On 19 March 2013 10:37, azhar jodatti <azhar...@gmail.com> wrote:
>
>
> On Tue, Mar 19, 2013 at 2:58 PM, Matt Caswell <fr...@baggins.org> wrote:
>>
>> On 19 March 2013 09:01, azhar jodatti <azhar...@gmail.com> wrote:
>>
>> > And possibly relevant here, the standard Suncle JCE provider actually
>> > uses DSA paramgen for DH and thus imposes the DSA size restrictions
>> > on DH -- 512 to 1024 in steps of 64 -- although they aren't required
>> > by any standard I know of. I don't recall if JCE also restricts
>> > *existing* (received) params; I'll test when I have some time.
>> > I do recall you can get around this by using BouncyCastle instead.
>> > But just using 1024 is easy and fine.
>> > -->
>> >
>> > Sometimes I get the below error "Prime size must be multiple of 64, and can
>> > only range from 512 to 1024 (inclusive)"
>> > when I use small prime numbers. It means JCE uses DSA parameters for the DH
>> > algorithm. What is the OpenSSL equivalent to this?
>> >
>> >         KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
>> >         kpg.initialize(1024);
>> >         keyPair = kpg.generateKeyPair();
>> >
>> >         DHParameterSpec dhSpec = ((DHPublicKey)
>> > keyPair.getPublic()).getParams();
>> >         baseGenerator = dhSpec.getG();
>> >         prime = dhSpec.getP();
>> >         sizeInBits = dhSpec.getL();
>> > Is this Java code equivalent to the below C code?
>> >         DH_generate_parameters_ex(client,1024,DH_GENERATOR_5,NULL);
>> >
>> > See, with OpenSSL I have to pass DH_GENERATOR which only allows (2 and
>> > 5) but that is not required in the Java version. It generates its own base
>> > generator.
>>
>> It appears to be equivalent, although I am not familiar with the JCE
>> API. What I do not understand though is why you have code to generate
>> parameters on *both* sides of your communication. If you are going to
>> generate params every time (which both Dave and myself have advised
>> against - it is an expensive operation), you still only need to do it
>> on one side of the communication. So, after a  bit of googling, I
>> would expect to see something like this on the Java side (if the C
>> side generates the params):
>
>
> Well, both of the above code snippets are at the client side, not at the server. I
> understand I don't have to generate keys at both ends. I just wanted to
> give you an idea how I am doing it in Java and C to generate the keys. As
> you said, both code snippets appear to be equivalent, but practically it doesn't seem
> like it, at least in my scenario, because parameters generated with the above Java
> code work with my server but that's not the case with parameters generated
> with the above C code.
>
>>
>>
>> KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
>> kpg.initialize(new DHParameterSpec(/* p value passed from C */, /* g
>> value passed from C */));
>> keyPair = kpg.generateKeyPair();
>>
> Yes, I'm doing this at the server. After generating keyPair I am generating
> the keyAgreement as well. Below is the code for this:
>
>         KeyAgreement keyAgree = KeyAgreement.getInstance("DH");
>         keyAgree.init(keyPair.getPrivate());
>         //this generates public key at server
>         byte[] serverPubKeyEnc = keyPair.getPublic().getEncoded();
>         //I really don't know how exactly it does this. but its mandatory
>         keyAgree.doPhase(clientPublicKey, true);
>         //this generates secret key at server
>         byte[] sharedSecret = keyAgree.generateSecret();
>
Can you share the code where you load the parameters from the C side into
JCE? Also how you set up clientPublicKey. Finally, it would be useful if
you can dump out the parameters after they have been read, and compare
them to the JSON sent.

Matt
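The two things Matt asks for above (how externally generated p and g get into JCE, and how clientPublicKey is built from what the C side sends) in one runnable Java program. This is an added example, not code from the thread or from OpenSSL; it simulates both peers in Java so it runs without any C code. The p and g are the RFC 2409 1024-bit MODP group (generator 2), standing in for the hex a C peer would print with BN_bn2hex(); the function names, the hex transport format and the "raw y" wire format are assumptions made for the example.

```java
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;

public class DhFromExternalParams {

    // Stand-in for the hex a C peer would send after BN_bn2hex(p) / BN_bn2hex(g).
    // These are the RFC 2409 "Second Oakley Group" values (1024-bit MODP, g = 2),
    // used so the example runs without a C side; a real deployment loads whatever
    // p and g the C peer actually generated.
    static final String P_HEX =
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
      + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
      + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
      + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
      + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
      + "FFFFFFFFFFFFFFFF";
    static final String G_HEX = "2";

    private static final BigInteger TWO = BigInteger.valueOf(2);

    /** Validate received parameters before handing them to JCE (hypothetical helper). */
    static DHParameterSpec checkedParams(BigInteger p, BigInteger g) {
        int bits = p.bitLength();
        // The size rule quoted in the thread is the Sun provider's, not a standard's;
        // newer JDKs accept larger p, but a multiple of 64 is still required.
        if (bits < 512 || bits > 1024 || bits % 64 != 0) {
            throw new IllegalArgumentException("p must be 512..1024 bits in steps of 64, got " + bits);
        }
        if (!p.isProbablePrime(64)) {
            throw new IllegalArgumentException("p is not prime");
        }
        if (g.compareTo(TWO) < 0 || g.compareTo(p.subtract(TWO)) > 0) {
            throw new IllegalArgumentException("g must lie in [2, p-2]");
        }
        return new DHParameterSpec(p, g);
    }

    /** Rebuild the peer's public key from the raw y value a C peer sends (assumed wire format). */
    static PublicKey peerKeyFromRawY(String yHex, DHParameterSpec params) throws Exception {
        BigInteger y = new BigInteger(yHex, 16);
        // Reject degenerate public values (0, 1, p-1, out of range) before any arithmetic.
        if (y.compareTo(TWO) < 0 || y.compareTo(params.getP().subtract(TWO)) > 0) {
            throw new IllegalArgumentException("peer public value out of range");
        }
        return KeyFactory.getInstance("DH")
                .generatePublic(new DHPublicKeySpec(y, params.getP(), params.getG()));
    }

    /** Rebuild a peer key from the SubjectPublicKeyInfo DER that getEncoded() produces. */
    static PublicKey peerKeyFromEncoded(byte[] der) throws Exception {
        return KeyFactory.getInstance("DH").generatePublic(new X509EncodedKeySpec(der));
    }

    /** One-phase DH: our private key plus the peer's public key gives the shared secret. */
    static byte[] agree(KeyPair mine, PublicKey peer) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(mine.getPrivate());
        ka.doPhase(peer, true); // true: this is the last (only) peer value in the agreement
        return ka.generateSecret();
    }

    public static void main(String[] args) throws Exception {
        DHParameterSpec params = checkedParams(new BigInteger(P_HEX, 16), new BigInteger(G_HEX, 16));

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        kpg.initialize(params);               // use the loaded p and g, do not regenerate
        KeyPair client = kpg.generateKeyPair(); // stands in for the C client
        KeyPair server = kpg.generateKeyPair();

        // Dump what JCE actually loaded, so it can be compared with the C side's values.
        DHParameterSpec loaded = ((DHPublicKey) server.getPublic()).getParams();
        System.out.println("p = " + loaded.getP().toString(16));
        System.out.println("g = " + loaded.getG().toString(16));
        System.out.println("p bits = " + loaded.getP().bitLength());

        // The client sends only its y value as hex; the server reconstructs the key from it.
        String clientYHex = ((DHPublicKey) client.getPublic()).getY().toString(16);
        PublicKey clientPublicKey = peerKeyFromRawY(clientYHex, params);
        byte[] serverSecret = agree(server, clientPublicKey);

        // The server replies with getEncoded() (SubjectPublicKeyInfo); the client parses that.
        byte[] clientSecret = agree(client, peerKeyFromEncoded(server.getPublic().getEncoded()));
        System.out.println("secrets match: " + Arrays.equals(serverSecret, clientSecret));
    }
}
```

Two points the thread's code does not make explicit: the server's getEncoded() output is an X.509 SubjectPublicKeyInfo structure, not a bare big-endian y, so a C peer has to parse it as such rather than feeding the bytes to BN_bin2bn; and if the parameters dumped by the Java side differ from what the C side generated (wrong byte order, a sign bit, or hex versus decimal), the key agreement silently produces different secrets on the two sides, which is exactly the symptom described above.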
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org