Generates ASN.1 encoded key parameters.
Format
#include <gskcms.h>
gsk_status gsk_generate_key_parameters(
        x509_algorithm_type   key_algorithm,
        int                   key_size,
        gsk_buffer *          key_params )
Parameters
- key_algorithm
- Specifies the key algorithm.
- key_size
- Specifies the key size in bits.
- key_params
- Returns the generated key parameters as an ASN.1-encoded sequence. The
application should call the gsk_free_buffer() routine to release the
buffer when the key parameters are no longer needed.
Results
The function return value will be 0 if no error is detected. Otherwise, it
will be one of the return codes listed in the gskcms.h include file. These
are some possible errors:
- [CMSERR_ALG_NOT_SUPPORTED]
- The key algorithm is not supported.
- [CMSERR_BAD_KEY_SIZE]
- The key size is not valid.
- [CMSERR_NO_MEMORY]
- Insufficient storage is available.
Usage
The gsk_generate_key_parameters() routine
will generate key parameters that can then be used with the gsk_generate_key_pair() routine
to generate one or more public/private key pairs.
These key
algorithms are supported:
- x509_alg_idDsa - Digital Signature Standard - {1.2.840.10040.4.1}
The key size can be between 512 and 1024 bits, in which case it is rounded up
to a multiple of 64 bits, or exactly 2048 bits. Key sizes less than 1024 bits
can be generated only in non-FIPS mode and are generated according to
FIPS 186-2; key sizes of 1024 and 2048 bits are generated according to
FIPS 186-3. The generated ASN.1 sequence consists of the prime P, the
subprime Q, and the base G. For a 2048-bit key size, the subprime Q is
256 bits long. See FIPS 186-3: Digital Signature Standard (DSS) for more
information about generating the key parameters for key sizes of 1024 bits
and greater, and FIPS 186-2: Digital Signature Standard (DSS) for smaller
key sizes.
- x509_alg_dhPublicNumber - Diffie-Hellman Key Exchange - {1.2.840.10046.2.1}
The key size must be between 512 and 2048 bits when not executing in FIPS
mode, and must be 2048 bits when executing in FIPS mode; it is rounded up to
a multiple of 64 bits if necessary. In non-FIPS mode, the generated ASN.1
sequence consists of the prime P, the base G, the subprime Q, and the
subgroup factor J, where P = J*Q + 1. In FIPS mode, the generated ASN.1
sequence consists of the prime P and the base G. See RFC 2631:
Diffie-Hellman Key Agreement Method for more information about the
generation of the key parameters, and RFC 5280: Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List (CRL) Profile
for more information about the ASN.1 encoding.
Multiple Digital Signature Standard keys or Diffie-Hellman Key Exchange keys
can share the same group parameters (P, Q, and G). This is useful when
generating multiple keys of the same type, since computing P, Q, and G is
very time-consuming. In addition, the Diffie-Hellman key agreement algorithm
requires both parties to use the same group parameters when computing the
secret value (an SSL client generates temporary Diffie-Hellman values if the
group parameters in the client certificate are not the same as the group
parameters in the server certificate).
- x509_alg_ecPublicKey - ECDSA and ECDH Public Key - {1.2.840.10045.2.1}
The key size must be between 0 and 521 bits. The key size value is rounded
up to the nearest supported key size, and the default EC named curve for
that key size is used, as specified in Table 2. In FIPS mode, only
NIST-recommended curves are supported.
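The following Python example is added here; it is not part of the System SSL documentation or of IBM's code. It encodes the three parameter layouts described above for the DSA and Diffie-Hellman algorithms (P, Q, G for DSA; P, G, Q, J for Diffie-Hellman outside FIPS mode; P, G in FIPS mode), decodes such a key_params buffer, and checks the group arithmetic that a caller of gsk_generate_key_pair() or a peer reusing shared group parameters relies on: P and Q prime, Q dividing P-1, G of order Q, and J equal to (P-1)/Q. The generate_group() helper builds toy parameters by the plain P = J*Q + 1 construction so that the checks have realistic input; it is not the FIPS 186 procedure, and the function names, the toy sizes and the constructed test values are assumptions of this example, not anything the library exposes.

```python
"""Encode, decode and sanity-check DSA / Diffie-Hellman group parameters.

Added example, not part of the System SSL documentation or IBM's code. It
assumes key_params is a DER SEQUENCE of INTEGERs in the order the page
gives: (P, Q, G) for DSA, (P, G, Q, J) for Diffie-Hellman outside FIPS
mode, (P, G) in FIPS mode. Sizes used here are toy-sized and constructed
for the example; they are far too small for real use.
"""
import random


def der_len(n):
    # DER length: short form below 128, else 0x80 | byte count, then the bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v):
    # Positive INTEGER; the spare high byte keeps the sign bit clear when needed
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body


def der_seq(items):
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body


def _tlv(buf, pos):
    # One tag-length-value: returns (tag, content, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_params(buf):
    """INTEGER values of a single DER SEQUENCE, in order."""
    tag, body, end = _tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single DER SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, content, pos = _tlv(body, pos)
        if tag != 0x02:
            raise ValueError("non-INTEGER element in parameter SEQUENCE")
        values.append(int.from_bytes(content, "big"))  # parameters are positive
    return values


def is_probable_prime(n, rounds=32):
    """Miller-Rabin: adequate for a sanity check, not a certification."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group(p, q, g):
    """Problems with a (P, Q, G) group as a list; empty means it passed."""
    problems = []
    if not is_probable_prime(p):
        problems.append("P is not prime")
    if not is_probable_prime(q):
        problems.append("Q is not prime")
    if (p - 1) % q:
        problems.append("Q does not divide P-1")
    if not 1 < g < p:
        problems.append("G is out of range")
    elif pow(g, q, p) != 1:       # catches G = P-1 (order 2) and other bad bases
        problems.append("G does not have order Q")
    return problems


def generate_group(p_bits, q_bits):
    """Toy (P, Q, G) with P = J*Q + 1 (plain construction, not FIPS 186)."""
    while True:
        q = random.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(4096):
            j = (random.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
            p = j * q + 1             # J even keeps P odd
            if p.bit_length() != p_bits or not is_probable_prime(p):
                continue
            h = 2
            while pow(h, j, p) == 1:  # h^J has order Q unless it collapses to 1
                h += 1
            return p, q, pow(h, j, p)


def encode_dsa_params(p, q, g):
    return der_seq([der_int(p), der_int(q), der_int(g)])


def encode_dh_params(p, q, g, fips=False):
    if fips:
        return der_seq([der_int(p), der_int(g)])
    return der_seq([der_int(p), der_int(g), der_int(q), der_int((p - 1) // q)])


def validate_params(buf, algorithm, fips=False):
    """Decode a key_params buffer by its expected layout and check the group."""
    v = decode_params(buf)
    if algorithm == "dsa" and len(v) == 3:
        p, q, g = v
    elif algorithm == "dh" and fips and len(v) == 2:
        p, g = v                  # no Q in the FIPS layout, so only P and the range of G
        return ([] if is_probable_prime(p) else ["P is not prime"]) + (
            [] if 1 < g < p else ["G is out of range"])
    elif algorithm == "dh" and not fips and len(v) == 4:
        p, g, q, j = v
        if j * q != p - 1:
            return ["J is not (P-1)/Q"]
    else:
        return ["unexpected element count %d for %s" % (len(v), algorithm)]
    return check_group(p, q, g)
```

A caller would run validate_params() on the buffer gsk_generate_key_parameters() returns before passing it to gsk_generate_key_pair(), and again on any parameters received from a peer before reusing them; the element-count check is what distinguishes a DSA buffer from a Diffie-Hellman one, since both carry the same OID-free SEQUENCE of INTEGERs.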