pub" (OSSL_PKEY_PARAM_PUB_KEY) <unsigned integer>
The public key value. The private key value. A DSA or Diffie-Hellman prime "p" value. A DSA or Diffie-Hellman prime "q" value. A DSA or Diffie-Hellman generator "g" value. An optional domain parameter seed value used during generation and validation of p, q and canonical g. For validation this needs to set the seed that was produced during generation. Sets the index to use for canonical generation and verification of the generator g. Set this to a positive value from 0..FF to use this mode. This gindex can then be reused during key validation to verify the value of g. If this value is not set or is -1 then unverifiable generation of the generator g will be used. An optional domain parameter counter value that is output during generation of p. This value must be saved if domain parameter validation is required. For unverifiable generation of the generator g this value is output during generation of g. Its value is the first integer larger than one that satisfies g = h^j mod p (where g != 1 and "j" is the cofactor). An optional informational cofactor parameter that should equal (p - 1) / q. The following Key Generation types are available for the built-in FFC algorithms: Sets the type of parameter generation. For DH Valid values are: The current standard. This is the default value. This is an alias to use the latest implemented standard. It is currently set to "fips186_4". This specifies that a named safe prime name will be chosen using the "pbits" type. The old standard that should only be used for legacy purposes. A safe prime generator. See the "safeprime-generator" type. For DSA valid values are one of "default", "fips186_4" or "fips186_2" as described above. Sets the size (in bits) of the prime 'p'. For "fips186_4" this must be 2048 for DH, and either of 2048 or 3072 for DSA. For "fips186_2" this must be 1024. For "group" this can be any one of 2048, 3072, 4096, 6144 or 8192. Sets the size (in bits) of the prime 'q'. For "fips186_4" this can be either 224 or 256. For "fips186_2" this has a size of 160. Sets the Digest algorithm to be used as part of the Key Generation Function associated with the given Key Generation ctx. This must also be set for key validation. Sets properties to be used upon look up of the implementation for the selected Digest algorithm for the Key Generation Function associated with the given key generation ctx. This may also be set for key validation. For "fips186_4" or "fips186_2" generation this sets the seed data to use instead of generating a random seed internally. This should be used for testing purposes only. This will either produce fixed values for the generated parameters OR it will fail if the seed did not generate valid primes. These types are described above. The following sections of SP800-56Ar3: The following sections of FIPS 186-4: EVP_PKEY(3), OSSL_PROVIDER-default(7), EVP_SIGNATURE-DSA(7), COPYRIGHT
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.DSA / DH key generation (FFC) parameters
CONFORMING TO
SEE ALSO