AW: EVP_KEY_cmp and -_parameters issues

Johannes.Heinz at telekom.de Johannes.Heinz at telekom.de
Wed Aug 7 08:19:15 UTC 2019 

Now I've got it.
Thank you very much.

-----Ursprüngliche Nachricht-----
Von: Thulasi Goriparthi <thulasi.goriparthi at gmail.com> 
Gesendet: Mittwoch, 7. August 2019 09:42
An: Heinz, Johannes <Johannes.Heinz at telekom.de>
Cc: openssl-users at openssl.org
Betreff: Re: EVP_KEY_cmp and -_parameters issues

RSA keys wouldn't have parameters that are separated from key components. So, EVP_PKEY_cmp() is applicable, but not EVP_PKEY_cmp_parameters().

DH keys, which are generally used for key exchange, are short lived, though the group parameters can be comparatively valid for longer duration (let's say for a whole session) and can be used to generate multiple DH keys. So, EVP_PKEY_cmp_parameters() is useful to validate peer's public key parameters during key exchange to confirm that both peers are working in the same group.

Though EVP_PKEY_cmp() function can be extended to compare both parameters and key components for DH keys,  it wouldn't be of much use as DH keys are ephemeral and we never need to compare two of them for their key components.

Thanks,
Thulasi.

On Wed, 7 Aug 2019 at 12:27, <Johannes.Heinz at telekom.de> wrote:
>
> I have a question to following situation with RSA and DH structures:
>
> I’m testing these in separated unit tests.
>
> Both test cases (each one for RSA and DH) are doing the same:
>
>
>
> I’m creating a new DH or RSA structure, filling it with my params (pqg 
> …) and convert it to an EVP_PKEY (for example: EVP_PKEY_assign_DH => 
> pkey1)
>
> Next step, I’m writing and reading this structure with these functions:
>
> PEM_write_bio_PrivateKey() (not PEM_write_bio_PrivateKey_traditional() 
> ) (with password)
>
> EVP_PKEY* pkey2 = PEM_read_bio_PrivateKey() (with same password)
>
> (or even without a password)
>
>
>
> Now I want to compare these two EVP_PKEY* variables (pkey1 and pkey2) and for that I can use these two functions:
>
> EVP_PKEY_cmp(pkey1, pkey2) (compares components and params)
>
> EVP_PKEY_cmp_parameters(pkey1, pkey2) (compares params)
>
>
>
> Now the Problem:
>
> Even the tests work the same way, the one with RSA only accept the compare-function “EVP_PKEY_cmp” and not the other one.
>
> The one with DH is only with the “EVP_PKEY_cmp_parameters” successful.
>
>
>
> Question:
>
> Why can the first compare function find the components and params of the RSA structure (and even after the PEM_write_bio…) and not of the DH?
>
> Also, why it’s with the second compare function (only params) the other way around (keys match in DH unit test and not in RSA unit test)?
>
>
>
> Thanks

More information about the openssl-users mailing list