Re: EVP_KEY_cmp and -_parameters issues

2019-08-07 Thread Johannes.Heinz
Now I've got it.
Thank you very much.

-Original Message-
From: Thulasi Goriparthi
Sent: Wednesday, 7 August 2019 09:42
To: Heinz, Johannes
Cc: openssl-users@openssl.org
Subject: Re: EVP_KEY_cmp and -_parameters issues

RSA keys wouldn't have parameters that are separated from key components. So, 
EVP_PKEY_cmp() is applicable, but not EVP_PKEY_cmp_parameters().

DH keys, which are generally used for key exchange, are short lived, though the 
group parameters can be comparatively valid for longer duration (let's say for 
a whole session) and can be used to generate multiple DH keys. So, 
EVP_PKEY_cmp_parameters() is useful to validate peer's public key parameters 
during key exchange to confirm that both peers are working in the same group.

Though EVP_PKEY_cmp() function can be extended to compare both parameters and 
key components for DH keys, it wouldn't be of much use as DH keys are 
ephemeral and we never need to compare two of them for their key components.

Thanks,
Thulasi.

On Wed, 7 Aug 2019 at 12:27,  wrote:
>
> I have a question about the following situation with RSA and DH structures:
>
> I’m testing these in separated unit tests.
>
> Both test cases (each one for RSA and DH) are doing the same:
>
>
>
> I’m creating a new DH or RSA structure, filling it with my params (pqg 
> …) and converting it to an EVP_PKEY (for example: EVP_PKEY_assign_DH => 
> pkey1)
>
> Next step, I’m writing and reading this structure with these functions:
>
> PEM_write_bio_PrivateKey() (not PEM_write_bio_PrivateKey_traditional() 
> ) (with password)
>
> EVP_PKEY* pkey2 = PEM_read_bio_PrivateKey() (with same password)
>
> (or even without a password)
>
>
>
> Now I want to compare these two EVP_PKEY* variables (pkey1 and pkey2) and for 
> that I can use these two functions:
>
> EVP_PKEY_cmp(pkey1, pkey2) (compares components and params)
>
> EVP_PKEY_cmp_parameters(pkey1, pkey2) (compares params)
>
>
>
> Now the Problem:
>
> Even though the tests work the same way, the one with RSA only accepts the 
> compare function “EVP_PKEY_cmp” and not the other one.
>
> The one with DH is only successful with “EVP_PKEY_cmp_parameters”.
>
>
>
> Question:
>
> Why can the first compare function find the components and params of the RSA 
> structure (and even after the PEM_write_bio…) and not of the DH?
>
> Also, why is it the other way around with the second compare function (only 
> params) (keys match in DH unit test and not in RSA unit test)?
>
>
>
> Thanks


Re: EVP_KEY_cmp and -_parameters issues

2019-08-07 Thread Thulasi Goriparthi
RSA keys wouldn't have parameters that are separated from key
components. So, EVP_PKEY_cmp() is applicable, but not
EVP_PKEY_cmp_parameters().

DH keys, which are generally used for key exchange, are short lived,
though the group parameters can be comparatively valid for longer
duration (let's say for a whole session) and can be used to generate
multiple DH keys. So, EVP_PKEY_cmp_parameters() is useful to validate
peer's public key parameters during key exchange to confirm that both
peers are working in the same group.

Though EVP_PKEY_cmp() function can be extended to compare both
parameters and key components for DH keys, it wouldn't be of much use
as DH keys are ephemeral and we never need to compare two of them for
their key components.

Thanks,
Thulasi.

