From: slontis Date: Wed, 27 Aug 2025 04:24:59 +0000 (+1000) Subject: RSA: Update RSA keygen. X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~205 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f1d03c1aceda8c074e1c89d90831c5e4bf6397f7;p=thirdparty%2Fopenssl.git RSA: Update RSA keygen. The documentation now reference(s) FIPS 186-5 instead of FIPS 186-4, and clarifies the keygen method used. This PR also adds the new FIPS 186-5 2 optional parameters that allow the generated probable primes to be congruent to a value mod 8. Reviewed-by: Neil Horman Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/28349) --- diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_5.c similarity index 82% rename from crypto/bn/bn_rsa_fips186_4.c rename to crypto/bn/bn_rsa_fips186_5.c index e42de63a352..3a03ed9704d 100644 --- a/crypto/bn/bn_rsa_fips186_4.c +++ b/crypto/bn/bn_rsa_fips186_5.c @@ -102,24 +102,29 @@ static int bn_rsa_fips186_5_aux_prime_min_size(int nbits) * (FIPS 186-5 has an entry for >= 4096 bits). * Params: * nbits The key size in bits. + * c If this is non zero then the probable prime is congruent to c mod 8 + * and is 3 bits smaller * Returns: * The maximum length or 0 if nbits is invalid. */ -static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits) +static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits, + uint32_t c) { + int reduce_bits = (c == 0) ? 0 : 3; + if (nbits >= 4096) - return 2030; + return 2030 - reduce_bits; if (nbits >= 3072) - return 1518; + return 1518 - reduce_bits; if (nbits >= 2048) - return 1007; + return 1007 - reduce_bits; return 0; } /* * Find the first odd integer that is a probable prime. * - * See section FIPS 186-4 B.3.6 (Steps 4.2/5.2). + * See section FIPS 186-5 A.1.6 (Steps 4.2/5.2). * * Params: * Xp1 The passed in starting point to find a probably prime. @@ -129,7 +134,7 @@ static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits) * cb An optional BIGNUM callback. * Returns: 1 on success otherwise it returns 0. */ -static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1, +static int bn_rsa_fips186_5_find_aux_prob_prime(const BIGNUM *Xp1, BIGNUM *p1, BN_CTX *ctx, int rounds, BN_GENCB *cb) @@ -165,7 +170,7 @@ err: /* * Generate a probable prime (p or q). * - * See FIPS 186-4 B.3.6 (Steps 4 & 5) + * See FIPS 186-5 A.1.6 (Steps 4 & 5) * * Params: * p The returned probable prime. @@ -179,14 +184,17 @@ err: * e The public exponent. * ctx A BN_CTX object. * cb An optional BIGNUM callback. + * c An optional number with a value of 0, 1, 3, 5 or 7 that may be used + * to add the requirement p is congruent to c mod 8. The value is ignored + * if it is zero. * Returns: 1 on success otherwise it returns 0. */ -int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, +int ossl_bn_rsa_fips186_5_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, BIGNUM *p1, BIGNUM *p2, const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2, int nlen, const BIGNUM *e, BN_CTX *ctx, - BN_GENCB *cb) + BN_GENCB *cb, uint32_t c) { int ret = 0; BIGNUM *p1i = NULL, *p2i = NULL, *Xp1i = NULL, *Xp2i = NULL; @@ -225,16 +233,16 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, } /* (Steps 4.2/5.2) - find first auxiliary probable primes */ - if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, rounds, cb) - || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, rounds, cb)) + if (!bn_rsa_fips186_5_find_aux_prob_prime(Xp1i, p1i, ctx, rounds, cb) + || !bn_rsa_fips186_5_find_aux_prob_prime(Xp2i, p2i, ctx, rounds, cb)) goto err; /* (FIPS 186-5 Table A.1) auxiliary prime Max length check */ - if ((BN_num_bits(p1i) + BN_num_bits(p2i)) > - bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(nlen)) + if ((BN_num_bits(p1i) + BN_num_bits(p2i)) >= + bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(nlen, c)) goto err; /* (Steps 4.3/5.3) - generate prime */ - if (!ossl_bn_rsa_fips186_4_derive_prime(p, Xpout, Xp, p1i, p2i, nlen, e, - ctx, cb)) + if (!ossl_bn_rsa_fips186_5_derive_prime(p, Xpout, Xp, p1i, p2i, nlen, e, + ctx, cb, c)) goto err; ret = 1; err: @@ -251,12 +259,29 @@ err: return ret; } +static ossl_inline +int get_multiple_of_y_congruent_to_cmod8(BIGNUM *y, const BIGNUM *r1r2x2, int c) +{ + int i = 0; + + for (i = 0; i < 3; ++i) { + /* Check for Y = c mod 8 */ + if ((int)(*bn_get_words(y) & 7) == c) + return 1; + /* Y = Y + 2r1r2 */ + if (!BN_add(y, y, r1r2x2)) + return 0; + } + /* Fall through for y = y + 6 * r1r2 */ + return 1; +} + /* * Constructs a probable prime (a candidate for p or q) using 2 auxiliary * prime numbers and the Chinese Remainder Theorem. * - * See