In RSA and RW key generation, if we generate a key that isn't exactly

the requested bitsize, simply repeat instead of failing immediately. The condition could actually occur in practice if a prime that was on the very low end of the specified range was chosen (eg q happened to be chosen as 10000...001).
author: lloyd <[email protected]> 2010-09-22 16:23:56 +0000
committer: lloyd <[email protected]> 2010-09-22 16:23:56 +0000
commit: 21865a92ea3ca717f22a84a946e0d71ad7a020f3 (patch)
tree: fa60ee8797abb9025ac9291a2e1fef89cb12925e /src/pubkey/rsa/rsa.cpp
parent: 2372f282068857b9a20073f3f27f6faf3f6989ca (diff)
1 files changed, 6 insertions, 5 deletions
diff --git a/src/pubkey/rsa/rsa.cpp b/src/pubkey/rsa/rsa.cpp
index 133164c31..84048fa2e 100644
--- a/src/pubkey/rsa/rsa.cpp
+++ b/src/pubkey/rsa/rsa.cpp
@@ -26,12 +26,13 @@ RSA_PrivateKey::RSA_PrivateKey(RandomNumberGenerator& rng,
       throw Invalid_Argument(algo_name() + ": Invalid encryption exponent");
 
    e = exp;
-   p = random_prime(rng, (bits + 1) / 2, e);
-   q = random_prime(rng, bits - p.bits(), e);
-   n = p * q;
 
-   if(n.bits() != bits)
-      throw Self_Test_Failure(algo_name() + " private key generation failed");
+   do
+      {
+      p = random_prime(rng, (bits + 1) / 2, e);
+      q = random_prime(rng, bits - p.bits(), e);
+      n = p * q;
+      } while(n.bits() != bits);
 
    d = inverse_mod(e, lcm(p - 1, q - 1));
    d1 = d % (p - 1);
author	lloyd <[email protected]>	2010-09-22 16:23:56 +0000
committer	lloyd <[email protected]>	2010-09-22 16:23:56 +0000
commit	21865a92ea3ca717f22a84a946e0d71ad7a020f3 (patch)
tree	fa60ee8797abb9025ac9291a2e1fef89cb12925e /src/pubkey/rsa/rsa.cpp
parent	2372f282068857b9a20073f3f27f6faf3f6989ca (diff)