Standard preamble:
========================================================================
..
.... Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. \*(C+ will
give a nicer C++. Capital omega is used to do unbreakable dashes and
therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
nothing in troff, for use with C<>.
.tr \(*W- . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.
If the F register is >0, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.
Avoid warning from groff about undefined register 'F'.
.. .nr rF 0 . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ========================================================================
Title "EVP_PKEY-DH 7ossl"
way too many mistakes in technical documents.
See \s-1EVP_PKEY-FFC\s0\|(7) for more information about \s-1FFC\s0 keys.
The \s-1DH\s0 key type uses PKCS#3 format which saves p and g, but not the \fIq value. The \s-1DHX\s0 key type uses X9.42 format which saves the value of q and this must be used for \s-1FIPS186-4.\s0 If key validation is required, users should be aware of the nuances associated with \s-1FIPS186-4\s0 style parameters as discussed in \*(L"\s-1DH\s0 key validation\*(R".
Item "fips186_4"
0 Item "default" Item "fips186_2"
These are described in \*(L"\s-1FFC\s0 key generation parameters\*(R" in \s-1EVP_PKEY-FFC\s0\|(7) Item "group" This specifies that a named safe prime name will be chosen using the \*(L"pbits\*(R" type. Item "generator" A safe prime generator. See the \*(L"safeprime-generator\*(R" type above. This is only valid for \s-1DH\s0 keys.
For \s-1DH\s0 keys, EVP_PKEY_param_check\|(3) behaves in the following way: The OpenSSL \s-1FIPS\s0 provider tests if the parameters are either an approved safe prime group \s-1OR\s0 that the \s-1FFC\s0 parameters conform to \s-1FIPS186-4\s0 as defined in SP800-56Ar3 Assurances of Domain-Parameter Validity. The OpenSSL default provider uses simpler checks that allows there to be no q value for backwards compatibility.
For \s-1DH\s0 keys, EVP_PKEY_param_check_quick\|(3) is equivalent to \fBEVP_PKEY_param_check\|(3).
For \s-1DH\s0 keys, EVP_PKEY_public_check\|(3) conforms to SP800-56Ar3 \s-1FFC\s0 Full Public-Key Validation.
For \s-1DH\s0 keys, EVP_PKEY_public_check_quick\|(3) conforms to SP800-56Ar3 \s-1FFC\s0 Partial Public-Key Validation when the \s-1DH\s0 key is an approved named safe prime group, otherwise it is the same as \fBEVP_PKEY_public_check\|(3).
For \s-1DH\s0 Keys, EVP_PKEY_private_check\|(3) tests that the private key is in the correct range according to SP800-56Ar3. The OpenSSL \s-1FIPS\s0 provider requires the value of q to be set (note that this is set for named safe prime groups). For backwards compatibility the OpenSSL default provider only requires p to be set.
For \s-1DH\s0 keys, EVP_PKEY_pairwise_check\|(3) conforms to SP800-56Ar3 Owner Assurance of Pair-wise Consistency.
.Vb 1 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); .Ve
A \s-1DH\s0 key can be generated with a named safe prime group by calling:
.Vb 4 int priv_len = 2 * 112; OSSL_PARAM params[3]; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); \& params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0); /* "priv_len" is optional */ params[1] = OSSL_PARAM_construct_int("priv_len", &priv_len); params[2] = OSSL_PARAM_construct_end(); \& EVP_PKEY_keygen_init(pctx); EVP_PKEY_CTX_set_params(pctx, params); EVP_PKEY_generate(pctx, &pkey); ... EVP_PKEY_free(pkey); EVP_PKEY_CTX_free(pctx); .Ve
\fB\s-1DHX\s0 domain parameters can be generated according to \s-1FIPS186-4\s0 by calling:
.Vb 6 int gindex = 2; unsigned int pbits = 2048; unsigned int qbits = 256; OSSL_PARAM params[6]; EVP_PKEY *param_key = NULL; EVP_PKEY_CTX *pctx = NULL; \& pctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL); EVP_PKEY_paramgen_init(pctx); \& params[0] = OSSL_PARAM_construct_uint("pbits", &pbits); params[1] = OSSL_PARAM_construct_uint("qbits", &qbits); params[2] = OSSL_PARAM_construct_int("gindex", &gindex); params[3] = OSSL_PARAM_construct_utf8_string("type", "fips186_4", 0); params[4] = OSSL_PARAM_construct_utf8_string("digest", "SHA256", 0); params[5] = OSSL_PARAM_construct_end(); EVP_PKEY_CTX_set_params(pctx, params); \& EVP_PKEY_generate(pctx, ¶m_key); \& EVP_PKEY_print_params(bio_out, param_key, 0, NULL); ... EVP_PKEY_free(param_key); EVP_PKEY_CTX_free(pctx); .Ve
A \s-1DH\s0 key can be generated using domain parameters by calling:
.Vb 2 EVP_PKEY *key = NULL; EVP_PKEY_CTX *gctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_key, NULL); \& EVP_PKEY_keygen_init(gctx); EVP_PKEY_generate(gctx, &key); EVP_PKEY_print_private(bio_out, key, 0, NULL); ... EVP_PKEY_free(key); EVP_PKEY_CTX_free(gctx); .Ve
To validate \s-1FIPS186-4\s0 \s-1DHX\s0 domain parameters decoded from \s-1PEM\s0 or \fB\s-1DER\s0 data, additional values used during generation may be required to be set into the key.
\fBEVP_PKEY_todata(), OSSL_PARAM_merge(), and EVP_PKEY_fromdata() are useful to add these parameters to the original key or domain parameters before the actual validation. In production code the return values should be checked.
.Vb 11 EVP_PKEY *received_domp = ...; /* parameters received and decoded */ unsigned char *seed = ...; /* and additional parameters received */ size_t seedlen = ...; /* by other means, required */ int gindex = ...; /* for the validation */ int pcounter = ...; int hindex = ...; OSSL_PARAM extra_params[4]; OSSL_PARAM *domain_params = NULL; OSSL_PARAM *merged_params = NULL; EVP_PKEY_CTX *ctx = NULL, *validate_ctx = NULL; EVP_PKEY *complete_domp = NULL; \& EVP_PKEY_todata(received_domp, OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, &domain_params); extra_params[0] = OSSL_PARAM_construct_octet_string("seed", seed, seedlen); /* * NOTE: For unverifiable g use "hindex" instead of "gindex" * extra_params[1] = OSSL_PARAM_construct_int("hindex", &hindex); */ extra_params[1] = OSSL_PARAM_construct_int("gindex", &gindex); extra_params[2] = OSSL_PARAM_construct_int("pcounter", &pcounter); extra_params[3] = OSSL_PARAM_construct_end(); merged_params = OSSL_PARAM_merge(domain_params, extra_params); \& ctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL); EVP_PKEY_fromdata_init(ctx); EVP_PKEY_fromdata(ctx, &complete_domp, OSSL_KEYMGMT_SELECT_ALL, merged_params); \& validate_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, complete_domp, NULL); if (EVP_PKEY_param_check(validate_ctx) > 0) /* validation_passed(); */ else /* validation_failed(); */ \& OSSL_PARAM_free(domain_params); OSSL_PARAM_free(merged_params); EVP_PKEY_CTX_free(ctx); EVP_PKEY_CTX_free(validate_ctx); EVP_PKEY_free(complete_domp); .Ve
0
The following sections of SP800-56Ar3:
0
The following sections of \s-1FIPS186-4:\s0
0
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.