首页 发现 帮助
登录
OWEALs
/
openssl
镜像自地址 git://git.openssl.org/openssl.git
2
0
派生 0
文件 工单管理 1 Wiki
分支: openssl-3.3
分支列表 标签列表
openssl
/
doc
/
man7
/
EVP_PKEY-RSA.pod

EVP_PKEY-RSA.pod 9.2 KB
永久链接 文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283 
  1. =pod
    2. 

  2. 

  3. =head1 NAME
    4. 

  4. 

  5. EVP_PKEY-RSA, EVP_KEYMGMT-RSA, RSA
    6. 

  6. - EVP_PKEY RSA keytype and algorithm support
    7. 

  7. 

  8. =head1 DESCRIPTION
    9. 

  9. 

  10. The B<RSA> keytype is implemented in OpenSSL's default and FIPS providers.
    11. 

  11. That implementation supports the basic RSA keys, containing the modulus I<n>,
    12. 

  12. the public exponent I<e>, the private exponent I<d>, and a collection of prime
    13. 

  13. factors, exponents and coefficient for CRT calculations, of which the first
    14. 

  14. few are known as I<p> and I<q>, I<dP> and I<dQ>, and I<qInv>.
    15. 

  15. 

  16. =head2 Common RSA parameters
    17. 

  17. 

  18. In addition to the common parameters that all keytypes should support (see
    19. 

  19. L<provider-keymgmt(7)/Common parameters>), the B<RSA> keytype implementation
    20. 

  20. supports the following.
    21. 

  21. 

  22. =over 4
    23. 

  23. 

  24. =item "n" (B<OSSL_PKEY_PARAM_RSA_N>) <unsigned integer>
    25. 

  25. 

  26. The RSA modulus "n" value.
    27. 

  27. 

  28. =item "e" (B<OSSL_PKEY_PARAM_RSA_E>) <unsigned integer>
    29. 

  29. 

  30. The RSA public exponent "e" value.
    31. 

  31. This value must always be set when creating a raw key using L<EVP_PKEY_fromdata(3)>.
    32. 

  32. Note that when a decryption operation is performed, that this value is used for
    33. 

  33. blinding purposes to prevent timing attacks.
    34. 

  34. 

  35. =item "d" (B<OSSL_PKEY_PARAM_RSA_D>) <unsigned integer>
    36. 

  36. 

  37. The RSA private exponent "d" value.
    38. 

  38. 

  39. =item "rsa-factor1" (B<OSSL_PKEY_PARAM_RSA_FACTOR1>) <unsigned integer>
    40. 

  40. 

  41. =item "rsa-factor2" (B<OSSL_PKEY_PARAM_RSA_FACTOR2>) <unsigned integer>
    42. 

  42. 

  43. =item "rsa-factor3" (B<OSSL_PKEY_PARAM_RSA_FACTOR3>) <unsigned integer>
    44. 

  44. 

  45. =item "rsa-factor4" (B<OSSL_PKEY_PARAM_RSA_FACTOR4>) <unsigned integer>
    46. 

  46. 

  47. =item "rsa-factor5" (B<OSSL_PKEY_PARAM_RSA_FACTOR5>) <unsigned integer>
    48. 

  48. 

  49. =item "rsa-factor6" (B<OSSL_PKEY_PARAM_RSA_FACTOR6>) <unsigned integer>
    50. 

  50. 

  51. =item "rsa-factor7" (B<OSSL_PKEY_PARAM_RSA_FACTOR7>) <unsigned integer>
    52. 

  52. 

  53. =item "rsa-factor8" (B<OSSL_PKEY_PARAM_RSA_FACTOR8>) <unsigned integer>
    54. 

  54. 

  55. =item "rsa-factor9" (B<OSSL_PKEY_PARAM_RSA_FACTOR9>) <unsigned integer>
    56. 

  56. 

  57. =item "rsa-factor10" (B<OSSL_PKEY_PARAM_RSA_FACTOR10>) <unsigned integer>
    58. 

  58. 

  59. RSA prime factors. The factors are known as "p", "q" and "r_i" in RFC8017.
    60. 

  60. Up to eight additional "r_i" prime factors are supported.
    61. 

  61. 

