5 EVP_PKEY-RSA, EVP_KEYMGMT-RSA, RSA
6 - EVP_PKEY RSA keytype and algorithm support
10 The B<RSA> keytype is implemented in OpenSSL's default and FIPS providers.
11 That implementation supports the basic RSA keys, containing the modulus I<n>,
12 the public exponent I<e>, the private exponent I<d>, and a collection of prime
13 factors, exponents and coefficient for CRT calculations, of which the first
14 few are known as I<p> and I<q>, I<dP> and I<dQ>, and I<qInv>.
16 =head2 Common RSA parameters
18 In addition to the common parameters that all keytypes should support (see
19 L<provider-keymgmt(7)/Common parameters>), the B<RSA> keytype implementation
20 supports the following.
24 =item "n" (B<OSSL_PKEY_PARAM_RSA_N>) <unsigned integer>
28 =item "e" (B<OSSL_PKEY_PARAM_RSA_E>) <unsigned integer>
32 =item "d" (B<OSSL_PKEY_PARAM_RSA_D>) <unsigned integer>
36 =item "rsa-factor1" (B<OSSL_PKEY_PARAM_RSA_FACTOR1>) <unsigned integer>
38 =item "rsa-factor2" (B<OSSL_PKEY_PARAM_RSA_FACTOR2>) <unsigned integer>
40 =item "rsa-factor3" (B<OSSL_PKEY_PARAM_RSA_FACTOR3>) <unsigned integer>
42 =item "rsa-factor4" (B<OSSL_PKEY_PARAM_RSA_FACTOR4>) <unsigned integer>
44 =item "rsa-factor5" (B<OSSL_PKEY_PARAM_RSA_FACTOR5>) <unsigned integer>
46 =item "rsa-factor6" (B<OSSL_PKEY_PARAM_RSA_FACTOR6>) <unsigned integer>
48 =item "rsa-factor7" (B<OSSL_PKEY_PARAM_RSA_FACTOR7>) <unsigned integer>
50 =item "rsa-factor8" (B<OSSL_PKEY_PARAM_RSA_FACTOR8>) <unsigned integer>
52 =item "rsa-factor9" (B<OSSL_PKEY_PARAM_RSA_FACTOR9>) <unsigned integer>
54 =item "rsa-factor10" (B<OSSL_PKEY_PARAM_RSA_FACTOR10>) <unsigned integer>
56 RSA prime factors. The factors are known as "p", "q" and "r_i" in RFC8017.
57 Up to eight additional "r_i" prime factors are supported.
59 =item "rsa-exponent1" (B<OSSL_PKEY_PARAM_RSA_EXPONENT1>) <unsigned integer>
61 =item "rsa-exponent2" (B<OSSL_PKEY_PARAM_RSA_EXPONENT2>) <unsigned integer>
63 =item "rsa-exponent3" (B<OSSL_PKEY_PARAM_RSA_EXPONENT3>) <unsigned integer>
65 =item "rsa-exponent4" (B<OSSL_PKEY_PARAM_RSA_EXPONENT4>) <unsigned integer>
67 =item "rsa-exponent5" (B<OSSL_PKEY_PARAM_RSA_EXPONENT5>) <unsigned integer>
69 =item "rsa-exponent6" (B<OSSL_PKEY_PARAM_RSA_EXPONENT6>) <unsigned integer>
71 =item "rsa-exponent7" (B<OSSL_PKEY_PARAM_RSA_EXPONENT7>) <unsigned integer>
73 =item "rsa-exponent8" (B<OSSL_PKEY_PARAM_RSA_EXPONENT8>) <unsigned integer>
75 =item "rsa-exponent9" (B<OSSL_PKEY_PARAM_RSA_EXPONENT9>) <unsigned integer>
77 =item "rsa-exponent10" (B<OSSL_PKEY_PARAM_RSA_EXPONENT10>) <unsigned integer>
79 RSA CRT (Chinese Remainder Theorem) exponents. The exponents are known
80 as "dP", "dQ" and "d_i in RFC8017".
81 Up to eight additional "d_i" exponents are supported.
83 =item "rsa-coefficient1" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT1>) <unsigned integer>
85 =item "rsa-coefficient2" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT2>) <unsigned integer>
87 =item "rsa-coefficient3" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT3>) <unsigned integer>
89 =item "rsa-coefficient4" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT4>) <unsigned integer>
91 =item "rsa-coefficient5" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT5>) <unsigned integer>
93 =item "rsa-coefficient6" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT6>) <unsigned integer>
95 =item "rsa-coefficient7" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT7>) <unsigned integer>
97 =item "rsa-coefficient8" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT8>) <unsigned integer>
99 =item "rsa-coefficient9" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT9>) <unsigned integer>
101 RSA CRT (Chinese Remainder Theorem) coefficients. The coefficients are known as
103 Up to eight additional "t_i" exponents are supported.
107 =head2 RSA key generation parameters
109 When generating RSA keys, the following key generation parameters may be used.
113 =item "bits" (B<OSSL_PKEY_PARAM_RSA_BITS>) <unsigned integer>
115 The value should be the cryptographic length for the B<RSA> cryptosystem, in
118 =item "primes" (B<OSSL_PKEY_PARAM_RSA_PRIMES>) <unsigned integer>
120 The value should be the number of primes for the generated B<RSA> key. The
121 default is 2. It isn't permitted to specify a larger number of primes than
122 10. Additionally, the number of primes is limited by the length of the key
123 being generated so the maximum number could be less.
