1=pod 2 3=head1 NAME 4 5EVP_PKEY_Q_keygen, 6EVP_PKEY_keygen_init, EVP_PKEY_paramgen_init, EVP_PKEY_generate, 7EVP_PKEY_CTX_set_cb, EVP_PKEY_CTX_get_cb, 8EVP_PKEY_CTX_get_keygen_info, EVP_PKEY_CTX_set_app_data, 9EVP_PKEY_CTX_get_app_data, 10EVP_PKEY_gen_cb, 11EVP_PKEY_paramgen, EVP_PKEY_keygen 12- key and parameter generation and check functions 13 14=head1 SYNOPSIS 15 16 #include <openssl/evp.h> 17 18 EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq, 19 const char *type, ...); 20 21 int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx); 22 int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx); 23 int EVP_PKEY_generate(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); 24 int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); 25 int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey); 26 27 typedef int EVP_PKEY_gen_cb(EVP_PKEY_CTX *ctx); 28 29 void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb); 30 EVP_PKEY_gen_cb *EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX *ctx); 31 32 int EVP_PKEY_CTX_get_keygen_info(EVP_PKEY_CTX *ctx, int idx); 33 34 void EVP_PKEY_CTX_set_app_data(EVP_PKEY_CTX *ctx, void *data); 35 void *EVP_PKEY_CTX_get_app_data(EVP_PKEY_CTX *ctx); 36 37=head1 DESCRIPTION 38 39Generating keys is sometimes straight forward, just generate the key's 40numbers and be done with it. However, there are certain key types that need 41key parameters, often called domain parameters but not necessarily limited 42to that, that also need to be generated. In addition to this, the caller 43may want to set user provided generation parameters that further affect key 44parameter or key generation, such as the desired key size. 45 46To flexibly allow all that's just been described, key parameter and key 47generation is divided into an initialization of a key algorithm context, 48functions to set user provided parameters, and finally the key parameter or 49key generation function itself. 50 51The key algorithm context must be created using L<EVP_PKEY_CTX_new(3)> or 52variants thereof, see that manual for details. 53 54EVP_PKEY_keygen_init() initializes a public key algorithm context I<ctx> 55for a key generation operation. 56 57EVP_PKEY_paramgen_init() is similar to EVP_PKEY_keygen_init() except key 58parameters are generated. 59 60After initialization, generation parameters may be provided with 61L<EVP_PKEY_CTX_ctrl(3)> or L<EVP_PKEY_CTX_set_params(3)>, or any other 62function described in those manuals. 63 64EVP_PKEY_generate() performs the generation operation, the resulting key 65parameters or key are written to I<*ppkey>. If I<*ppkey> is NULL when this 66function is called, it will be allocated, and should be freed by the caller 67when no longer useful, using L<EVP_PKEY_free(3)>. 68 69EVP_PKEY_paramgen() and EVP_PKEY_keygen() do exactly the same thing as 70EVP_PKEY_generate(), after checking that the corresponding EVP_PKEY_paramgen_init() 71or EVP_PKEY_keygen_init() was used to initialize I<ctx>. 72These are older functions that are kept for backward compatibility. 73It is safe to use EVP_PKEY_generate() instead. 74 75The function EVP_PKEY_set_cb() sets the key or parameter generation callback 76to I<cb>. The function EVP_PKEY_CTX_get_cb() returns the key or parameter 77generation callback. 78 79The function EVP_PKEY_CTX_get_keygen_info() returns parameters associated 80with the generation operation. If I<idx> is -1 the total number of 81parameters available is returned. Any non negative value returns the value of 82that parameter. EVP_PKEY_CTX_gen_keygen_info() with a nonnegative value for 83I<idx> should only be called within the generation callback. 84 85If the callback returns 0 then the key generation operation is aborted and an 86error occurs. This might occur during a time consuming operation where 87a user clicks on a "cancel" button. 88 89The functions EVP_PKEY_CTX_set_app_data() and EVP_PKEY_CTX_get_app_data() set 90and retrieve an opaque pointer. This can be used to set some application 91defined value which can be retrieved in the callback: for example a handle 92which is used to update a "progress dialog". 93 94EVP_PKEY_Q_keygen() abstracts from the explicit use of B<EVP_PKEY_CTX> while 95providing a 'quick' but limited way of generating a new asymmetric key pair. 96It provides shorthands for simple and common cases of key generation. 97As usual, the library context I<libctx> and property query I<propq> 98can be given for fetching algorithms from providers. 99If I<type> is C<RSA>, 100a B<size_t> parameter must be given to specify the size of the RSA key. 101If I<type> is C<EC>, 102a string parameter must be given to specify the name of the EC curve. 