xref: /freebsd/crypto/openssl/doc/man3/EVP_PKEY_keygen.pod (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1=pod
2
3=head1 NAME
4
5EVP_PKEY_Q_keygen,
6EVP_PKEY_keygen_init, EVP_PKEY_paramgen_init, EVP_PKEY_generate,
7EVP_PKEY_CTX_set_cb, EVP_PKEY_CTX_get_cb,
8EVP_PKEY_CTX_get_keygen_info, EVP_PKEY_CTX_set_app_data,
9EVP_PKEY_CTX_get_app_data,
10EVP_PKEY_gen_cb,
11EVP_PKEY_paramgen, EVP_PKEY_keygen
12- key and parameter generation and check functions
13
14=head1 SYNOPSIS
15
16 #include <openssl/evp.h>
17
18 EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq,
19                             const char *type, ...);
20
21 int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
22 int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx);
23 int EVP_PKEY_generate(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
24 int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
25 int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
26
27 typedef int EVP_PKEY_gen_cb(EVP_PKEY_CTX *ctx);
28
29 void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb);
30 EVP_PKEY_gen_cb *EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX *ctx);
31
32 int EVP_PKEY_CTX_get_keygen_info(EVP_PKEY_CTX *ctx, int idx);
33
34 void EVP_PKEY_CTX_set_app_data(EVP_PKEY_CTX *ctx, void *data);
35 void *EVP_PKEY_CTX_get_app_data(EVP_PKEY_CTX *ctx);
36
37=head1 DESCRIPTION
38
39Generating keys is sometimes straight forward, just generate the key's
40numbers and be done with it.  However, there are certain key types that need
41key parameters, often called domain parameters but not necessarily limited
42to that, that also need to be generated.  In addition to this, the caller
43may want to set user provided generation parameters that further affect key
44parameter or key generation, such as the desired key size.
45
46To flexibly allow all that's just been described, key parameter and key
47generation is divided into an initialization of a key algorithm context,
48functions to set user provided parameters, and finally the key parameter or
49key generation function itself.
50
51The key algorithm context must be created using L<EVP_PKEY_CTX_new(3)> or
52variants thereof, see that manual for details.
53
54EVP_PKEY_keygen_init() initializes a public key algorithm context I<ctx>
55for a key generation operation.
56
57EVP_PKEY_paramgen_init() is similar to EVP_PKEY_keygen_init() except key
58parameters are generated.
59
60After initialization, generation parameters may be provided with
61L<EVP_PKEY_CTX_ctrl(3)> or L<EVP_PKEY_CTX_set_params(3)>, or any other
62function described in those manuals.
63
64EVP_PKEY_generate() performs the generation operation, the resulting key
65parameters or key are written to I<*ppkey>.  If I<*ppkey> is NULL when this
66function is called, it will be allocated, and should be freed by the caller
67when no longer useful, using L<EVP_PKEY_free(3)>.
68
69EVP_PKEY_paramgen() and EVP_PKEY_keygen() do exactly the same thing as
70EVP_PKEY_generate(), after checking that the corresponding EVP_PKEY_paramgen_init()
71or EVP_PKEY_keygen_init() was used to initialize I<ctx>.
72These are older functions that are kept for backward compatibility.
73It is safe to use EVP_PKEY_generate() instead.
74
75The function EVP_PKEY_set_cb() sets the key or parameter generation callback
76to I<cb>. The function EVP_PKEY_CTX_get_cb() returns the key or parameter
77generation callback.
78
79The function EVP_PKEY_CTX_get_keygen_info() returns parameters associated
80with the generation operation. If I<idx> is -1 the total number of
81parameters available is returned. Any non negative value returns the value of
82that parameter. EVP_PKEY_CTX_gen_keygen_info() with a nonnegative value for
83I<idx> should only be called within the generation callback.
84
85If the callback returns 0 then the key generation operation is aborted and an
86error occurs. This might occur during a time consuming operation where
87a user clicks on a "cancel" button.
88
89The functions EVP_PKEY_CTX_set_app_data() and EVP_PKEY_CTX_get_app_data() set
90and retrieve an opaque pointer. This can be used to set some application
91defined value which can be retrieved in the callback: for example a handle
92which is used to update a "progress dialog".
93
94EVP_PKEY_Q_keygen() abstracts from the explicit use of B<EVP_PKEY_CTX> while
95providing a 'quick' but limited way of generating a new asymmetric key pair.
96It provides shorthands for simple and common cases of key generation.
97As usual, the library context I<libctx> and property query I<propq>
98can be given for fetching algorithms from providers.
99If I<type> is C<RSA>,
100a B<size_t> parameter must be given to specify the size of the RSA key.
101If I<type> is C<EC>,
102a string parameter must be given to specify the name of the EC curve.
