=pod =head1 NAME EVP_PKEY-RSA, EVP_KEYMGMT-RSA, RSA - EVP_PKEY RSA keytype and algorithm support =head1 DESCRIPTION The B keytype is implemented in OpenSSL's default and FIPS providers. That implementation supports the basic RSA keys, containing the modulus I, the public exponent I, the private exponent I, and a collection of prime factors, exponents and coefficient for CRT calculations, of which the first few are known as I

and I, I and I, and I. =head2 Common RSA parameters In addition to the common parameters that all keytypes should support (see L), the B keytype implementation supports the following. =over 4 =item "n" (B) The RSA modulus "n" value. =item "e" (B) The RSA public exponent "e" value. This value must always be set when creating a raw key using L. Note that when a decryption operation is performed, that this value is used for blinding purposes to prevent timing attacks. =item "d" (B) The RSA private exponent "d" value. =item "rsa-factor1" (B) =item "rsa-factor2" (B) =item "rsa-factor3" (B) =item "rsa-factor4" (B) =item "rsa-factor5" (B) =item "rsa-factor6" (B) =item "rsa-factor7" (B) =item "rsa-factor8" (B) =item "rsa-factor9" (B) =item "rsa-factor10" (B) RSA prime factors. The factors are known as "p", "q" and "r_i" in RFC8017. Up to eight additional "r_i" prime factors are supported. =item "rsa-exponent1" (B) =item "rsa-exponent2" (B) =item "rsa-exponent3" (B) =item "rsa-exponent4" (B) =item "rsa-exponent5" (B) =item "rsa-exponent6" (B) =item "rsa-exponent7" (B) =item "rsa-exponent8" (B) =item "rsa-exponent9" (B) =item "rsa-exponent10" (B) RSA CRT (Chinese Remainder Theorem) exponents. The exponents are known as "dP", "dQ" and "d_i in RFC8017". Up to eight additional "d_i" exponents are supported. =item "rsa-coefficient1" (B) =item "rsa-coefficient2" (B) =item "rsa-coefficient3" (B) =item "rsa-coefficient4" (B) =item "rsa-coefficient5" (B) =item "rsa-coefficient6" (B) =item "rsa-coefficient7" (B) =item "rsa-coefficient8" (B) =item "rsa-coefficient9" (B) RSA CRT (Chinese Remainder Theorem) coefficients. The coefficients are known as "qInv" and "t_i". Up to eight additional "t_i" exponents are supported. =back =head2 RSA key generation parameters When generating RSA keys, the following key generation parameters may be used. =over 4 =item "bits" (B) The value should be the cryptographic length for the B cryptosystem, in bits. =item "primes" (B) The value should be the number of primes for the generated B key. The default is 2. It isn't permitted to specify a larger number of primes than 10. Additionally, the number of primes is limited by the length of the key being generated so the maximum number could be less. Some providers may only support a value of 2. =item "e" (B) The RSA "e" value. The value may be any odd number greater than or equal to 65537. The default value is 65537. For legacy reasons a value of 3 is currently accepted but is deprecated. =back =head2 RSA key generation parameters for FIPS module testing When generating RSA keys, the following additional key generation parameters may be used for algorithm testing purposes only. Do not use these to generate RSA keys for a production environment. =over 4 =item "xp" (B) =item "xq" (B) These 2 fields are normally randomly generated and are used to generate "p" and "q". =item "xp1" (B) =item "xp2" (B) =item "xq1" (B) =item "xq2" (B) These 4 fields are normally randomly generated. The prime factors "p1", "p2", "q1" and "q2" are determined from these values. =back =head2 RSA key parameters for FIPS module testing The following intermediate values can be retrieved only if the values specified in L are set. These should not be accessed in a production environment. =over 4 =item "p1" (B) =item "p2" (B) =item "q1" (B) =item "q2" (B) The auxiliary probable primes. =back =head2 RSA key validation For RSA keys, L and L both return 1 unconditionally. For RSA keys, L conforms to the SP800-56Br1 I when the OpenSSL FIPS provider is used. The OpenSSL default provider performs similiar tests but relaxes the keysize restrictions for backwards compatibility. For RSA keys, L is the same as L. For RSA keys, L conforms to the SP800-56Br1 I. For RSA keys, L conforms to the SP800-56Br1 I for the OpenSSL FIPS provider. The OpenSSL default provider allows testing of the validity of multi-primes. =head1 CONFORMING TO =over 4 =item FIPS186-4 Section B.3.6 Generation of Probable Primes with Conditions Based on Auxiliary Probable Primes =item RFC 8017, excluding RSA-PSS and RSA-OAEP =for comment RSA-PSS, and probably also RSA-OAEP, need separate keytypes, and will be described in separate pages for those RSA keytypes. =back =head1 EXAMPLES An B context can be obtained by calling: EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); An B key can be generated simply like this: pkey = EVP_RSA_gen(4096); or like this: EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); EVP_PKEY_keygen_init(pctx); EVP_PKEY_generate(pctx, &pkey); EVP_PKEY_CTX_free(pctx); An B key can be generated with key generation parameters: unsigned int primes = 3; unsigned int bits = 4096; OSSL_PARAM params[3]; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); EVP_PKEY_keygen_init(pctx); params[0] = OSSL_PARAM_construct_uint("bits", &bits); params[1] = OSSL_PARAM_construct_uint("primes", &primes); params[2] = OSSL_PARAM_construct_end(); EVP_PKEY_CTX_set_params(pctx, params); EVP_PKEY_generate(pctx, &pkey); EVP_PKEY_print_private(bio_out, pkey, 0, NULL); EVP_PKEY_CTX_free(pctx); =head1 SEE ALSO L, L, L, L =head1 COPYRIGHT Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. =cut