103If I<type> is: 104C<ED25519>, 105C<ED448>, 106C<SM2>, 107C<X25519>, 108C<X448>, 109C<ML-DSA-44>, 110C<ML-DSA-65>, 111C<ML-DSA-87>, 112C<ML-KEM-512>, 113C<ML-KEM-768>, or 114C<ML-KEM-1024> 115no further parameters are needed. Other key types may be possible if they are 116supplied by the loaded providers. EVP_PKEY_Q_keygen() may be usable with such 117key types as long as they do not require further parameters. 118 119=head1 RETURN VALUES 120 121EVP_PKEY_keygen_init(), EVP_PKEY_paramgen_init(), EVP_PKEY_keygen() and 122EVP_PKEY_paramgen() return 1 for success and 0 or a negative value for failure. 123In particular a return value of -2 indicates the operation is not supported by 124the public key algorithm. 125 126EVP_PKEY_Q_keygen() returns an B<EVP_PKEY>, or NULL on failure. 127 128=head1 NOTES 129 130After the call to EVP_PKEY_keygen_init() or EVP_PKEY_paramgen_init() algorithm 131specific control operations can be performed to set any appropriate parameters 132for the operation. 133 134The functions EVP_PKEY_keygen() and EVP_PKEY_paramgen() can be called more than 135once on the same context if several operations are performed using the same 136parameters. 137 138The meaning of the parameters passed to the callback will depend on the 139algorithm and the specific implementation of the algorithm. Some might not 140give any useful information at all during key or parameter generation. Others 141might not even call the callback. 142 143The operation performed by key or parameter generation depends on the algorithm 144used. In some cases (e.g. EC with a supplied named curve) the "generation" 145option merely sets the appropriate fields in an EVP_PKEY structure. 146 147In OpenSSL an EVP_PKEY structure containing a private key also contains the 148public key components and parameters (if any). An OpenSSL private key is 149equivalent to what some libraries call a "key pair". A private key can be used 150in functions which require the use of a public key or parameters. 151 152=head1 EXAMPLES 153 154Generate a 2048 bit RSA key: 155 156 #include <openssl/evp.h> 157 #include <openssl/rsa.h> 158 159 EVP_PKEY_CTX *ctx; 160 EVP_PKEY *pkey = NULL; 161 162 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); 163 if (!ctx) 164 /* Error occurred */ 165 if (EVP_PKEY_keygen_init(ctx) <= 0) 166 /* Error */ 167 if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0) 168 /* Error */ 169 170 /* Generate key */ 171 if (EVP_PKEY_keygen(ctx, &pkey) <= 0) 172 /* Error */ 173 174Generate a key from a set of parameters: 175 176 #include <openssl/evp.h> 177 #include <openssl/rsa.h> 178 179 EVP_PKEY_CTX *ctx; 180 ENGINE *eng; 181 EVP_PKEY *pkey = NULL, *param; 182 183 /* Assumed param, eng are set up already */ 184 ctx = EVP_PKEY_CTX_new(param, eng); 185 if (!ctx) 186 /* Error occurred */ 187 if (EVP_PKEY_keygen_init(ctx) <= 0) 188 /* Error */ 189 190 /* Generate key */ 191 if (EVP_PKEY_keygen(ctx, &pkey) <= 0) 192 /* Error */ 193 194Example of generation callback for OpenSSL public key implementations: 195 196 /* Application data is a BIO to output status to */ 197 198 EVP_PKEY_CTX_set_app_data(ctx, status_bio); 199 200 static int genpkey_cb(EVP_PKEY_CTX *ctx) 201 { 202 char c = '*'; 203 BIO *b = EVP_PKEY_CTX_get_app_data(ctx); 204 int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); 205 206 if (p == 0) 207 c = '.'; 208 if (p == 1) 209 c = '+'; 210 if (p == 2) 211 c = '*'; 212 if (p == 3) 213 c = '\n'; 214 BIO_write(b, &c, 1); 215 (void)BIO_flush(b); 216 return 1; 217 } 218 219=head1 SEE ALSO 220 221L<EVP_RSA_gen(3)>, L<EVP_EC_gen(3)>, 222L<EVP_PKEY_CTX_new(3)>, 223L<EVP_PKEY_encrypt(3)>, 224L<EVP_PKEY_decrypt(3)>, 225L<EVP_PKEY_sign(3)>, 226L<EVP_PKEY_verify(3)>, 227L<EVP_PKEY_verify_recover(3)>, 228L<EVP_PKEY_derive(3)> 229 230=head1 HISTORY 231 232EVP_PKEY_keygen_init(), int EVP_PKEY_paramgen_init(), EVP_PKEY_keygen(), 233EVP_PKEY_paramgen(), EVP_PKEY_gen_cb(), EVP_PKEY_CTX_set_cb(), 234EVP_PKEY_CTX_get_cb(), EVP_PKEY_CTX_get_keygen_info(), 235EVP_PKEY_CTX_set_app_data() and EVP_PKEY_CTX_get_app_data() were added in 236OpenSSL 1.0.0. 237 238EVP_PKEY_Q_keygen() and EVP_PKEY_generate() were added in OpenSSL 3.0. 239 240=head1 COPYRIGHT 241 242Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved. 243 244Licensed under the Apache License 2.0 (the "License"). You may not use 245this file except in compliance with the License. You can obtain a copy 246in the file LICENSE in the source distribution or at 247L<https://www.openssl.org/source/license.html>. 248 249=cut 250