The following restrictions apply to the ``pbits'' field:
For ``fips186_4'' this must be either 2048 or 3072. For ``fips186_2'' this must be 1024. For ``group'' this can be any one of 2048, 3072, 4096, 6144 or 8192.
For DSA keys, EVP_PKEY_param_check_quick(3) behaves in the following way: A simple check of L and N and partial g is performed. The default provider also supports validation of legacy ``fips186_2'' keys.
For DSA keys, EVP_PKEY_public_check(3), EVP_PKEY_private_check(3) and EVP_PKEY_pairwise_check(3) the OpenSSL default and FIPS providers conform to the rules within SP800-56Ar3 for public, private and pairwise tests respectively.
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
The DSA domain parameters can be generated by calling:
unsigned int pbits = 2048; unsigned int qbits = 256; int gindex = 1; OSSL_PARAM params[5]; EVP_PKEY *param_key = NULL; EVP_PKEY_CTX *pctx = NULL; pctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL); EVP_PKEY_paramgen_init(pctx); params[0] = OSSL_PARAM_construct_uint("pbits", &pbits); params[1] = OSSL_PARAM_construct_uint("qbits", &qbits); params[2] = OSSL_PARAM_construct_int("gindex", &gindex); params[3] = OSSL_PARAM_construct_utf8_string("digest", "SHA384", 0); params[4] = OSSL_PARAM_construct_end(); EVP_PKEY_CTX_set_params(pctx, params); EVP_PKEY_generate(pctx, ¶m_key); EVP_PKEY_CTX_free(pctx); EVP_PKEY_print_params(bio_out, param_key, 0, NULL);
A DSA key can be generated using domain parameters by calling:
EVP_PKEY *key = NULL; EVP_PKEY_CTX *gctx = NULL; gctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_key, NULL); EVP_PKEY_keygen_init(gctx); EVP_PKEY_generate(gctx, &key); EVP_PKEY_CTX_free(gctx); EVP_PKEY_print_private(bio_out, key, 0, NULL);
Licensed under the Apache License 2.0 (the ``License''). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <https://www.openssl.org/source/license.html>.