FIPS 186-4 C.9 "Compute a Probable Prime Factor Based on Auxiliary - * Primes". Used by FIPS 186-4 B.3.6 Section (4.3) for p and Section (5.3) for q. + * See FIPS 186-5 B.9 "Compute a Probable Prime Factor Based on Auxiliary + * Primes". Used by FIPS 186-5 A.1.6 Section (4.3) for p and Section (5.3) for q. * * Params: * Y The returned prime factor (private_prime_factor) of the modulus n. @@ -268,20 +293,24 @@ err: * e The public exponent. * ctx A BN_CTX object. * cb An optional BIGNUM callback object. + * c An optional parameter from the set {0, 1, 3, 5, 7} that + * may be used to add the further requirement that the computed + * prime is congruent to c mod 8. A value of 0 indicates that the option + * is ignored. * Returns: 1 on success otherwise it returns 0. * Assumptions: * Y, X, r1, r2, e are not NULL. */ -int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, +int ossl_bn_rsa_fips186_5_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, const BIGNUM *r1, const BIGNUM *r2, int nlen, const BIGNUM *e, - BN_CTX *ctx, BN_GENCB *cb) + BN_CTX *ctx, BN_GENCB *cb, uint32_t c) { int ret = 0; int i, imax, rounds; int bits = nlen >> 1; - BIGNUM *tmp, *R, *r1r2x2, *y1, *r1x2; - BIGNUM *base, *range; + BIGNUM *tmp, *R, *r1r2x2, *r1r2x8, *y1, *r1x2; + BIGNUM *base, *range, *r1r2x2_step; BN_CTX_start(ctx); @@ -290,6 +319,7 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, R = BN_CTX_get(ctx); tmp = BN_CTX_get(ctx); r1r2x2 = BN_CTX_get(ctx); + r1r2x8 = BN_CTX_get(ctx); y1 = BN_CTX_get(ctx); r1x2 = BN_CTX_get(ctx); if (r1x2 == NULL) @@ -340,6 +370,14 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, if (BN_is_negative(R) && !BN_add(R, R, r1r2x2)) goto err; + if (c == 0) { + r1r2x2_step = r1r2x2; + } else { + if (!BN_lshift(r1r2x8, r1r2x2, 2)) + goto err; + r1r2x2_step = r1r2x8; + } + /* * In FIPS 186-4 imax was set to 5 * nlen/2. * Analysis by Allen Roginsky @@ -362,6 +400,15 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, /* (Step 4) Y = X + ((R - X) mod 2r1r2) */ if (!BN_mod_sub(Y, R, X, r1r2x2, ctx) || !BN_add(Y, Y, X)) goto err; + /* + * (Step 4.1) If there is an optional requirement that the + * computed prime is equal to c mod 8, then chose the value + * Y, Y + 2r1r2, Y + 4r1r2 OR Y + 6r1r2 that satisfies the requirement. + */ + if (c != 0) { + if (!get_multiple_of_y_congruent_to_cmod8(Y, r1r2x2, c)) + goto err; + } /* (Step 5) */ i = 0; for (;;) { @@ -392,7 +439,7 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, ERR_raise(ERR_LIB_BN, BN_R_NO_PRIME_CANDIDATE); goto err; } - if (!BN_add(Y, Y, r1r2x2)) + if (!BN_add(Y, Y, r1r2x2_step)) goto err; } } diff --git a/crypto/bn/build.info b/crypto/bn/build.info index cf30d057ad5..01e98e45443 100644 --- a/crypto/bn/build.info +++ b/crypto/bn/build.info @@ -109,7 +109,7 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \ bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \ bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ - bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c + bn_intern.c bn_dh.c bn_rsa_fips186_5.c bn_const.c SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c DEFINE[../../libcrypto]=$BNDEF IF[{- !$disabled{'deprecated-0.9.8'} -}] diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c index 0cbcebeced0..064e6757139 100644 --- a/crypto/rsa/rsa_gen.c +++ b/crypto/rsa/rsa_gen.c @@ -29,7 +29,8 @@ static int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg); static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes, - BIGNUM *e_value, BN_GENCB *cb, int pairwise_test); + BIGNUM *e_value, BN_GENCB *cb, int pairwise_test, + uint32_t a, uint32_t b); /* * NB: this wrapper would normally be placed in rsa_lib.c and the static @@ -47,8 +48,9 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) e_value, cb); } -int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, - BIGNUM *e_value, BN_GENCB *cb) +int ossl_rsa_generate_multi_prime_key(RSA *rsa, int bits, int primes, + BIGNUM *e_value, BN_GENCB *cb, + uint32_t a, uint32_t b) { #ifndef FIPS_MODULE /* multi-prime is only supported with the builtin key generation */ @@ -68,7 +70,13 @@ int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, return 0; } #endif /* FIPS_MODULE */ - return rsa_keygen(rsa->libctx, rsa, bits, primes, e_value, cb, 0); + return rsa_keygen(rsa->libctx, rsa, bits, primes, e_value, cb, 0, a, b); +} + +int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, + BIGNUM *e, BN_GENCB *cb) +{ + return ossl_rsa_generate_multi_prime_key(rsa, bits, primes, e, cb, 0, 0); } DEFINE_STACK_OF(BIGNUM) @@ -607,12 +615,13 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes, #endif /* FIPS_MODULE */ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes, - BIGNUM *e_value, BN_GENCB *cb, int pairwise_test) + BIGNUM *e_value, BN_GENCB *cb, int pairwise_test, + uint32_t a, uint32_t b) { int ok = 0; #ifdef FIPS_MODULE - ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb); + ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb, a, b); pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */ #else /* @@ -622,7 +631,7 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes, if (primes == 2 && bits >= 2048 && (e_value == NULL || BN_num_bits(e_value) > 16)) - ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb); + ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb, a, b); else ok = rsa_multiprime_keygen(rsa, bits, primes, e_value, cb); #endif /* FIPS_MODULE */ diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h index bc6bd63996c..8ab2bef3fb6 100644 --- a/crypto/rsa/rsa_local.h +++ b/crypto/rsa/rsa_local.h @@ -184,13 +184,13 @@ int ossl_rsa_sp800_56b_check_private(const RSA *rsa); int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed, int strength, int nbits); int ossl_rsa_sp800_56b_generate_key(RSA *rsa, int nbits, const BIGNUM *efixed, - BN_GENCB *cb); + BN_GENCB *cb, uint32_t a, uint32_t b); int ossl_rsa_sp800_56b_derive_params_from_pq(RSA *rsa, int nbits, const BIGNUM *e, BN_CTX *ctx); -int ossl_rsa_fips186_4_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test, +int ossl_rsa_fips186_5_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test, int nbits, const BIGNUM *e, BN_CTX *ctx, - BN_GENCB *cb); + BN_GENCB *cb, uint32_t a, uint32_t b); int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to, int tlen, const unsigned char *from, diff --git a/crypto/rsa/rsa_sp800_56b_gen.c b/crypto/rsa/rsa_sp800_56b_gen.c index c741cf3c3b0..940b8c04c02 100644 --- a/crypto/rsa/rsa_sp800_56b_gen.c +++ b/crypto/rsa/rsa_sp800_56b_gen.c @@ -17,11 +17,11 @@ #include "crypto/security_bits.h" #include "rsa_local.h" -#define RSA_FIPS1864_MIN_KEYGEN_KEYSIZE 2048 -#define RSA_FIPS1864_MIN_KEYGEN_STRENGTH 112 +#define RSA_FIPS186_5_MIN_KEYGEN_KEYSIZE 2048 +#define RSA_FIPS186_5_MIN_KEYGEN_STRENGTH 112 /* - * Generate probable primes 'p' & 'q'. See FIPS 186-4 Section B.3.6 + * Generate probable primes 'p' & 'q'. See FIPS 186-5 Section A.1.6 * "Generation of Probable Primes with Conditions Based on Auxiliary Probable * Primes". * @@ -46,15 +46,22 @@ * e The public exponent. * ctx A BN_CTX object. * cb An optional BIGNUM callback. + * a An optional number with a value of 0, 1, 3, 5 or 7 that may be used + * to add the requirement p is congruent to a mod 8. The value is ignored + * if it is zero. + * b An optional number with a value of 0, 1, 3, 5 or 7 that may be used + * to add the requirement q is congruent to b mod 8. The value is ignored + * if it is zero. + * * Returns: 1 if successful, or 0 otherwise. * Notes: * p1, p2, q1, q2 are returned if they are not NULL. * Xp, Xp1, Xp2, Xq, Xq1, Xq2 are optionally passed in. * (Required for CAVS testing). */ -int ossl_rsa_fips186_4_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test, +int ossl_rsa_fips186_5_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test, int nbits, const BIGNUM *e, BN_CTX *ctx, - BN_GENCB *cb) + BN_GENCB *cb, uint32_t a, uint32_t b) { int ret = 0, ok; /* Temp allocated BIGNUMS */ @@ -81,21 +88,24 @@ int ossl_rsa_fips186_4_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test, } #endif - /* (Step 1) Check key length + /* + * (Step 1) Check key length * NOTE: SP800-131A Rev1 Disallows key lengths of < 2048 bits for RSA * Signature Generation and Key Agree/Transport. */ - if (nbits < RSA_FIPS1864_MIN_KEYGEN_KEYSIZE) { + if (nbits < RSA_FIPS186_5_MIN_KEYGEN_KEYSIZE) { ERR_raise(ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL); return 0; } + /* (Step 2) Check exponent */ if (!ossl_rsa_check_public_exponent(e)) { ERR_raise(ERR_LIB_RSA, RSA_R_PUB_EXPONENT_OUT_OF_RANGE); return 0; } - /* (Step 3) Determine strength and check rand generator strength is ok - + /* + * (Step 3) Determine strength and check rand generator strength is ok - * this step is redundant because the generator always returns a higher * strength than is required. */ @@ -119,13 +129,13 @@ int ossl_rsa_fips186_4_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test, BN_set_flags(rsa->q, BN_FLG_CONSTTIME); /* (Step 4) Generate p, Xp */ - if (!ossl_bn_rsa_fips186_4_gen_prob_primes(rsa->p, Xpo, p1, p2, Xp, Xp1, Xp2, - nbits, e, ctx, cb)) + if (!ossl_bn_rsa_fips186_5_gen_prob_primes(rsa->p, Xpo, p1, p2, Xp, Xp1, Xp2, + nbits, e, ctx, cb, a)) goto