Add an option to specify number of bits in the subprime (q) when generating DSA keys

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19898)

diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index 54b4cd848b95c96ee5eaf0678e7eecc96a91cd46..adeeb095a0caec370e07d4f042d9bcb699e40d71 100644 (file)
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -58,6 +58,7 @@ const OPTIONS dsaparam_options[] = {
 
     OPT_PARAMETERS(),
     {"numbits", 0, 0, "Number of bits if generating parameters (optional)"},
+    {"numqbits", 0, 0, "Number of bits in the subprime parameter q if generating parameters (optional)"},
     {NULL}
 };
 
@@ -67,7 +68,7 @@ int dsaparam_main(int argc, char **argv)
     BIO *out = NULL;
     EVP_PKEY *params = NULL, *pkey = NULL;
     EVP_PKEY_CTX *ctx = NULL;
-    int numbits = -1, num = 0, genkey = 0;
+    int numbits = -1, numqbits = -1, num = 0, genkey = 0;
     int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, noout = 0;
     int ret = 1, i, text = 0, private = 0;
     char *infile = NULL, *outfile = NULL, *prog;
@@ -128,10 +129,15 @@ int dsaparam_main(int argc, char **argv)
         }
     }
 
-    /* Optional arg is bitsize. */
+    /* Optional args are bitsize and q bitsize. */
     argc = opt_num_rest();
     argv = opt_rest();
-    if (argc == 1) {
+    if (argc == 2) {
+        if (!opt_int(argv[0], &num) || num < 0)
+            goto opthelp;
+        if (!opt_int(argv[1], &numqbits) || numqbits < 0)
+            goto opthelp;
+    } else if (argc == 1) {
         if (!opt_int(argv[0], &num) || num < 0)
             goto opthelp;
     } else if (!opt_check_rest_arg(NULL)) {
@@ -178,6 +184,13 @@ int dsaparam_main(int argc, char **argv)
                        "Error, DSA key generation setting bit length failed\n");
             goto end;
         }
+        if (numqbits > 0) {
+            if (EVP_PKEY_CTX_set_dsa_paramgen_q_bits(ctx, numqbits) <= 0) {
+                BIO_printf(bio_err,
+                        "Error, DSA key generation setting subprime bit length failed\n");
+                goto end;
+            }
+        }
         params = app_paramgen(ctx, "DSA");
     } else {
         params = load_keyparams(infile, informat, 1, "DSA", "DSA parameters");

diff --git a/doc/man1/openssl-dsaparam.pod.in b/doc/man1/openssl-dsaparam.pod.in
index 88ba90299d0b482952cacc69b4dc41e7e12434c6..87fc97ff5f28e4aea8eac40fc7bb284c96f91889 100644 (file)
--- a/doc/man1/openssl-dsaparam.pod.in
+++ b/doc/man1/openssl-dsaparam.pod.in
@@ -21,6 +21,7 @@ B<openssl dsaparam>
 {- $OpenSSL::safe::opt_r_synopsis -}
 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
 [I<numbits>]
+[I<numqbits>]
 
 =head1 DESCRIPTION
 
@@ -91,9 +92,15 @@ be handy during batch scripts and pipelines.
 
 =item I<numbits>
 
-This option specifies that a parameter set should be generated of size
-I<numbits>. It must be the last option. If this option is included then
-the input file (if any) is ignored.
+This optional argument specifies that a parameter set should be generated of 
+size I<numbits>. If this argument is included then the input file (if any) is
+ignored.
+
+=item I<numqbits>
+
+This optional argument specifies that a parameter set should be generated with 
+a subprime parameter q of size I<numqbits>. It must be the last argument. If
+this argument is included then the input file (if any) is ignored.
 
 {- $OpenSSL::safe::opt_provider_item -}