124 Some providers may only support a value of 2.
126 =item "e" (B<OSSL_PKEY_PARAM_RSA_E>) <unsigned integer>
128 The RSA "e" value. The value may be any odd number greater than or equal to
129 65537. The default value is 65537.
130 For legacy reasons a value of 3 is currently accepted but is deprecated.
134 =head2 RSA key generation parameters for FIPS module testing
136 When generating RSA keys, the following additional key generation parameters may
137 be used for algorithm testing purposes only. Do not use these to generate
138 RSA keys for a production environment.
142 =item "xp" (B<OSSL_PKEY_PARAM_RSA_TEST_XP>) <unsigned integer>
144 =item "xq" (B<OSSL_PKEY_PARAM_RSA_TEST_XQ>) <unsigned integer>
146 These 2 fields are normally randomly generated and are used to generate "p" and
149 =item "xp1" (B<OSSL_PKEY_PARAM_RSA_TEST_XP1>) <unsigned integer>
151 =item "xp2" (B<OSSL_PKEY_PARAM_RSA_TEST_XP2>) <unsigned integer>
153 =item "xq1" (B<OSSL_PKEY_PARAM_RSA_TEST_XQ1>) <unsigned integer>
155 =item "xq2" (B<OSSL_PKEY_PARAM_RSA_TEST_XQ2>) <unsigned integer>
157 These 4 fields are normally randomly generated. The prime factors "p1", "p2",
158 "q1" and "q2" are determined from these values.
162 =head2 RSA key parameters for FIPS module testing
164 The following intermediate values can be retrieved only if the values
165 specified in L</"RSA key generation parameters for FIPS module testing"> are set.
166 These should not be accessed in a production environment.
170 =item "p1" (B<OSSL_PKEY_PARAM_RSA_TEST_P1>) <unsigned integer>
172 =item "p2" (B<OSSL_PKEY_PARAM_RSA_TEST_P2>) <unsigned integer>
174 =item "q1" (B<OSSL_PKEY_PARAM_RSA_TEST_Q1>) <unsigned integer>
176 =item "q2" (B<OSSL_PKEY_PARAM_RSA_TEST_Q2>) <unsigned integer>
178 The auxiliary probable primes.
182 =head2 RSA key validation
184 For RSA keys, L<EVP_PKEY_param_check(3)> and L<EVP_PKEY_param_check_quick(3)>
185 both return 1 unconditionally.
187 For RSA keys, L<EVP_PKEY_public_check(3)> conforms to the SP800-56Br1 I<public key
188 check> when the OpenSSL FIPS provider is used. The OpenSSL default provider
189 performs similiar tests but relaxes the keysize restrictions for backwards
192 For RSA keys, L<EVP_PKEY_public_check_quick(3)> is the same as
193 L<EVP_PKEY_public_check(3)>.
195 For RSA keys, L<EVP_PKEY_private_check(3)> conforms to the SP800-56Br1
198 For RSA keys, L<EVP_PKEY_pairwise_check(3)> conforms to the
199 SP800-56Br1 I<KeyPair Validation check> for the OpenSSL FIPS provider. The
200 OpenSSL default provider allows testing of the validity of multi-primes.
208 Section B.3.6 Generation of Probable Primes with Conditions Based on
209 Auxiliary Probable Primes
211 =item RFC 8017, excluding RSA-PSS and RSA-OAEP
213 =for comment RSA-PSS, and probably also RSA-OAEP, need separate keytypes,
214 and will be described in separate pages for those RSA keytypes.
220 An B<EVP_PKEY> context can be obtained by calling:
223 EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
225 An B<RSA> key can be generated simply like this:
227 pkey = EVP_RSA_gen(4096);
231 EVP_PKEY *pkey = NULL;
233 EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
235 EVP_PKEY_keygen_init(pctx);
236 EVP_PKEY_generate(pctx, &pkey);
237 EVP_PKEY_CTX_free(pctx);
239 An B<RSA> key can be generated with key generation parameters:
241 unsigned int primes = 3;
242 unsigned int bits = 4096;
243 OSSL_PARAM params[3];
244 EVP_PKEY *pkey = NULL;
245 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
247 EVP_PKEY_keygen_init(pctx);
249 params[0] = OSSL_PARAM_construct_uint("bits", &bits);
250 params[1] = OSSL_PARAM_construct_uint("primes", &primes);
251 params[2] = OSSL_PARAM_construct_end();
252 EVP_PKEY_CTX_set_params(pctx, params);
254 EVP_PKEY_generate(pctx, &pkey);
255 EVP_PKEY_print_private(bio_out, pkey, 0, NULL);
256 EVP_PKEY_CTX_free(pctx);
260 L<EVP_RSA_gen(3)>, L<EVP_KEYMGMT(3)>, L<EVP_PKEY(3)>, L<provider-keymgmt(7)>
264 Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
266 Licensed under the Apache License 2.0 (the "License"). You may not use
267 this file except in compliance with the License. You can obtain a copy
268 in the file LICENSE in the source distribution or at
269 L<https://www.openssl.org/source/license.html>.