err; for (;;) { /* (Step 5) Generate q, Xq*/ - if (!ossl_bn_rsa_fips186_4_gen_prob_primes(rsa->q, Xqo, q1, q2, Xq, Xq1, - Xq2, nbits, e, ctx, cb)) + if (!ossl_bn_rsa_fips186_5_gen_prob_primes(rsa->q, Xqo, q1, q2, Xq, Xq1, + Xq2, nbits, e, ctx, cb, b)) goto err; /* (Step 6) |Xp - Xq| > 2^(nbitlen/2 - 100) */ @@ -146,7 +156,7 @@ int ossl_rsa_fips186_4_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test, rsa->dirty_cnt++; ret = 1; err: - /* Zeroize any internally generated values that are not returned */ + /* (Step 7) Zeroize any internally generated values that are not returned */ BN_clear(Xpo); BN_clear(Xqo); BN_clear(tmp); @@ -176,7 +186,7 @@ int ossl_rsa_sp800_56b_validate_strength(int nbits, int strength) int s = (int)ossl_ifc_ffc_compute_security_bits(nbits); #ifdef FIPS_MODULE - if (s < RSA_FIPS1864_MIN_KEYGEN_STRENGTH) { + if (s < RSA_FIPS186_5_MIN_KEYGEN_STRENGTH) { ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MODULUS); return 0; } @@ -351,7 +361,7 @@ err: * 6.3.1.1 rsakpg1 - basic * 6.3.1.3 rsakpg1 - crt * - * See also FIPS 186-4 Section B.3.6 + * See also FIPS 186-5 Section A.1.6 * "Generation of Probable Primes with Conditions Based on Auxiliary * Probable Primes." * @@ -360,10 +370,16 @@ err: * nbits The intended key size in bits. * efixed The public exponent. If NULL a default of 65537 is used. * cb An optional BIGNUM callback. + * a An optional number with a value of 0, 1, 3, 5 or 7 that may be used + * to add the requirement p is congruent to a mod 8. The value is ignored + * if it is zero. + * b An optional number with a value of 0, 1, 3, 5 or 7 that may be used + * to add the requirement q is congruent to b mod 8. The value is ignored + * if it is zero. * Returns: 1 if successfully generated otherwise it returns 0. */ int ossl_rsa_sp800_56b_generate_key(RSA *rsa, int nbits, const BIGNUM *efixed, - BN_GENCB *cb) + BN_GENCB *cb, uint32_t a, uint32_t b) { int ret = 0; int ok; @@ -400,7 +416,7 @@ int ossl_rsa_sp800_56b_generate_key(RSA *rsa, int nbits, const BIGNUM *efixed, for (;;) { /* (Step 2) Generate prime factors */ - if (!ossl_rsa_fips186_4_gen_prob_primes(rsa, info, nbits, e, ctx, cb)) + if (!ossl_rsa_fips186_5_gen_prob_primes(rsa, info, nbits, e, ctx, cb, a, b)) goto err; /* p>q check and skipping in case of acvp test */ diff --git a/doc/man7/EVP_PKEY-RSA.pod b/doc/man7/EVP_PKEY-RSA.pod index 9c4a615b840..8ba48a42d84 100644 --- a/doc/man7/EVP_PKEY-RSA.pod +++ b/doc/man7/EVP_PKEY-RSA.pod @@ -13,6 +13,24 @@ the public exponent I, the private exponent I, and a collection of prime factors, exponents and coefficient for CRT calculations, of which the first few are known as I

and I, I and I, and I. +RSA key generation uses FIPS 186-5 Section A.1.6 "Generation of Probable +Primes with Conditions Based on Auxiliary Probable Primes" for the OpenSSL FIPS +provider. It is also used for the OpenSSL default provider when the generation +parameters satisfy the following conditions: + +=over 4 + +=item There are 2 "primes" (p, q) + +=item The exponent "e" >= 65537 and is odd + +=item The cryptographic length "bits" >= 2048 + +=back + +Otherwise the OpenSSL default provider uses an older general multi-prime key +generator. + =head2 Common RSA parameters In addition to the common parameters that all keytypes should support (see @@ -141,6 +159,20 @@ option requires at least OSSL_PARAM_RSA_FACTOR1, OSSL_PARAM_RSA_FACTOR2, and OSSL_PARAM_RSA_N to be provided. This option is ignored if OSSL_KEYMGMT_SELECT_PRIVATE_KEY is not set in the selection parameter. +=item "rsa-a" (B) + +Setting this value to one of 1, 3, 5 or 7 applies an additional constraint +requiring that the computed prime p is congruent to this value mod 8. +If this value is zero then it is ignored. An error will occur if the value is not +set to one of the above values. + +=item "rsa-b" (B) + +Setting this value to one of 1, 3, 5 or 7 applies an additional constraint +requiring that the computed prime q is congruent to this value mod 8. +If this value is zero then it is ignored. An error will occur if the value is not +set to one of the above values. + =back =head2 RSA key generation parameters for FIPS module testing @@ -215,9 +247,9 @@ OpenSSL default provider allows testing of the validity of multi-primes. =over 4 -=item FIPS186-4 +=item FIPS186-5 -Section B.3.6 Generation of Probable Primes with Conditions Based on +Section A.1.6 Generation of Probable Primes with Conditions Based on Auxiliary Probable Primes =item RFC 8017, excluding RSA-PSS and RSA-OAEP @@ -271,6 +303,10 @@ An B key can be generated with key generation