  62. =item "rsa-exponent1" (B<OSSL_PKEY_PARAM_RSA_EXPONENT1>) <unsigned integer>
    63. 

  63. 

  64. =item "rsa-exponent2" (B<OSSL_PKEY_PARAM_RSA_EXPONENT2>) <unsigned integer>
    65. 

  65. 

  66. =item "rsa-exponent3" (B<OSSL_PKEY_PARAM_RSA_EXPONENT3>) <unsigned integer>
    67. 

  67. 

  68. =item "rsa-exponent4" (B<OSSL_PKEY_PARAM_RSA_EXPONENT4>) <unsigned integer>
    69. 

  69. 

  70. =item "rsa-exponent5" (B<OSSL_PKEY_PARAM_RSA_EXPONENT5>) <unsigned integer>
    71. 

  71. 

  72. =item "rsa-exponent6" (B<OSSL_PKEY_PARAM_RSA_EXPONENT6>) <unsigned integer>
    73. 

  73. 

  74. =item "rsa-exponent7" (B<OSSL_PKEY_PARAM_RSA_EXPONENT7>) <unsigned integer>
    75. 

  75. 

  76. =item "rsa-exponent8" (B<OSSL_PKEY_PARAM_RSA_EXPONENT8>) <unsigned integer>
    77. 

  77. 

  78. =item "rsa-exponent9" (B<OSSL_PKEY_PARAM_RSA_EXPONENT9>) <unsigned integer>
    79. 

  79. 

  80. =item "rsa-exponent10" (B<OSSL_PKEY_PARAM_RSA_EXPONENT10>) <unsigned integer>
    81. 

  81. 

  82. RSA CRT (Chinese Remainder Theorem) exponents. The exponents are known
    83. 

  83. as "dP", "dQ" and "d_i" in RFC8017.
    84. 

  84. Up to eight additional "d_i" exponents are supported.
    85. 

  85. 

  86. =item "rsa-coefficient1" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT1>) <unsigned integer>
    87. 

  87. 

  88. =item "rsa-coefficient2" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT2>) <unsigned integer>
    89. 

  89. 

  90. =item "rsa-coefficient3" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT3>) <unsigned integer>
    91. 

  91. 

  92. =item "rsa-coefficient4" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT4>) <unsigned integer>
    93. 

  93. 

  94. =item "rsa-coefficient5" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT5>) <unsigned integer>
    95. 

  95. 

  96. =item "rsa-coefficient6" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT6>) <unsigned integer>
    97. 

  97. 

  98. =item "rsa-coefficient7" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT7>) <unsigned integer>
    99. 

  99. 

  100. =item "rsa-coefficient8" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT8>) <unsigned integer>
    101. 

  101. 

  102. =item "rsa-coefficient9" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT9>) <unsigned integer>
    103. 

  103. 

  104. RSA CRT (Chinese Remainder Theorem) coefficients. The coefficients are known as
    105. 

  105. "qInv" and "t_i".
    106. 

  106. Up to eight additional "t_i" exponents are supported.
    107. 

  107. 

  108. =back
    109. 

  109. 

  110. =head2 RSA key generation parameters
    111. 

  111. 

  112. When generating RSA keys, the following key generation parameters may be used.
    113. 

  113. 

  114. =over 4
    115. 

  115. 

  116. =item "bits" (B<OSSL_PKEY_PARAM_RSA_BITS>) <unsigned integer>
    117. 

  117. 

  118. The value should be the cryptographic length for the B<RSA> cryptosystem, in
    119. 

  119. bits.
    120. 

  120. 

  121. =item "primes" (B<OSSL_PKEY_PARAM_RSA_PRIMES>) <unsigned integer>
    122. 

  122. 

  123. The value should be the number of primes for the generated B<RSA> key.  The
    124. 

  124. default is 2.  It isn't permitted to specify a larger number of primes than
    125. 

  125. 10.  Additionally, the number of primes is limited by the length of the key
    126. 

  126. being generated so the maximum number could be less.
    127. 

  127. Some providers may only support a value of 2.
    128. 

  128. 

