diff options
| author | Shane Lontis <shane.lontis@oracle.com> | 2020-06-17 11:33:16 +1000 |
|---|---|---|
| committer | Shane Lontis <shane.lontis@oracle.com> | 2020-06-17 11:33:16 +1000 |
| commit | 4f2271d58a36b2aee125062ffb9626c6208fa394 (patch) | |
| tree | 122e6de930647c37a35b5f457448a031e51969b8 /doc/man7/EVP_PKEY-RSA.pod | |
| parent | 5a147abd790075cdc97b36ff5084e2eb1d779b95 (diff) | |
Add ACVP fips module tests
For FIPS validation purposes - Automated Cryptographic Validation Protocol (ACVP) tests need to be
performed. (See https://github.com/usnistgov/ACVP). These tests are very similiar to the old CAVS tests.
This PR uses a hardwired subset of these test vectors to perform similiar operations,
to show the usage and prove that the API's are able to perform the required operations.
It may also help with communication with the lab (i.e- The lab could add a test here to show
a unworking use case - which we can then address).
The EVP layer performs these tests instead of calling lower level API's
as was done in the old FOM.
Some of these tests require access to internals that are not normally allowed/required.
The config option 'acvp_tests' (enabled by default) has been added so that this
access may be removed.
The mechanism has been implemented as additional OSSL_PARAM values that can be set and get.
A callback mechanism did not seem to add any additional benefit.
These params will not be added to the gettables lists.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11572)
Diffstat (limited to 'doc/man7/EVP_PKEY-RSA.pod')
| -rw-r--r-- | doc/man7/EVP_PKEY-RSA.pod | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/doc/man7/EVP_PKEY-RSA.pod b/doc/man7/EVP_PKEY-RSA.pod index 28f61e4066..428aa613a2 100644 --- a/doc/man7/EVP_PKEY-RSA.pod +++ b/doc/man7/EVP_PKEY-RSA.pod @@ -131,10 +131,63 @@ For legacy reasons a value of 3 is currently accepted but is deprecated. =back +=head2 RSA key generation parameters for FIPS module testing + +When generating RSA keys, the following additional key generation parameters may +be used for algorithm testing purposes only. Do not use these to generate +RSA keys for a production environment. + +=over 4 + +=item "xp" (B<OSSL_PKEY_PARAM_RSA_TEST_XP>) <unsigned integer> + +=item "xq" (B<OSSL_PKEY_PARAM_RSA_TEST_XQ>) <unsigned integer> + +These 2 fields are normally randomly generated and are used to generate "p" and +"q". + +=item "xp1" (B<OSSL_PKEY_PARAM_RSA_TEST_XP1>) <unsigned integer> + +=item "xp2" (B<OSSL_PKEY_PARAM_RSA_TEST_XP2>) <unsigned integer> + +=item "xq1" (B<OSSL_PKEY_PARAM_RSA_TEST_XQ1>) <unsigned integer> + +=item "xq2" (B<OSSL_PKEY_PARAM_RSA_TEST_XQ2>) <unsigned integer> + +These 4 fields are normally randomly generated. The prime factors "p1", "p2", +"q1" and "q2" are determined from these values. + +=back + +=head2 RSA key parameters for FIPS module testing + +The following intermediate values can be retrieved only if the values +specified in L</"RSA key generation parameters for FIPS module testing"> are set. +These should not be accessed in a production environment. + +=over 4 + +=item "p1" (B<OSSL_PKEY_PARAM_RSA_TEST_P1>) <unsigned integer> + +=item "p2" (B<OSSL_PKEY_PARAM_RSA_TEST_P2>) <unsigned integer> + +=item "q1" (B<OSSL_PKEY_PARAM_RSA_TEST_Q1>) <unsigned integer> + +=item "q2" (B<OSSL_PKEY_PARAM_RSA_TEST_Q2>) <unsigned integer> + +The auxiliary probable primes. + +=back + =head1 CONFORMING TO =over 4 +=item FIPS186-4 + +Section B.3.6 Generation of Probable Primes with Conditions Based on +Auxiliary Probable Primes + =item RFC 8017, excluding RSA-PSS and RSA-OAEP =for comment RSA-PSS, and probably also RSA-OAEP, need separate keytypes, |