parameters: L, L, L, L +=head1 HISTORY + +The RSA key generation parameters "a" and "b" were added in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/crypto/bn.h b/include/crypto/bn.h index 2acdeacfe89..ee50cd58b08 100644 --- a/include/crypto/bn.h +++ b/include/crypto/bn.h @@ -111,17 +111,17 @@ int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx, const BIGNUM *ossl_bn_get0_small_factors(void); -int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, +int ossl_bn_rsa_fips186_5_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, BIGNUM *p1, BIGNUM *p2, const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2, int nlen, const BIGNUM *e, BN_CTX *ctx, - BN_GENCB *cb); + BN_GENCB *cb, uint32_t c); -int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, +int ossl_bn_rsa_fips186_5_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, const BIGNUM *r1, const BIGNUM *r2, int nlen, const BIGNUM *e, BN_CTX *ctx, - BN_GENCB *cb); + BN_GENCB *cb, uint32_t c); OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx); diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h index 55cc814ce91..b0d2174bbcd 100644 --- a/include/crypto/rsa.h +++ b/include/crypto/rsa.h @@ -124,6 +124,10 @@ ASN1_STRING *ossl_rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx); int ossl_rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx, const X509_ALGOR *sigalg, EVP_PKEY *pkey); +int ossl_rsa_generate_multi_prime_key(RSA *rsa, int bits, int primes, + BIGNUM *e_value, BN_GENCB *cb, + uint32_t a, uint32_t b); + # if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) int ossl_rsa_acvp_test_gen_params_new(OSSL_PARAM **dst, const OSSL_PARAM src[]); void ossl_rsa_acvp_test_gen_params_free(OSSL_PARAM *dst); diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c index 0fafcc7872b..31d65586afd 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -439,6 +439,7 @@ struct rsa_gen_ctx { /* ACVP test parameters */ OSSL_PARAM *acvp_test_params; #endif + uint32_t a, b; }; static int rsa_gencb(int p, int n, BN_GENCB *cb) @@ -526,6 +527,25 @@ static int rsa_gen_set_params(void *genctx, const OSSL_PARAM params[]) if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_E)) != NULL && !OSSL_PARAM_get_BN(p, &gctx->pub_exp)) return 0; + if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_A)) != NULL) { + if (!OSSL_PARAM_get_uint32(p, &gctx->a)) + return 0; + /* a is an optional value that should be one of (0, 1, 3, 5, 7) */ + if (gctx->a != 0 && (gctx->a > 7 || (gctx->a & 1) == 0)) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DATA); + return 0; + } + } + if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_B)) != NULL) { + if (!OSSL_PARAM_get_uint32(p, &gctx->b)) + return 0; + /* b is an optional value that should be one of (0, 1, 3, 5, 7) */ + if (gctx->b != 0 && (gctx->b > 7 || (gctx->b & 1) == 0)) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DATA); + return 0; + } + } + /* Only attempt to get PSS parameters when generating an RSA-PSS key */ if (gctx->rsa_type == RSA_FLAG_TYPE_RSASSAPSS && !pss_params_fromdata(&gctx->pss_params, &gctx->pss_defaults_set, params, @@ -542,8 +562,9 @@ static int rsa_gen_set_params(void *genctx, const OSSL_PARAM params[]) #define rsa_gen_basic \ OSSL_PARAM_size_t(OSSL_PKEY_PARAM_RSA_BITS, NULL), \ OSSL_PARAM_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, NULL), \ - OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0) - + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0), \ + OSSL_PARAM_uint32(OSSL_PKEY_PARAM_RSA_A, NULL), \ + OSSL_PARAM_uint32(OSSL_PKEY_PARAM_RSA_B, NULL) /* * The following must be kept in sync with ossl_rsa_pss_params_30_fromdata() * in crypto/rsa/rsa_backend.c @@ -620,9 +641,10 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) } #endif - if (!RSA_generate_multi_prime_key(rsa_tmp, - (int)gctx->nbits, (int)gctx->primes, - gctx->pub_exp, gencb)) + if (!ossl_rsa_generate_multi_prime_key(rsa_tmp, + (int)gctx->nbits, (int)gctx->primes, + gctx->pub_exp, gencb, + gctx->a, gctx->b)) goto err; if (!ossl_rsa_pss_params_30_copy(ossl_rsa_get0_pss_params_30(rsa_tmp), diff --git a/test/acvp_test.c b/test/acvp_test.c index 2c3be0f2e88..7d46b7c1789 100644 --- a/test/acvp_test.c +++ b/test/acvp_test.c @@ -1329,6 +1329,10 @@ static int rsa_keygen_test(int id) xq2_bn)) || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_TEST_XQ, xq_bn)) + || !TEST_true(OSSL_PARAM_BLD_push_uint32(bld, OSSL_PKEY_PARAM_RSA_A, + tst->a)) + || !TEST_true(OSSL_PARAM_BLD_push_uint32(bld, OSSL_PKEY_PARAM_RSA_B, + tst->b)) || !TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) goto err; @@ -1357,14 +1361,14 @@ static int rsa_keygen_test(int id) &d, &d_len))) goto err; - if (!TEST_mem_eq(tst->p1, tst->p1_len, p1, p1_len) - || !TEST_mem_eq(tst->p2, tst->p2_len, p2, p2_len) + if ((tst->p1 != NULL && !TEST_mem_eq(tst->p1, tst->p1_len, p1, p1_len)) + || (tst->p2 != NULL && !TEST_mem_eq(tst->p2, tst->p2_len, p2, p2_len)) + || (tst->q1 != NULL && !TEST_mem_eq(tst->q1, tst->q1_len, q1, q1_len)) + || (tst->q2 != NULL && !TEST_mem_eq(tst->q2, tst->q2_len, q2, q2_len)) || !TEST_mem_eq(tst->p, tst->p_len, p, p_len) - || !TEST_mem_eq(tst->q1, tst->q1_len, q1, q1_len) - || !TEST_mem_eq(tst->q2, tst->q2_len, q2, q2_len) || !TEST_mem_eq(tst->q, tst->q_len, q, q_len) || !TEST_mem_eq(tst->n, tst->n_len, n, n_len) - || !TEST_mem_eq(tst->d, tst->d_len, d, d_len)) + || (tst->d != NULL && !TEST_mem_eq(tst->d, tst->d_len, d, d_len))) goto err; test_output_memory("p1", p1, p1_len); diff --git a/test/acvp_test.inc b/test/acvp_test.inc index 9ca15774371..3384742f0af 100644 --- a/test/acvp_test.inc +++ b/test/acvp_test.inc @@ -10,6 +10,7 @@ #define PASS 1 #define FAIL 0 #define ITM(x) x, sizeof(x) +#define ITM_NULL NULL, 0 #ifndef OPENSSL_NO_EC @@ -1193,6 +1194,8 @@ struct rsa_keygen_st { size_t n_len; const unsigned char *d; size_t d_len; + uint32_t a; + uint32_t b; }; static const unsigned char rsa_keygen0_e[] = { @@ -1318,6 +1321,265 @@ static const unsigned char rsa_keygen0_d[] = { 0x61 }; +static const unsigned char rsa_keygen1_e[] = { + 0x6e,0x79,0x10,0x4e,0x3d,0xd3 +}; +static const unsigned char rsa_keygen1_xp1[] = { + 0x02,0x10,0x31,0x3d,0xac,0x51,0x0e,0x45, + 0x22,0x0c,0x35,0xa0,0xe4,0xd7,0xc7,0xf0, + 0xba,0xe7,0xd1,0x17,0x0d,0x35,0xa3,0x84, + 0x04,0xc2,0xf4,0xf6,0x21,0x34,0xe4,0x73, + 0x8a,0xd9,0xec,0x50,0xe2,0x3c,0xee,0x60, + 0x99,0x26,0x9a,0x9b,0x1d,0x68,0xaf,0xb3, + 0x67,0xc9,0x41,0x46,0xdc,0x26,0xf2,0x6a, + 0x60,0x14,0x79,0x9b,0xb2,0xa8,0x6c,0xbc, + 0xa7,0x53,0x08,0x94,0x8a,0x2f,0xba,0xfb, + 0x2d,0xad,0x3f, +}; +static const unsigned char rsa_keygen1_xp2[] = { + 0x48,0x3f,0xbb,0xa5,0xc1,0x8c,0x2c,0xbd, + 0x15,0x9c,0x3b,0xf7,0x18,0x55,0x48,0xad, + 0x85,0x68,0x7b,0xf4,0xb6,0x92,0x53,0xc7, + 0x15,0xa3,0xe7,0xdb,0x12,0xd8,0x3d,0xea, + 0xf4,0x15,0x88,0xf2,0x81,0x07,0x8f,0x82, + 0x18,0x65,0xf7,0x98,0x64,0xec,0xbe,0x71, + 0xa8,0x0c,0x61,0x69,0x9c,0x19, +}; +static const unsigned char rsa_keygen1_xp[] = { + 0xdf,0x44,0xca,0x63,0x57,0xd3,0xb5,0x67, + 0x46,0xa5,0x52,0x99,0xfa,0xa7,0x9e,0x20, + 0x1c,0x45,0xcc,0x38,0x61,0xb2,0xb4,0x92, + 0xca,0xaa,0x6c,0x0e,0x4e,0x59,0x26,0x12, + 0xfd,0x41,0x84,0xcb,0x81,0xfe,0xf8,0xf5, + 0x0f,0xac,0x41,0xf4,0xca,0xbc,0xab,0x97, + 0x86,0xd5,0x55,0x60,0xed,0x8e,0x1a,0x76, + 0x7e,0x22,0xfd,0xea,0x64,0xb1,0x03,0x9a, + 0x7e,0xd7,0x4c,0xdd,0xfe,0x06,0x00,0xfb, + 0x2c,0x1a,0x0a,0xd7,0xb4,0xcf,0x97,0xd0, + 0x11,0x96,0xfc,0x38,0x6d,0xc0,0xfa,0x5a, + 0xe1,0xc7,0xda,0x9b,0x21,0xac,0x95,0x08, + 0x38,0xbd,0x3f,0xf6,0x18,0xcf,0x2e,0x92, + 0xd2,0x2e,0x9e,0xa1,0xf4,0x2e,0xb1,0x72, + 0x3c,0x98,0xf6,0x7c,0x0e,0xbc,0x70,0x71, + 0xf4,0x50,0x0d,0x89,0x9e,0x2a,0x7a,0x5f, + 0xf4,0x6a,0xfd,0x44,0x11,0xa8,0xcc,0x29, + 0x47,0x9e,0x95,0x9c,0x68,0x87,0xba,0x15, + 0xff,0x8f,0xec,0x60,0x1a,0xe1,0xbb,0x75, + 0x2d,0x9f,0x31,0x65,0xb3,0x18,0xb8,0xc4, + 0x74,0xbc,0xf9,0x40,0x41,0xd8,0x85,0x88, + 0x3f,0x54,0x84,0x30,0xee,0x66,0x31,0xc7, + 0xed,0x52,0x55,0xcf,0xb1,0x46,0xe1,0x98, + 0x4e,0x95,0x95,0xc9,0xfc,0x74,0xd8,0x3a, + 0x1e,0x65,0xba,0x6f,0x69,0x6a,0x96,0x87, + 0xd3,0x7d,0x51,0x42,0xf9,0x6b,0x0d,0x5a, + 0x2a,0x51,0x60,0x0f,0x4e,0x8a,0x1e,0xf3, + 0x47,0xe1,0xc9,0x0d,0xcd,0xbd,0x4a,0x55, + 0x38,0x1b,0xd5,0xcd,0xad,0xeb,0x31,0x11, + 0x0c,0xeb,0xe5,0xac,0x26,0xac,0xe3,0x45, + 0x52,0xfe,0x23,0xd2,0x68,0xd3,0x89,0x9f, + 0x41,0xae,0x5d,0x76,0x64,0x38,0xde,0x08, +}; +static const unsigned char rsa_keygen1_xq1[] = { + 0x00,0xc7,0xf2,0x3d,0xa5,0xa7,0x51,0xb0, + 0xcc,0x3b,0x73,0xd1,0x9d,0x71,0x9d,0x4e, + 0x43,0xad,0x77,0xf9,0xdc,0xcb,0x32,0x9f, + 0x4b,0x8f,0xf5,0x36,0x99,0x54,0x09,0x1e, + 0xe3,0xa0,0x29,0xc6,0x6d,0x55,0x21,0x9e, + 0x96,0xec,0xdf,0xad,0x08,0x5d,0x7a,0xef, + 0x03,0xe2,0x35,0x9f,0xd0,0x77,0xdd,0xaa, + 0x8d,0x60,0x92,0xc7,0x46,0xe8,0x9d,0xab, + 0xe9,0x7c,0x2f,0x18,0x60,0xa1,0x31,0x79, + 0x4d,0x48,0x71,0xb9,0x76,0xbf,0xff,0xde, + 0x56,0x3b,0x1f,0x36,0x00,0xf3,0x9b,0x12, + 0xb8,0x8a,0x68,0x9f,0xce,0x6e,0xe7,0x08, + 0xa5,0x55,0x6d,0x08,0x3b,0xd1,0x2b,0x23, + 0x19,0x35,0x93,0x6c,0x89,0x95,0x35,0xf6, + 0xff,0x60,0x36,0x2e,0xf0,0x42,0x01,0x57, + 0x84,0x6a,0xe9,0x8c,0xc5,0x4a,0xae,0xe0, + 0xb5,0xfa,0x4f,0xab,0xb5,0xff,0x3f,0x8d, + 0x6a,0x10,0x79,0x01,0x4a,0x1f,0x7c,0xa2, + 0x16,0x2d,0xea,0x7c,0x4f,0x9c,0x02,0xf5, +}; +static const