Closed jldodds closed 9 years ago
I have taken care of this for BouncyCastle by digging into its source code and extracting/replicating the two private methods it uses to do this generation. In OpenSSL, the test harness appears to do the right thing - even though their sample vectors are outdated, the ones the test harness actually generates (for DSA, at least) seem fine.
It is likely that it generates only probable primes (Appendix A.1.1.2 of FIPS 186-4) instead of guaranteed primes (A.1.2.1), although it's possible it can do both.
Generator method also matters: The generator g must be generated using either the method of Appendix A.2.1 of FIPS 186-4, for an unverifiable generation, or the method of A.2.3 for a verifiable canonical generation of the value. An implementation may support one or both of these methods for generating g.
It is not clear what OpenSSL uses either, because this isn't a requirement for the old tests. This also means that the OpenSSL vectors are outdated.
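An added example, not part of the original thread and not BouncyCastle or OpenSSL code: the two generator methods named above (FIPS 186-4 A.2.1 and A.2.3), with the matching checks (A.2.2 partial validation and A.2.4 canonical verification). The toy p and q, the seed value, the choice of SHA-256 and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy domain parameters (q prime, q divides p-1); far too small for real use.
P, Q = 607, 101
SEED = b"constructed-domain-parameter-seed"  # stands in for domain_parameter_seed


def gen_g_unverifiable(p, q):
    """A.2.1: g = h^((p-1)/q) mod p for an arbitrary h; retry while g == 1."""
    e = (p - 1) // q
    while True:
        h = 2 + secrets.randbelow(p - 3)  # 1 < h < p-1
        g = pow(h, e, p)
        if g != 1:
            return g


def gen_g_verifiable(p, q, seed, index, hash_name="sha256"):
    """A.2.3: derive g from the seed, an 8-bit index and a 16-bit counter."""
    if not 0 <= index <= 0xFF:
        raise ValueError("index must fit in 8 bits")
    e = (p - 1) // q
    for count in range(1, 0x10000):
        # U = domain_parameter_seed || "ggen" || index || count
        u = seed + b"ggen" + bytes([index]) + count.to_bytes(2, "big")
        w = int.from_bytes(hashlib.new(hash_name, u).digest(), "big")
        g = pow(w, e, p)
        if g >= 2:
            return g
    return None  # counter wrapped around: INVALID


def partial_validate_g(p, q, g):
    """A.2.2: g is in range and has order q; says nothing about how g was made."""
    return 2 <= g <= p - 1 and pow(g, q, p) == 1


def verify_canonical_g(p, q, seed, index, g):
    """A.2.4: recompute g from the seed and index and compare with the claimed g."""
    return partial_validate_g(p, q, g) and g == gen_g_verifiable(p, q, seed, index)


if __name__ == "__main__":
    g = gen_g_verifiable(P, Q, SEED, 1)
    other = pow(g, 2, P)  # a valid order-q element that was not derived from the seed
    print("canonical g:", g, verify_canonical_g(P, Q, SEED, 1, g))
    print("substituted g:", other, partial_validate_g(P, Q, other),
          verify_canonical_g(P, Q, SEED, 1, other))
```

A substituted generator of the correct order passes the A.2.2 check but fails the A.2.4 check, which is why test vectors need to state which generation method they exercise.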