Alternative to -rand option for genpkey
Viktor Dukhovni
openssl-users at dukhovni.org
Fri Jan 12 23:56:07 UTC 2024
On Fri, Jan 12, 2024 at 08:49:46PM +0100, Raj via openssl-users wrote:
> Regarding the first point: I tried generating two private RSA keys
> with the "-rand file.dat" option without changing the contents of
> file.dat. I received two different keys. Therefore I think the file
> cannot be the only seed. Otherwise the process should be deterministic
> and the keys should be identical, right?
Correct. The "-rand" option mixes in additional "random" data, it is
not the exclusive source.
Lack of "-rand" support in genpkey is plausibly an oversight. Modulo
the requisite documentation updates, the below patch adds the missing
support:
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -26,3 +26,3 @@ typedef enum OPTION_choice {
OPT_VERBOSE, OPT_QUIET, OPT_CONFIG, OPT_OUTPUBKEY,
- OPT_PROV_ENUM
+ OPT_PROV_ENUM, OPT_R_ENUM
} OPTION_CHOICE;
@@ -52,3 +52,3 @@ const OPTIONS genpkey_options[] = {
- OPT_PROV_OPTIONS,
+ OPT_PROV_OPTIONS, OPT_R_OPTIONS,
@@ -190,2 +190,6 @@ int genpkey_main(int argc, char **argv)
break;
+ case OPT_R_CASES:
+ if (!opt_rand(o))
+ goto end;
+ break;
}
@@ -197,2 +201,5 @@ int genpkey_main(int argc, char **argv)
+ if (!app_RAND_load())
+ goto end;
+
/* Fetch cipher, etc. */
--
Viktor.
More information about the openssl-users
mailing list