unsigned char rsa_keygen1_xq2[] = { + 0x17,0x70,0xca,0x10,0xbc,0x02,0x01,0xac, + 0xe7,0x60,0x58,0xc8,0x06,0x82,0x3a,0xc9, + 0x9e,0xd2,0x2b,0x32,0x81,0xb4,0xa1,0xb7, + 0xc0,0x0a,0xc0,0xb2,0x77,0xd1,0x05,0x62, + 0x17,0xc5,0x65,0x9f,0x49,0x6a,0xac,0x0e, + 0xe9,0x4d,0xe5,0xe8,0x88,0xcd,0xab,0x11, + 0x02,0xb8,0x28,0x1f,0x11,0x73,0x26,0x9d, + 0x0f,0x14,0x7b,0x69,0x11,0xeb,0xf9,0xcc, + 0x49,0xe1,0x96,0xb1,0x94,0x3c,0x81, +}; +static const unsigned char rsa_keygen1_xq[] = { + 0xd7,0x4b,0x7b,0x53,0x8c,0x07,0x03,0x4a, + 0x7c,0xa1,0x09,0x46,0xe4,0x15,0x3e,0x3a, + 0x22,0x81,0x29,0xf8,0xea,0x35,0xd7,0xcb, + 0x9d,0x97,0x92,0xe4,0x7b,0x65,0x86,0xac, + 0x5a,0xf1,0xb8,0x83,0xb0,0x3c,0xfc,0xa9, + 0x69,0x9b,0x82,0x31,0xa9,0x21,0x09,0xe1, + 0xfa,0xdd,0x43,0x63,0x4a,0x26,0xf4,0xa3, + 0x3e,0x03,0x2c,0x21,0x4b,0x59,0xd8,0x0f, + 0xb7,0x6b,0x60,0x23,0xb6,0x19,0x23,0xee, + 0x6a,0xd6,0x65,0x39,0x64,0xb1,0xaf,0xd0, + 0x36,0xa6,0x7b,0x39,0xef,0x5b,0x27,0xca, + 0xd7,0xb3,0xa6,0xec,0x54,0xee,0x03,0xbd, + 0x8a,0xab,0x5e,0xec,0x7e,0x51,0x86,0x85, + 0xdb,0x9e,0x3c,0x2b,0xfc,0xfd,0xc8,0xfe, + 0x6d,0xf8,0x6f,0xd3,0x6b,0xe1,0xd4,0xcb, + 0x7d,0xc7,0xd6,0x98,0xa4,0x54,0xdf,0x3b, + 0x39,0xcd,0x2f,0x0a,0x7e,0xf1,0x2c,0xc7, + 0xac,0x79,0xbb,0x81,0x5a,0x3f,0xa2,0xd3, + 0xfb,0x63,0x68,0xf6,0x37,0x96,0xd3,0xf8, + 0xe1,0x2b,0x71,0x2b,0xd1,0xd6,0x86,0xf3, + 0xc9,0x4c,0x3a,0x31,0xd0,0xea,0xe3,0x36, + 0x35,0xea,0x8f,0xa4,0x97,0x80,0x17,0x90, + 0x2a,0x3b,0x22,0xa4,0x0b,0xff,0x4b,0x1f, + 0xa2,0x57,0x6e,0x96,0xf3,0xcb,0x0b,0xab, + 0x6e,0x33,0xb8,0x45,0xea,0x90,0x3c,0x4f, + 0x7b,0x53,0xa0,0xc9,0x36,0xd6,0x52,0xe8, + 0x83,0x88,0x7b,0x62,0x7d,0xa9,0x1c,0x46, + 0xac,0xa4,0xdf,0x43,0xa8,0xc3,0xce,0x9a, + 0x55,0x64,0xb4,0xbc,0x54,0x28,0x32,0x6a, + 0x47,0xe7,0xd9,0x03,0x33,0x7d,0x2d,0xb0, + 0x4b,0xb0,0xf6,0x4f,0x04,0x23,0x43,0xce, + 0xff,0x50,0x71,0xf7,0xe3,0x1a,0xa1,0xa4, +}; +static const unsigned char rsa_keygen1_p[] = { + 0xdf,0x44,0xca,0x63,0x57,0xd3,0xb5,0x67, + 0x46,0xa5,0x52,0x99,0xfa,0xa7,0x9e,0x20, + 0x1c,0x45,0xcc,0x38,0x61,0xb2,0xb4,0x92, + 0xca,0xaa,0x6c,0x0e,0x4e,0x59,0x26,0x12, + 0xfd,0x41,0x84,0xcb,0x81,0xfe,0xf8,0xf5, + 0x0f,0xac,0x41,0xf4,0xca,0xbc,0xab,0x97, + 0x86,0xd5,0x55,0x60,0xed,0x8e,0x1a,0x76, + 0x7e,0x22,0xfd,0xea,0x64,0xb1,0x03,0x9a, + 0x7e,0xd7,0x4c,0xdd,0xfe,0x06,0x00,0xfb, + 0x2c,0x1a,0x0a,0xd7,0xb4,0xcf,0x97,0xd0, + 0x11,0x96,0xfc,0x38,0x6d,0xc0,0xfa,0x5a, + 0xe1,0xc7,0xda,0x9b,0x21,0xac,0x95,0x08, + 0x38,0xbd,0x3f,0xf6,0x18,0xcf,0x2e,0x92, + 0xd2,0x2e,0x9e,0xa1,0xf4,0x2e,0xb1,0x72, + 0x3c,0x98,0xf6,0x7c,0x0e,0xbc,0x70,0x71, + 0xf4,0x50,0x0d,0x89,0x9e,0x2a,0x7c,0x93, + 0x72,0x90,0x53,0xe0,0x35,0xd6,0x0b,0x36, + 0x9a,0xe2,0x3b,0x09,0xf7,0x06,0xb7,0x36, + 0x1b,0x44,0x18,0x7c,0x6d,0xdb,0xda,0x76, + 0xb1,0x05,0x69,0xc9,0x39,0xf6,0x69,0xc5, + 0x28,0x22,0xbc,0x6e,0xef,0x4e,0x9c,0x6c, + 0x78,0x28,0xe9,0xfa,0x9d,0xfb,0x91,0x56, + 0x10,0x95,0x49,0xa3,0x07,0x1d,0xb9,0xff, + 0xe9,0x7e,0x03,0x59,0x64,0x6d,0x39,0x0b, + 0x3d,0xdb,0xef,0xd0,0xc2,0x62,0x84,0x82, + 0xac,0xb8,0x98,0x2a,0xb5,0xe7,0x93,0x9c, + 0x7e,0x90,0xfd,0xea,0x88,0x4e,0xab,0x1d, + 0xf5,0x36,0x1d,0x23,0x40,0x89,0xa2,0x47, + 0x28,0x50,0x94,0xf1,0xff,0xa1,0xce,0xcc, + 0x0b,0xdb,0xfa,0x88,0x9d,0xdc,0x6a,0xcb, + 0x1d,0x4d,0xd5,0x94,0x21,0x84,0x8c,0xb7, + 0xac,0x82,0x56,0xa5,0xde,0x1d,0x85,0x6b, +}; +static const unsigned char rsa_keygen1_q[] = { + 0xd7,0x4b,0x7b,0x53,0x8c,0x07,0x03,0x4a, + 0x7c,0xa1,0x09,0x46,0xe4,0x15,0x3e,0x3a, + 0x22,0x81,0x29,0xf8,0xea,0x35,0xd7,0xcb, + 0x9d,0x97,0x92,0xe4,0x7b,0x65,0x86,0xac, + 0x5d,0x89,0x0d,0xf3,0x4d,0xcc,0x69,0x74, + 0x96,0xb2,0x07,0x71,0x2e,0xb9,0xde,0x66, + 0x15,0x21,0x01,0xcc,0xde,0x74,0xfb,0xe6, + 0x3e,0xd2,0x29,0x0b,0xd1,0xba,0x59,0x7e, + 0xb0,0xb0,0x09,0x67,0xe7,0xd9,0xfc,0x80, + 0x19,0x76,0x21,0x3d,0xc4,0x14,0xe3,0xfc, + 0xa4,0x44,0xf0,0x8c,0xbe,0x06,0x0c,0x75, + 0x5e,0xd0,0x77,0x08,0x90,0x93,0x5d,0x5f, + 0x47,0x99,0x4f,0x8f,0xf8,0xba,0x5d,0xde, + 0x32,0x4f,0xa9,0x4c,0xf4,0x29,0x84,0x6d, + 0xed,0x60,0xfe,0x74,0xf7,0xbb,0x04,0xfc, + 0x1f,0xa8,0x86,0x5d,0x56,0x14,0x11,0xc3, + 0xe2,0xef,0x3b,0x30,0x6b,0x81,0xe5,0x5f, + 0xa1,0x6b,0xd2,0x55,0x03,0xce,0xa7,0xbc, + 0x3a,0xaf,0xe6,0xa2,0xa0,0x94,0xb5,0x3d, + 0xf5,0x1c,0x40,0xd5,0xd4,0x18,0x4b,0xfa, + 0xc0,0xf4,0x2f,0x8b,0xa0,0x79,0x3a,0x91, + 0x0a,0x32,0xd4,0xa4,0xf3,0x8d,0x13,0xa7, + 0x20,0x8e,0x06,0x43,0xc3,0xaf,0xca,0xa8, + 0xee,0xd2,0xc5,0x2a,0xef,0x69,0xc1,0xef, + 0x95,0x16,0xb4,0x3b,0x18,0x8e,0x19,0xba, + 0xf8,0xc1,0x6f,0x5c,0xa0,0xdb,0xdd,0x5a, + 0xe9,0x97,0x3b,0xf4,0x84,0x27,0x51,0xa7, + 0x56,0x44,0xe3,0x68,0x10,0xb2,0x88,0x0b, + 0xff,0x03,0x4a,0x91,0x7f,0x52,0x18,0x65, + 0x78,0x1a,0x2b,0x09,0xa5,0xba,0x3d,0x60, + 