EVP_PKEY-DSA, EVP_KEYMGMT-DSA - EVP_PKEY DSA keytype and algorithm support
| Use Case | Command | Description |
|---|---|---|
| đ ī¸ Get a DSA context | EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL) | Create an EVP_PKEY_CTX for DSA operations. |
| âī¸ Generate domain parameters | EVP_PKEY_paramgen_init(ctx); | Generate DSA domain parameters (p, q, g) with specified pbits, qbits, digest, and gindex. |
| đ Generate key from parameters | EVP_PKEY_keygen_init(ctx); | Generate a DSA keypair using previously generated domain parameters. |
| đ Print parameters | EVP_PKEY_print_params(bio_out, pkey, 0, NULL) | Print DSA domain parameters to a BIO output. |
For DSA the FIPS186-4 standard specifies that the values used for FFC parameter generation are also required for parameter validation. This means that optional FFC domain parameter values for seed, pcounter and gindex may need to be stored for validation purposes. For DSA these fields are not stored in the ASN1 data so they need to be stored externally if validation is required.
The DSA key type supports the FFC parameters (see "FFC parameters" in EVP_PKEY-FFC(7)).
The DSA key type supports the FFC key generation parameters (see "FFC key generation parameters" in EVP_PKEY-FFC(7)).
The following restrictions apply to the "pbits" field:
An EVP_PKEY context can be obtained by calling:
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
The DSA domain parameters can be generated by calling:
unsigned int pbits = 2048;
unsigned int qbits = 256;
int gindex = 1;
OSSL_PARAM params[5];
EVP_PKEY *param_key = NULL;
EVP_PKEY_CTX *pctx = NULL;
pctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
EVP_PKEY_paramgen_init(pctx);
params[0] = OSSL_PARAM_construct_uint("pbits", &pbits);
params[1] = OSSL_PARAM_construct_uint("qbits", &qbits);
params[2] = OSSL_PARAM_construct_int("gindex", &gindex);
params[3] = OSSL_PARAM_construct_utf8_string("digest", "SHA384", 0);
params[4] = OSSL_PARAM_construct_end();
EVP_PKEY_CTX_set_params(pctx, params);
EVP_PKEY_generate(pctx, ¶m_key);
EVP_PKEY_CTX_free(pctx);
EVP_PKEY_print_params(bio_out, param_key, 0, NULL);
A DSA key can be generated using domain parameters by calling:
EVP_PKEY *key = NULL;
EVP_PKEY_CTX *gctx = NULL;
gctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_key, NULL);
EVP_PKEY_keygen_init(gctx);
EVP_PKEY_generate(gctx, &key);
EVP_PKEY_CTX_free(gctx);
EVP_PKEY_print_private(bio_out, key, 0, NULL);
The following sections of FIPS 186-4:
Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <https://www.openssl.org/source/license.html>.
Generated by phpman v4.9.22-1-g1b0fcb4 · Markdown · JSON · MCP Author: Che Dong Under GNU General Public License
2026-07-05 09:01 @216.73.216.52
CrawledBy Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
Enhanced by LLM: deepseek-v4-pro / taotoken.net / www.chedong.com - original format