CryptoSys PKI Toolkit Manual

RSA_MakeKeys

Generates an RSA public/private key pair and saves as a public key file and PKCS-8 encrypted private key file.

VB6/VBA Syntax

Public Declare Function RSA_MakeKeys Lib "diCrPKI.dll" (ByVal strPubKeyFile As String, ByVal strPvkKeyFile As String, ByVal nBits As Long, ByVal nExpFermat As Long, ByVal nTests As Long, ByVal nCount As Long, ByVal strPassword As String, ByVal strSeed As String, ByVal nSeedLen As Long, ByVal nOptionFlags As Long) As Long

nRet = RSA_MakeKeys(strPublicKeyFile, strPrivateKeyFile, nBits, nExpFermat, nTests, nCount, strPassword, strSeed, nSeedLen, nOptionFlags)

Parameters

strPublicKeyFile
[in] String with name of public key file to be created.
strPrivateKeyFile
[in] String with name of encrypted private key file to be created.
nBits
[in] Long containing the required key size in bits (minimum 96).
nExpFermat
[in] Long specifying the exponent to be used. Select from:
PKI_RSAEXP_EQ_3 for 3
PKI_RSAEXP_EQ_5 for 5
PKI_RSAEXP_EQ_17 for 17 (0x11)
PKI_RSAEXP_EQ_257 for 257 (0x101)
PKI_RSAEXP_EQ_65537 for 65537 (0x10001) (default)
nTests
[in] Long specifying the number of Rabin-Miller tests to be performed (recommended at least 50).
nCount
[in] Long specifying the iteration count to be used when encrypting the private key (default = 1; recommended at least 1000).
strPassword
[in] String containing the password to be used to encrypt the private key file.
strSeed
[in] String containing a user-specified seed to be used by the random number generator (specify "" or NULL to ignore).
nSeedLen
[in] Long containing the length of the seed in bytes.
nOptionFlags
[in] Long containing a flag to indicate the algorithm to be used to encrypt the private key file. Select from:
PKI_PBE_SHA_3DES (0) for "pbeWithSHAAnd3-KeyTripleDES-CBC" (default)
PKI_PBE_MD5_DES for "pbeWithMD5AndDES-CBC" (not recommended)
PKI_PBE_MD2_DES for "pbeWithMD2AndDES-CBC" (not recommended)
PKI_PBE_SHA_DES for "pbeWithSHA1AndDES-CBC" (not recommended)
or PKI_PBE_PBES2 for "pkcs5PBES2" plus one of
(see security options for encrypted private keys)
and optionally add
PKI_KEYGEN_INDICATE to indicate progress in a console window (see remarks below),
plus
PKI_KEY_FORMAT_PEM or
PKI_KEY_FORMAT_SSL to save the key files in base64-PEM format (default is binary BER-encoded format).

C/C++ Syntax

long _stdcall RSA_MakeKeys(const char *szPubKeyFile, const char *szPVKFile, long nBits, long nExpFermat, long nTests, long nCount, const char *szPassword, const char *sSeed, long nSeedLen, long nOptions);

Returns (VB6/C)

Long: If successful, the return value is zero; otherwise it returns a nonzero error code.

.NET Equivalent

Rsa.MakeKeys Method
Rsa.MakeKeys Method
Rsa.MakeKeys Method

Remarks

The RSA key is stored by default as a pair of DER-encoded binary files. The public and private keys are encoded into ASN.1 values of type RSAPublicKey and RSAPrivateKey respectively (defined in PKCS #1). The private key is then encrypted and encoded into a PKCS #8 EncryptedPrivateKeyInfo type. Any existing files of the same names will be overwritten without warning. The key length must be greater than 96 bits. The value of the exponent is limited to the five values listed. The password and iteration count are used to encrypt the private key according to the specified PBE algorithm specified in nOptionFlags. The password should be a string of ASCII characters and must not contain any NUL characters (i.e. Chr(0)). The seed is optional and is used to supplement the seeding of the random number generator. The seed is passed as an ANSI string and may contain any 8-bit value including the NUL (zero) value. The length of the seed must be specified. The user may use the seed to provide some additional value that is unique when the keys are being generated. See Random Number Generator and Seeds for more information.