  129. =item "e" (B<OSSL_PKEY_PARAM_RSA_E>) <unsigned integer>
    130. 

  130. 

  131. The RSA "e" value. The value may be any odd number greater than or equal to
    132. 

  132. 65537. The default value is 65537.
    133. 

  133. For legacy reasons a value of 3 is currently accepted but is deprecated.
    134. 

  134. 

  135. =item "rsa-derive-from-pq"  (B<OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ>) <unsigned integer>
    136. 

  136. 

  137. Indicate that missing parameters not passed in the parameter list should be
    138. 

  138. derived if not provided.  Setting a nonzero value will cause all
    139. 

  139. needed exponents and coefficients to be derived if not available.  Setting this
    140. 

  140. option requires at least OSSL_PARAM_RSA_FACTOR1, OSSL_PARAM_RSA_FACTOR2,
    141. 

  141. and OSSL_PARAM_RSA_N to be provided.  This option is ignored if
    142. 

  142. OSSL_KEYMGMT_SELECT_PRIVATE_KEY is not set in the selection parameter.
    143. 

  143. 

  144. =back
    145. 

  145. 

  146. =head2 RSA key generation parameters for FIPS module testing
    147. 

  147. 

  148. When generating RSA keys, the following additional key generation parameters may
    149. 

  149. be used for algorithm testing purposes only. Do not use these to generate
    150. 

  150. RSA keys for a production environment.
    151. 

  151. 

  152. =over 4
    153. 

  153. 

  154. =item "xp" (B<OSSL_PKEY_PARAM_RSA_TEST_XP>) <unsigned integer>
    155. 

  155. 

  156. =item "xq" (B<OSSL_PKEY_PARAM_RSA_TEST_XQ>) <unsigned integer>
    157. 

  157. 

  158. These 2 fields are normally randomly generated and are used to generate "p" and
    159. 

  159. "q".
    160. 

  160. 

  161. =item "xp1" (B<OSSL_PKEY_PARAM_RSA_TEST_XP1>) <unsigned integer>
    162. 

  162. 

  163. =item "xp2" (B<OSSL_PKEY_PARAM_RSA_TEST_XP2>) <unsigned integer>
    164. 

  164. 

  165. =item "xq1" (B<OSSL_PKEY_PARAM_RSA_TEST_XQ1>) <unsigned integer>
    166. 

  166. 

  167. =item "xq2" (B<OSSL_PKEY_PARAM_RSA_TEST_XQ2>) <unsigned integer>
    168. 

  168. 

  169. These 4 fields are normally randomly generated. The prime factors "p1", "p2",
    170. 

  170. "q1" and "q2" are determined from these values.
    171. 

  171. 

  172. =back
    173. 

  173. 

  174. =head2 RSA key parameters for FIPS module testing
    175. 

  175. 

  176. The following intermediate values can be retrieved only if the values
    177. 

  177. specified in L</"RSA key generation parameters for FIPS module testing"> are set.
    178. 

  178. These should not be accessed in a production environment.
    179. 

  179. 

  180. =over 4
    181. 

  181. 

  182. =item "p1" (B<OSSL_PKEY_PARAM_RSA_TEST_P1>) <unsigned integer>
    183. 

  183. 

  184. =item "p2" (B<OSSL_PKEY_PARAM_RSA_TEST_P2>) <unsigned integer>
    185. 

  185. 

  186. =item "q1" (B<OSSL_PKEY_PARAM_RSA_TEST_Q1>) <unsigned integer>
    187. 

  187. 

  188. =item "q2" (B<OSSL_PKEY_PARAM_RSA_TEST_Q2>) <unsigned integer>
    189. 

  189. 

  190. The auxiliary probable primes.
    191. 

  191. 

  192. =back
    193. 

  193. 

  194. =head2 RSA key validation
    195. 

  195. 

  196. For RSA keys, L<EVP_PKEY_param_check(3)> and L<EVP_PKEY_param_check_quick(3)>
    197. 

  197. both return 1 unconditionally.
    198. 

  198. 

  199. For RSA keys, L<EVP_PKEY_public_check(3)> conforms to the SP800-56Br1 I<public key
    200. 

  200. check> when the OpenSSL FIPS provider is used. The OpenSSL default provider
    201. 

