Usage notes for the IBMCA provider
For IBMCA provider operations using RSA keys, ECC keys, or DH keys you need to consider the listed usage notes and restrictions.
- Using RSA keys:
  - Multi-prime RSA keys are not supported. That is, parameter primes must be 2 when generating an RSA key. Furthermore, parameters rsa-factor3 through rsa-factor10, parameters rsa-exponent3 through rsa-exponent10, and parameters rsa-coefficient2 through rsa-coefficient9 are not supported. For details about these parameters, refer to:
    https://www.openssl.org/docs/manmaster/man7/EVP_PKEY-RSA.html
  - The IBMCA provider supports implicit rejection with RSA PKCS#1 v1.5. If the RSA PKCS#1 v1.5 padding is incorrect when decrypting, implicit rejection returns a pseudo-random message and does not return any error. The pseudo-random message is based on static secret data (the private exponent) and the provided ciphertext. Therefore, an attacker cannot determine that the returned value is randomly generated instead of being the result of decryption and de-padding.
    Implicit rejection is enabled by default when IBMCA is compiled against an OpenSSL version that supports the implicit rejection parameter rsa_pkcs1_implicit_rejection. It can be disabled by setting the rsa_pkcs1_implicit_rejection parameter to zero on an operation context. This is the same behavior as with plain OpenSSL.
- Using EC keys:
  - Only named curves are supported. You must set parameter encoding to named_curve when generating or importing an EC key (encoding=explicit is not supported). Furthermore, the following explicit curve domain parameters are not supported: field-type, p, a, b, generator, order, cofactor, seed, m, basis-type, tp, k1, k2, k3, decoded-from-explicit. For details about these parameters, refer to:
    https://www.openssl.org/docs/manmaster/man7/EVP_PKEY-EC.html
  - Parameter group-check is not supported and is ignored if specified. For details about this parameter, refer to:
    https://www.openssl.org/docs/manmaster/man7/EVP_PKEY-EC.html
  - Cofactor mode is not supported. That is, parameter use-cofactor-flag must be 0 when generating or importing an EC key. For details about this parameter, refer to:
    https://www.openssl.org/docs/manmaster/man7/EVP_PKEY-EC.html
  - DH-based KEM (DHKEM) is supported since a combination of OpenSSL 3.2.0 or later with IBMCA provider version 2.5.0 or later, but it is always performed by the fallback provider. If using an older OpenSSL/IBMCA provider combination, the parameter dhkem-ikm is not supported and is rejected if specified.
  - Deterministic signatures are supported since a combination of OpenSSL 3.2.0 or later with IBMCA provider version 2.5.0 or later, but they are always performed by the fallback provider. If using an older OpenSSL/IBMCA provider combination, the parameter nonce-type can only be 0. Any other value is rejected, because this would enable deterministic signatures.
- Using DH keys:
  Parameter generation is always handled by the software fallback. The libica library does not support any DH parameter generation mechanisms. It only supports the modular exponentiation operation for RSA, which is also used by the DH key generation and key derive operation of the IBMCA provider.
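
The implicit rejection behavior described under "Using RSA keys" can be modeled in a few lines. The following Python sketch is an added example, not code from OpenSSL, libica, or the IBMCA provider. It assumes a constructed toy key and a simplified HMAC-based derivation; function names such as synthetic_message are assumptions of the example, and the code is not constant-time.

```python
import hashlib
import hmac
import os

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (30)


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def encrypt(msg: bytes) -> int:
    """PKCS#1 v1.5 encryption block: 00 02 <non-zero padding> 00 <message>."""
    pad_len = K - 3 - len(msg)
    if pad_len < 8:
        raise ValueError("message too long")
    pad = bytes(b % 255 + 1 for b in os.urandom(pad_len))
    em = b"\x00\x02" + pad + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N)


def synthetic_message(c: int) -> bytes:
    """Pseudo-random message keyed by the private exponent and the ciphertext."""
    kdk = _prf(hashlib.sha256(D.to_bytes(K, "big")).digest(), c.to_bytes(K, "big"))
    length = int.from_bytes(_prf(kdk, b"length"), "big") % (K - 10)
    return _prf(kdk, b"message")[:length]


def decrypt(c: int, implicit_rejection: bool = True) -> bytes:
    if not 0 <= c < N:
        raise ValueError("ciphertext out of range")
    em = pow(c, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] == b"\x00\x02" and sep >= 10:
        return em[sep + 1:]
    if implicit_rejection:
        return synthetic_message(c)  # no error: the failure is not observable
    raise ValueError("invalid PKCS#1 v1.5 padding")  # observable padding signal


if __name__ == "__main__":
    bad_em = b"\x00\x01" + b"\xff" * (K - 3) + b"\x00"  # wrong block type
    bad = pow(int.from_bytes(bad_em, "big"), E, N)
    print(decrypt(encrypt(b"session key")))
    print(decrypt(bad).hex(), decrypt(bad).hex())  # same value on every call
```

Because the synthetic message depends only on the key and the ciphertext, repeated decryption of the same malformed ciphertext yields the same bytes, just as a real plaintext would.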