103If I<type> is C<X25519>, C<X448>, C<ED25519>, C<ED448>, or C<SM2>
104no further parameter is needed.
105
106=head1 RETURN VALUES
107
108EVP_PKEY_keygen_init(), EVP_PKEY_paramgen_init(), EVP_PKEY_keygen() and
109EVP_PKEY_paramgen() return 1 for success and 0 or a negative value for failure.
110In particular a return value of -2 indicates the operation is not supported by
111the public key algorithm.
112
113EVP_PKEY_Q_keygen() returns an B<EVP_PKEY>, or NULL on failure.
114
115=head1 NOTES
116
117After the call to EVP_PKEY_keygen_init() or EVP_PKEY_paramgen_init() algorithm
118specific control operations can be performed to set any appropriate parameters
119for the operation.
120
121The functions EVP_PKEY_keygen() and EVP_PKEY_paramgen() can be called more than
122once on the same context if several operations are performed using the same
123parameters.
124
125The meaning of the parameters passed to the callback will depend on the
126algorithm and the specific implementation of the algorithm. Some might not
127give any useful information at all during key or parameter generation. Others
128might not even call the callback.
129
130The operation performed by key or parameter generation depends on the algorithm
131used. In some cases (e.g. EC with a supplied named curve) the "generation"
132option merely sets the appropriate fields in an EVP_PKEY structure.
133
134In OpenSSL an EVP_PKEY structure containing a private key also contains the
135public key components and parameters (if any). An OpenSSL private key is
136equivalent to what some libraries call a "key pair". A private key can be used
137in functions which require the use of a public key or parameters.
138
139=head1 EXAMPLES
140
141Generate a 2048 bit RSA key:
142
143 #include <openssl/evp.h>
144 #include <openssl/rsa.h>
145
146 EVP_PKEY_CTX *ctx;
147 EVP_PKEY *pkey = NULL;
148
149 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
150 if (!ctx)
151     /* Error occurred */
152 if (EVP_PKEY_keygen_init(ctx) <= 0)
153     /* Error */
154 if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0)
155     /* Error */
156
157 /* Generate key */
158 if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
159     /* Error */
160
161Generate a key from a set of parameters:
162
163 #include <openssl/evp.h>
164 #include <openssl/rsa.h>
165
166 EVP_PKEY_CTX *ctx;
167 ENGINE *eng;
168 EVP_PKEY *pkey = NULL, *param;
169
170 /* Assumed param, eng are set up already */
171 ctx = EVP_PKEY_CTX_new(param, eng);
172 if (!ctx)
173     /* Error occurred */
174 if (EVP_PKEY_keygen_init(ctx) <= 0)
175     /* Error */
176
177 /* Generate key */
178 if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
179     /* Error */
180
181Example of generation callback for OpenSSL public key implementations:
182
183 /* Application data is a BIO to output status to */
184
185 EVP_PKEY_CTX_set_app_data(ctx, status_bio);
186
187 static int genpkey_cb(EVP_PKEY_CTX *ctx)
188 {
189     char c = '*';
190     BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
191     int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
192
193     if (p == 0)
194         c = '.';
195     if (p == 1)
196         c = '+';
197     if (p == 2)
198         c = '*';
199     if (p == 3)
200         c = '\n';
201     BIO_write(b, &c, 1);
202     (void)BIO_flush(b);
203     return 1;
204 }
205
206=head1 SEE ALSO
207
208L<EVP_RSA_gen(3)>, L<EVP_EC_gen(3)>,
209L<EVP_PKEY_CTX_new(3)>,
210L<EVP_PKEY_encrypt(3)>,
211L<EVP_PKEY_decrypt(3)>,
212L<EVP_PKEY_sign(3)>,
213L<EVP_PKEY_verify(3)>,
214L<EVP_PKEY_verify_recover(3)>,
215L<EVP_PKEY_derive(3)>
216
217=head1 HISTORY
218
219EVP_PKEY_keygen_init(), int EVP_PKEY_paramgen_init(), EVP_PKEY_keygen(),
220EVP_PKEY_paramgen(), EVP_PKEY_gen_cb(), EVP_PKEY_CTX_set_cb(),
221EVP_PKEY_CTX_get_cb(), EVP_PKEY_CTX_get_keygen_info(),
222EVP_PKEY_CTX_set_app_data() and EVP_PKEY_CTX_get_app_data() were added in
223OpenSSL 1.0.0.
224
225EVP_PKEY_Q_keygen() and EVP_PKEY_generate() were added in OpenSSL 3.0.
226
227=head1 COPYRIGHT
228
229Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
230
231Licensed under the Apache License 2.0 (the "License").  You may not use
232this file except in compliance with the License.  You can obtain a copy
233in the file LICENSE in the source distribution or at
234L<https://www.openssl.org/source/license.html>.
235
236=cut
237