On 19 March 2013 09:01, azhar jodatti <azhar...@gmail.com> wrote:

> And possibly relevant here, the standard Suncle JCE provider actually
> uses DSA paramgen for DH and thus imposes the DSA size restrictions
> on DH -- 512 to 1024 in steps of 64 -- although they aren't required
> by any standard I know of. I don't recall if JCE also restricts
> *existing* (received) params; I'll test when I have some time.
> I do recall you can get around this by using BouncyCastle instead.
> But just using 1024 is easy and fine.
> -->
>
> Sometimes I get the error below: "Prime size must be multiple of 64, and can only
> range from 512 to 1024 (inclusive)"
> when I use small prime numbers. It means JCE uses DSA parameters for the DH
> algorithm. What is the OpenSSL equivalent to this?
>
>     KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
>     kpg.initialize(1024);
>     keyPair = kpg.generateKeyPair();
>
>     DHParameterSpec dhSpec = ((DHPublicKey) keyPair.getPublic()).getParams();
>     baseGenerator = dhSpec.getG();
>     prime = dhSpec.getP();
>     sizeInBits = dhSpec.getL();
>
> Is this Java code equivalent to the C code below?
>
>     DH_generate_parameters_ex(client, 1024, DH_GENERATOR_5, NULL);
>
> See, with OpenSSL I have to pass DH_GENERATOR, which only allows 2 and 5,
> but that is not required in the Java version. It generates its own base generator.
It appears to be equivalent, although I am not familiar with the JCE API.

What I do not understand though is why you have code to generate parameters on *both* sides of your communication. If you are going to generate params every time (which both Dave and I have advised against - it is an expensive operation), you still only need to do it on one side of the communication.

So, after a bit of googling, I would expect to see something like this on the Java side (if the C side generates the params):

    KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
    kpg.initialize(new DHParameterSpec(/* p value passed from C */, /* g value passed from C */));
    keyPair = kpg.generateKeyPair();

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
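The Java side of the arrangement Matt describes, written out as an added example (not code from the thread): the C peer generates p and g once with OpenSSL and ships them as hex strings in the form BN_bn2hex() produces; the Java peer checks them, builds a DHParameterSpec from them instead of running its own paramgen, and returns its public value in the same hex form so the C side can read it with BN_hex2bn(). The parseOpenSslParams helper and its checks are this example's own; the embedded p is the well-known 1024-bit MODP group from RFC 2409 (generator 2), used as a stand-in for whatever p the C side actually produced.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;

public class DhParamsFromC {
    // Stand-in for the p the C side would send: the 1024-bit MODP prime of
    // RFC 2409, written as OpenSSL's BN_bn2hex() would print a BIGNUM.
    static final String P_HEX =
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
      + "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
      + "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
      + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF";
    // This group uses generator 2 (DH_GENERATOR_2 on the C side).
    static final String G_HEX = "02";

    // Example helper (not a JCE API): parse the hex p and g received from the
    // C peer and reject anything that is not the group we agreed on.
    static DHParameterSpec parseOpenSslParams(String pHex, String gHex, int expectedBits) {
        BigInteger p = new BigInteger(pHex, 16);
        BigInteger g = new BigInteger(gHex, 16);
        if (p.bitLength() != expectedBits)
            throw new IllegalArgumentException("unexpected prime size " + p.bitLength());
        if (!p.isProbablePrime(64))
            throw new IllegalArgumentException("p is not prime");
        BigInteger pMinusOne = p.subtract(BigInteger.ONE);
        if (g.compareTo(BigInteger.ONE) <= 0 || g.compareTo(pMinusOne) >= 0)
            throw new IllegalArgumentException("g out of range");
        return new DHParameterSpec(p, g);
    }

    public static void main(String[] args) throws Exception {
        DHParameterSpec spec = parseOpenSslParams(P_HEX, G_HEX, 1024);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        kpg.initialize(spec);            // received p and g; no paramgen on this side
        KeyPair kp = kpg.generateKeyPair();
        // Public value y = g^x mod p, sent back to the C side as hex for BN_hex2bn().
        BigInteger y = ((DHPublicKey) kp.getPublic()).getY();
        System.out.println("Y=" + y.toString(16).toUpperCase());
    }
}
```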