On Wed, 7 Aug 2019 at 12:27,  wrote:
>
> I have a question about the following situation with RSA and DH structures:
>
> I’m testing these in separated unit tests.
>
> Both test cases (each one for RSA and DH) are doing the same:
>
>
>
> I’m creating a new DH or RSA structure, filling it with my params (pqg …) and 
> converting it to an EVP_PKEY (for example: EVP_PKEY_assign_DH => pkey1)
>
> Next step, I’m writing and reading this structure with these functions:
>
> PEM_write_bio_PrivateKey() (not PEM_write_bio_PrivateKey_traditional() ) 
> (with password)
>
> EVP_PKEY* pkey2 = PEM_read_bio_PrivateKey() (with same password)
>
> (or even without a password)
>
>
>
> Now I want to compare these two EVP_PKEY* variables (pkey1 and pkey2) and for 
> that I can use these two functions:
>
> EVP_PKEY_cmp(pkey1, pkey2) (compares components and params)
>
> EVP_PKEY_cmp_parameters(pkey1, pkey2) (compares params)
>
>
>
> Now the Problem:
>
> Even though the tests work the same way, the one with RSA only accepts the 
> compare function “EVP_PKEY_cmp” and not the other one.
>
> The one with DH is only successful with “EVP_PKEY_cmp_parameters”.
>
>
>
> Question:
>
> Why can the first compare function find the components and params of the RSA 
> structure (and even after the PEM_write_bio…) and not of the DH?
>
> Also, why is it the other way around with the second compare function (only 
> params) (keys match in DH unit test and not in RSA unit test)?
>
>
>
> Thanks


EVP_KEY_cmp and -_parameters issues

2019-08-07 Thread Johannes.Heinz
I have a question about the following situation with RSA and DH structures:
I'm testing these in separated unit tests.
Both test cases (each one for RSA and DH) are doing the same:

I'm creating a new DH or RSA structure, filling it with my params (pqg ...) and 
converting it to an EVP_PKEY (for example: EVP_PKEY_assign_DH => pkey1)
Next step, I'm writing and reading this structure with these functions:
PEM_write_bio_PrivateKey() (not PEM_write_bio_PrivateKey_traditional() ) (with 
password)
EVP_PKEY* pkey2 = PEM_read_bio_PrivateKey() (with same password)
(or even without a password)

Now I want to compare these two EVP_PKEY* variables (pkey1 and pkey2) and for 
that I can use these two functions:
EVP_PKEY_cmp(pkey1, pkey2) (compares components and params)
EVP_PKEY_cmp_parameters(pkey1, pkey2) (compares params)

Now the Problem:
Even though the tests work the same way, the one with RSA only accepts the 
compare function "EVP_PKEY_cmp" and not the other one.
The one with DH is only successful with "EVP_PKEY_cmp_parameters".

Question:
Why can the first compare function find the components and params of the RSA 
structure (and even after the PEM_write_bio...) and not of the DH?
Also, why is it the other way around with the second compare function (only 
params) (keys match in DH unit test and not in RSA unit test)?

Thanks


EVP_KEY_cmp and -_parameters issues

2019-07-25 Thread Johannes.Heinz
I have a question about the following situation with RSA and DH structures:
I'm testing these in separated unit tests.
Both test cases (each one for RSA and DH) are doing the same:

I'm creating a new DH or RSA structure, filling it with my params (pqg ...) and 
converting it to an EVP_PKEY (for example: EVP_PKEY_assign_DH => pkey1)
Next step, I'm writing and reading this structure with these functions:
PEM_write_bio_PrivateKey() (not PEM_write_bio_PrivateKey_traditional() ) (with 
password)
EVP_PKEY* pkey2 = PEM_read_bio_PrivateKey() (with same password)
(or even without a password)

Now I want to compare these two EVP_PKEY* variables (pkey1 and pkey2) and for 
that I can use these two functions:
EVP_PKEY_cmp(pkey1, pkey2) (compares components and params)
EVP_PKEY_cmp_parameters(pkey1, pkey2) (compares params)

Now the Problem:
Even though the tests work the same way, the one with RSA only accepts the 
compare function "EVP_PKEY_cmp" and not the other one.
The one with DH is only successful with "EVP_PKEY_cmp_parameters".

Question:
Why can the first compare function find the components and params of the RSA 
structure (and even after the PEM_write_bio...) and not of the DH?
Also, why is it the other way around with the second compare function (only 
params) (keys match in DH unit test and not in RSA unit test)?

Greetings
Johannes