  201. performs similar tests but relaxes the keysize restrictions for backwards
    202. 

  202. compatibility.
    203. 

  203. 

  204. For RSA keys, L<EVP_PKEY_public_check_quick(3)> is the same as
    205. 

  205. L<EVP_PKEY_public_check(3)>.
    206. 

  206. 

  207. For RSA keys, L<EVP_PKEY_private_check(3)> conforms to the SP800-56Br1
    208. 

  208. I<private key test>.
    209. 

  209. 

  210. For RSA keys, L<EVP_PKEY_pairwise_check(3)> conforms to the
    211. 

  211. SP800-56Br1 I<KeyPair Validation check> for the OpenSSL FIPS provider. The
    212. 

  212. OpenSSL default provider allows testing of the validity of multi-primes.
    213. 

  213. 

  214. =head1 CONFORMING TO
    215. 

  215. 

  216. =over 4
    217. 

  217. 

  218. =item FIPS186-4
    219. 

  219. 

  220. Section B.3.6  Generation of Probable Primes with Conditions Based on
    221. 

  221. Auxiliary Probable Primes
    222. 

  222. 

  223. =item RFC 8017, excluding RSA-PSS and RSA-OAEP
    224. 

  224. 

  225. =for comment RSA-PSS, and probably also RSA-OAEP, need separate keytypes,
    226. 

  226. and will be described in separate pages for those RSA keytypes.
    227. 

  227. 

  228. =back
    229. 

  229. 

  230. =head1 EXAMPLES
    231. 

  231. 

  232. An B<EVP_PKEY> context can be obtained by calling:
    233. 

  233. 

  234.     EVP_PKEY_CTX *pctx =
    235. 

  235.         EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
    236. 

  236. 

  237. An B<RSA> key can be generated simply like this:
    238. 

  238. 

  239.     pkey = EVP_RSA_gen(4096);
    240. 

  240. 

  241. or like this:
    242. 

  242. 

  243.     EVP_PKEY *pkey = NULL;
    244. 

  244.     EVP_PKEY_CTX *pctx =
    245. 

  245.         EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
    246. 

  246. 

  247.     EVP_PKEY_keygen_init(pctx);
    248. 

  248.     EVP_PKEY_generate(pctx, &pkey);
    249. 

  249.     EVP_PKEY_CTX_free(pctx);
    250. 

  250. 

  251. An B<RSA> key can be generated with key generation parameters:
    252. 

  252. 

  253.     unsigned int primes = 3;
    254. 

  254.     unsigned int bits = 4096;
    255. 

  255.     OSSL_PARAM params[3];
    256. 

  256.     EVP_PKEY *pkey = NULL;
    257. 

  257.     EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
    258. 

  258. 

  259.     EVP_PKEY_keygen_init(pctx);
    260. 

  260. 

  261.     params[0] = OSSL_PARAM_construct_uint("bits", &bits);
    262. 

  262.     params[1] = OSSL_PARAM_construct_uint("primes", &primes);
    263. 

  263.     params[2] = OSSL_PARAM_construct_end();
    264. 

  264.     EVP_PKEY_CTX_set_params(pctx, params);
    265. 

  265. 

  266.     EVP_PKEY_generate(pctx, &pkey);
    267. 

  267.     EVP_PKEY_print_private(bio_out, pkey, 0, NULL);
    268. 

  268.     EVP_PKEY_CTX_free(pctx);
    269. 

  269. 

  270. =head1 SEE ALSO
    271. 

  271. 

  272. L<EVP_RSA_gen(3)>, L<EVP_KEYMGMT(3)>, L<EVP_PKEY(3)>, L<provider-keymgmt(7)>
    273. 

  273. 

  274. =head1 COPYRIGHT
    275. 

  275. 

  276. Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
    277. 

  277. 

  278. Licensed under the Apache License 2.0 (the "License").  You may not use
    279. 

  279. this file except in compliance with the License.  You can obtain a copy
    280. 

  280. in the file LICENSE in the source distribution or at
    281. 

  281. L<https://www.openssl.org/source/license.html>.
    282. 

  282. 

  283. =cut
    284.