What do the dots and pluses mean when OpenSSL generates keys?
When computing DHPARAM you will get these as the output while computing Diffie-Hellman parameters:
- `.` : A potential prime number was generated.
- `+` : Number is being tested for primality.
- `*` : A prime number was found.

References:
- source code: `dh_cb` function in `dhparam.c`
- man page: `dhparam`
In the context of Diffie-Hellman parameter generation, `.` means a potential prime has been generated. `+` means one iteration of the Miller-Rabin primality test has been passed. `*` means a prime has been found that satisfies one iteration of the Miller-Rabin primality test.

Under default conditions, for generating a prime with at least 1300 bits, two iterations of the Miller-Rabin primality test are done. That's why you see `++*++*` at the end. The first `+` means the prime p itself has passed one iteration of the Miller-Rabin primality test. The second `+` means (p-1)/2 also has passed one iteration of the Miller-Rabin primality test. The first `*` indicates both p and (p-1)/2 have passed an iteration of the Miller-Rabin primality test. Then both are retested again (since `BN_prime_checks_for_size(2048) == 2` for two iterations), so you see `++*` again.
Since p and (p-1)/2 passed both iterations of primality tests, the process stops and returns p.
So if you see one `+`, it means a candidate prime generated passed one iteration of the primality test but (p-1)/2 didn't. If you see `++*` but not `++*++*` it means both p and (p-1)/2 passed the first iteration of primality tests but one of them failed the second iteration (which in all likelihood would never happen for 2048-bit keys and longer -- a cosmic ray flipping a bit during the calculation is more likely).
References:
- man page: `BN_GENCB_call`
- man page: `BN_is_prime_fasttest_ex`
- source code: `BN_generate_prime_ex`
- source code: `BN_prime_checks_for_size`
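The safe-prime search loop that the answer above walks through (candidate sieved, then `p` and `(p-1)/2` each put through one Miller-Rabin round per iteration, with `.`, `+` and `*` emitted at the same points as OpenSSL's `BN_GENCB` callback) is easiest to see on a small key size. The following is an added Python model written for this page; it is not OpenSSL's code and not part of either answer. All function names, the 48-bit demo size, the seeded RNG and the small-prime sieve list are assumptions made for illustration, and the number of rounds is a parameter defaulting to the value the answer quotes for 2048-bit parameters (the real `BN_prime_checks_for_size` table depends on the OpenSSL version).

```python
"""Model of the progress characters `openssl dhparam` prints while hunting for a safe prime.

Added example, not OpenSSL code: reimplements in plain Python the loop that
BN_generate_prime_ex() runs with safe=1 so the '.', '+' and '*' callbacks can be
observed at a small size.  Names, sizes and the sieve list are assumptions.
"""
import random

# Assumed sieve list: candidates with any of these as a factor are skipped before
# any Miller-Rabin work, as OpenSSL's candidate sieve does.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def miller_rabin_round(n, rng):
    """One Miller-Rabin round with a random base.

    True means n survived this witness ("probably prime"); False means the witness
    proved n composite.  Models a single BN_is_prime_fasttest_ex() call with checks=1.
    """
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    a = rng.randrange(2, n - 1)
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(r - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False


def sieved_candidate(bits, rng):
    """Random p = 2q + 1 with exactly `bits` bits where neither p nor q has a small factor."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1  # odd, top bit of q set
        p = 2 * q + 1                                          # so p has exactly `bits` bits
        if all(p % s and q % s for s in SMALL_PRIMES):
            return p


def generate_safe_prime(bits, checks=2, seed=None):
    """Return (p, trace): a probable safe prime and the characters dhparam would print.

    checks = Miller-Rabin rounds demanded of both p and (p-1)/2; the answer quotes
    BN_prime_checks_for_size(2048) == 2, hence the default.  The seed only makes the
    demo reproducible.
    """
    rng = random.Random(seed)
    trace = []
    while True:
        p = sieved_candidate(bits, rng)
        q = (p - 1) // 2
        trace.append(".")                       # candidate generated (callback a=0)
        survived = True
        for _ in range(checks):
            if not miller_rabin_round(p, rng):  # p failed: start over with a new candidate
                survived = False
                break
            trace.append("+")                   # p passed this round (callback a=1)
            if not miller_rabin_round(q, rng):  # (p-1)/2 failed: start over
                survived = False
                break
            trace.append("+")                   # (p-1)/2 passed this round (callback a=1)
            trace.append("*")                   # both passed this round (callback a=2)
        if survived:
            return p, "".join(trace)


def is_prime_deterministic(n):
    """Deterministic Miller-Rabin (fixed witnesses, valid for n < 3.1e23) to verify results."""
    witnesses = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for a in witnesses:
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in witnesses:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def summarize_trace(trace, checks=2):
    """Classify every candidate in a trace the way the answer reads the characters."""
    summary = {"candidates": 0, "p_failed_round1": 0, "q_failed_round1": 0,
               "failed_later": 0, "accepted": 0}
    for seg in trace.split(".")[1:]:            # one segment per '.' (per candidate)
        summary["candidates"] += 1
        if seg == "++*" * checks:
            summary["accepted"] += 1            # full ++*++* : p and (p-1)/2 passed every round
        elif seg == "":
            summary["p_failed_round1"] += 1     # no '+': p itself failed immediately
        elif seg == "+":
            summary["q_failed_round1"] += 1     # lone '+': p passed, (p-1)/2 did not
        else:
            summary["failed_later"] += 1        # e.g. '++*+': failure in a later round
    return summary


if __name__ == "__main__":
    p, trace = generate_safe_prime(48, checks=2, seed=1)
    print(trace)
    print("p =", p, "safe prime:",
          is_prime_deterministic(p) and is_prime_deterministic((p - 1) // 2))
    print(summarize_trace(trace))
```

Running it prints a long run of `.` characters with occasional lone `+` segments, ending in `++*++*`, and the summary shows how rarely a candidate gets past the first `+`; the deterministic check at the end confirms that both `p` and `(p-1)/2` are prime for the accepted candidate.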