0xf4,0x5b,0x99,0x7c,0xb8,0x7b,0xfc,0xf7, + 0x18,0x2e,0x03,0x3d,0x2c,0x98,0xc4,0x8d, +}; +static const unsigned char rsa_keygen1_n[] = { + 0xbb,0xc4,0x9a,0xaf,0xa4,0x88,0x9e,0x36, + 0xb5,0x15,0x97,0x5b,0xcf,0x8e,0x5e,0x10, + 0xee,0x03,0xff,0x06,0x2a,0xa8,0x32,0x83, + 0xb2,0x72,0x4f,0x1d,0xe4,0x23,0x05,0xa2, + 0x2c,0x4e,0xc9,0xb3,0xd5,0x60,0x8f,0x49, + 0x8b,0xbf,0x8d,0x4a,0x9c,0x99,0x5b,0xbf, + 0xce,0x2b,0xd1,0x24,0x60,0x9c,0x52,0x7c, + 0xbc,0xd6,0x4c,0x78,0x7c,0x4a,0x26,0xe4, + 0x17,0xf9,0x2f,0xeb,0x20,0x0a,0x8c,0x69, + 0x0a,0xd1,0x93,0x9a,0xc3,0xf5,0x2e,0xf5, + 0x50,0x90,0xcc,0xe4,0xec,0x87,0xb1,0x2f, + 0x34,0x9a,0x6d,0x2b,0x4b,0x73,0x41,0x12, + 0xe6,0x1d,0x26,0x80,0xf9,0x5e,0x71,0x70, + 0xaa,0xa1,0x25,0x6c,0x61,0xcd,0x91,0xb2, + 0x47,0x66,0x79,0x1f,0x90,0x4c,0x2e,0x56, + 0x2c,0x5f,0xe0,0x50,0xe5,0x89,0x52,0xe9, + 0xe6,0x17,0xfa,0xab,0x7e,0x67,0xa1,0x67, + 0x16,0x1b,0xee,0x18,0xd6,0xd0,0x0a,0xec, + 0xf6,0x9b,0x5d,0x6f,0xe1,0x2e,0xad,0x1a, + 0x09,0x14,0xab,0xd5,0x78,0x52,0x00,0x74, + 0xec,0x66,0xbb,0x49,0xad,0xcb,0xd0,0x77, + 0xe2,0x3e,0x45,0x4f,0x89,0xf4,0x04,0x47, + 0x5b,0xe2,0xc5,0xd2,0x3e,0xaf,0x65,0x8e, + 0x0c,0xfc,0x80,0x6d,0x71,0xab,0x3d,0x81, + 0x6f,0xfe,0xce,0x9d,0xa3,0x40,0x24,0x18, + 0x15,0x2b,0x7f,0xd5,0xfe,0xe0,0x09,0xe3, + 0xbb,0xb8,0xf4,0x5b,0x8a,0x5f,0x37,0xeb, + 0x33,0xff,0x07,0x4b,0x4b,0x0d,0xcf,0x6d, + 0x2b,0x56,0xf1,0xa3,0x25,0xd7,0x4c,0xfa, + 0x64,0x77,0x2c,0x54,0x76,0xa2,0xdc,0x56, + 0x81,0x0a,0xc1,0x0f,0xc7,0x6f,0xf6,0xe4, + 0xe7,0x12,0xb0,0x24,0x33,0x77,0x26,0x6c, + 0x84,0x2a,0xe4,0x4e,0x73,0x8b,0xe6,0xaf, + 0x6e,0x39,0x6f,0x6e,0x4c,0xb1,0x24,0x6d, + 0x4c,0x55,0x67,0xaf,0x37,0xf8,0x65,0x0a, + 0x68,0x27,0x01,0xb0,0x59,0x8d,0xc9,0x30, + 0x21,0x3b,0x5d,0x03,0x4e,0xbe,0x1d,0xae, + 0xa5,0xd1,0x07,0x61,0xa9,0x3c,0xe9,0x79, + 0x34,0xb1,0x6c,0x3a,0x95,0xd6,0x64,0xa0, + 0xc7,0x58,0xe6,0x3c,0x19,0x67,0x12,0x63, + 0x63,0x9e,0xe8,0x1d,0x80,0xba,0xc6,0x57, + 0x4c,0x90,0x06,0xb3,0xe5,0x4f,0xfe,0xf6, + 0x7c,0x68,0x4e,0x3e,0xd8,0x4c,0x8c,0x19, + 0xab,0x36,0x50,0x07,0x40,0xff,0x78,0x90, + 0x33,0xd8,0x1c,0xe4,0x29,0xcb,0x50,0x79, + 0xa6,0xa2,0x62,0xaa,0x4b,0x7c,0x7e,0x8a, + 0x6c,0xe3,0x9b,0xf3,0x0a,0x85,0xb7,0xe7, + 0x5d,0xef,0x0f,0x26,0x6c,0x6e,0xb8,0xb2, + 0xd6,0xc8,0xf0,0x78,0x55,0x15,0xf5,0xc6, + 0x50,0x4d,0xef,0x75,0x3c,0xe8,0xb2,0x17, + 0x08,0x70,0x6b,0xc5,0x05,0x14,0xa6,0x00, + 0x83,0x95,0x03,0x6c,0xe2,0x49,0xfd,0x51, + 0x6c,0xc4,0xea,0xc4,0xce,0x4e,0x33,0xbf, + 0x37,0x3d,0xe8,0x8d,0x0c,0x3c,0x49,0xf7, + 0x06,0xca,0x77,0x09,0x12,0x4f,0x5e,0xdb, + 0xd0,0xad,0x40,0xf0,0x36,0x54,0xc3,0x5b, + 0x39,0x37,0xca,0x80,0x96,0x86,0x62,0xb8, + 0x1a,0x8b,0xc1,0x60,0xaf,0xf8,0xbe,0xc5, + 0x04,0xcd,0x2d,0xb6,0x38,0x8c,0x95,0x15, + 0x35,0xf0,0x74,0xae,0x89,0x9f,0x90,0x95, + 0x28,0x04,0x25,0xbc,0xac,0x23,0x64,0x54, + 0x38,0x5f,0x6c,0x25,0x34,0x72,0x0b,0xbc, + 0x48,0xfa,0x05,0x0e,0x31,0x60,0x48,0xb3, + 0x09,0x9c,0xb7,0x5e,0x8b,0xf0,0x67,0xef, +}; + static const struct rsa_keygen_st rsa_keygen_data[] = { { 2048, @@ -1339,6 +1601,25 @@ static const struct rsa_keygen_st rsa_keygen_data[] = { ITM(rsa_keygen0_n), ITM(rsa_keygen0_d), }, + { + 4096, + ITM(rsa_keygen1_e), + ITM(rsa_keygen1_xp1), + ITM(rsa_keygen1_xp2), + ITM(rsa_keygen1_xp), + ITM(rsa_keygen1_xq1), + ITM(rsa_keygen1_xq2), + ITM(rsa_keygen1_xq), + ITM_NULL, + ITM_NULL, + ITM_NULL, + ITM_NULL, + ITM(rsa_keygen1_p), + ITM(rsa_keygen1_q), + ITM(rsa_keygen1_n), + ITM_NULL, + 3, 5 + } }; #define NO_PSS_SALT_LEN -1 diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c index f009bf61724..0efebb389ed 100644 --- a/test/rsa_sp800_56b_test.c +++ b/test/rsa_sp800_56b_test.c @@ -491,7 +491,7 @@ static int test_sp80056b_keygen(int id) int sz = keygen_size[id]; ret = TEST_ptr(key = RSA_new()) - && TEST_true(ossl_rsa_sp800_56b_generate_key(key, sz, NULL, NULL)) + && TEST_true(ossl_rsa_sp800_56b_generate_key(key, sz, NULL, NULL, 0, 0)) && TEST_true(ossl_rsa_sp800_56b_check_public(key)) && TEST_true(ossl_rsa_sp800_56b_check_private(key)) && TEST_true(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, sz)); diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm index b9c53b0047f..eed78467df3 100644 --- a/util/perl/OpenSSL/paramnames.pm +++ b/util/perl/OpenSSL/paramnames.pm @@ -421,6 +421,8 @@ my %params = ( 'OSSL_PKEY_PARAM_RSA_MGF1_DIGEST' => '*OSSL_PKEY_PARAM_MGF1_DIGEST', 'OSSL_PKEY_PARAM_RSA_PSS_SALTLEN' => "saltlen", 'OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ' => "rsa-derive-from-pq", + 'OSSL_PKEY_PARAM_RSA_A' => "rsa-a", + 'OSSL_PKEY_PARAM_RSA_B' => "rsa-b", # EC, X25519 and X448 Key generation parameters 'OSSL_PKEY_PARAM_DHKEM_IKM' => "dhkem-ikm",