The default format for the files is binary DER-encoded format. Use either the PKI_KEY_FORMAT_PEM or the PKI_KEY_FORMAT_SSL flag to save in base64 "PEM" format. Files saved with the PKI_KEY_FORMAT_SSL flag should be compatible with OpenSSL. For more details on the formats, see RSA_SavePublicKey and RSA_SaveEncPrivateKey.

Generating RSA key pairs can take some time. On a 1GHz P3 test machine, the following times were typical:

Key sizeTime
512< 1 second
10245 seconds
20481 minute
40966 minutes
81921 hour

Some programs like Office Access will get bored waiting for the longer processes to finish and may hang. Setting the PKI_KEYGEN_INDICATE flag will show progress in a separate console window (actually two, one for p and one for q). Having a console window show progress will keep the parent application happy. A dot "." indicates a new candidate is being tested, and an asterisk "*" indicates that a Rabin-Miller test has been carried out (that is the expensive part of the process). The program will close these console windows down automatically. Do not use the PKI_KEYGEN_INDICATE option in a multi-threaded environment. For console-based programs, this option just shows the progress in the standard output.

Caution: pressing Ctrl-C or Ctrl-Break in the console window will kill your entire process altogether; that is, abort your whole application, which may not be what you want.

There is a very, very small possibility that the generator may fail to find a suitable prime number candidate within the number of iterations it carries out. If this happens (we've never seen it, but it could in theory), the function will return a KEYGEN_FAILED_ERROR error code 24. This in itself does not indicate a systemic problem with the Toolkit, just an incredibly unlucky event. Let us know if it happens more than once.

Example

Dim nRet As Long
Dim sPublicKeyFile As String
Dim sPrivateKeyFile As String
Dim sPassword As String

sPublicKeyFile = "C:\Test\mykey.pub"
sPrivateKeyFile = "C:\Test\mykey.epk"
sPassword = "password"

' Create a new pair of RSA keys saved as BER-encoded files
Debug.Print "About to create a new RSA key pair..."

nRet = RSA_MakeKeys(sPublicKeyFile, sPrivateKeyFile, 512, _
    PKI_RSAEXP_EQ_3, 50, 1000, sPassword, "", 0, PKI_PBE_MD5_DES)
    
Debug.Print "RSA_MakeKeys returns " & nRet & " (expected 0)"

The example above will generate a 512-bit RSA key pair and store in two files, a public key file C:\Test\mykey.pub and an encrypted private key file C:\Test\mykey.epk. The exponent will be 3. Rabin-Miller tests will be carried out 50 times to verify that the values of p and q are prime. The private key will be encrypted using the default "pbeWithSHAAnd3-KeyTripleDES-CBC" algorithm using the password "password" and an iteration count of 1000. 

strSeed = "yyyseed345"
nRet = RSA_MakeKeys(sPublicKeyFile, sPrivateKeyFile, 2048, 
    PKI_RSAEXP_EQ_65537, 64, 3000, "94tMhvTr7gvVy48q", strSeed, Len(strSeed), 
    PKI_PBE_PBES2+PKI_BC_AES128)

The second example generates a 2048-bit RSA key pair with the exponent 65537 (0x10001). Sixty-four Rabin-Miller tests are used to test for primality. The private key will be encrypted using the PBES2 algorithm with AES-128 as the encryption scheme, the password "94tMhvTr7gvVy48q", and an iteration count of 3000. The string "yyyseed345" will be added to the RNG seeding process.

See Also

RSA_ReadEncPrivateKey RSA_ReadPublicKey RSA_SaveEncPrivateKey RSA_SavePublicKey

[Contents] [Index]

[HOME]   [NEXT: RSA_RawPrivate...]
Copyright © 2004-10 D.I. Management Services Pty Ltd. All rights reserved.