What do the dots and pluses mean when OpenSSL generates keys?
When computing DHPARAM you will get these as the output while computing Diffie Hellman parameters:
. : A potential prime number was generated.
+ : Number is being tested for primality.
* : A prime number was found.
References:
- source code:
dh_cbfunction indhparam.c - man page:
dhparam
In the context of Diffie-Helman parameter generation, . means a potential prime has been generated. + means one iteration of the Miller-Rabin primality test have been passed. * means a prime has been found that satisfies one iteration of the Miller-Rabin primality test.
Under default conditions, for generating a prime with at least 1300 bits, two iterations of the Miller-Rabin primality test are done. That's why you see ++*++* at the end. The first + means the prime p itself has passed one iteration of the Miller-Rabin primality test. The second + means the (p-1)/2 also has passed one iteration of the Miller-Rabin primality test. The first * indicates both p and (p-1)/2 has passed an iteration of the Miller-Rabin primality test.
Then both are retested again (since BN_prime_checks_for_size(2048) == 2 for two iterations), so you see ++* again.
Since p and (p-1)/2 passed both iterations of primality tests, the process stops and returns p.
So if you see one +, it means a candidate prime generated passed one iteration of the primality test but (p-1)/2 didn't. If you see ++* but not ++*++* it means both p and (p-1)/2 passed the first iteration of primality tests but one of them failed the second iteration (which in all likelihood, would never happen for 2048 bit keys and longer -- a cosmic ray flipping a bit during the calculation is more likely).
References:
- man page:
BN_GENCB_call - man page:
BN_is_prime_fasttest_ex - source code:
BN_generate_prime_ex - source code:
BN_prime_checks_for_size