As of version 1.4, OraPGP can create PGP keys with PL/SQL methods. The keys can be based on the RSA asymmetric algorithm, on DH/DSS (Diffie-Hellman for encryption and DSA for signatures), or on Elliptic Curves. Elliptic Curve keys have been part of the OpenPGP standard since 2016.
The methods for generating keys return a BLOB containing a key-pair. Afterward, the public and private key parts can be exported.
Speed considerations: RSA and DH/DSS keys take a few seconds to complete. Elliptic Curve keys are generated almost immediately.
RSA based keys
DH/DSS based keys
Elliptic Curve based keys
Exporting the public and private key
Creating an RSA key pair
The method for creating an RSA-based key pair is ORA_PGP.GENERATE_RSA_KEY_PAIR. Its parameters are as follows:
- keySize PLS_INTEGER – key size in bits, accepted values: 1024, 2048, 3072, 4096
- user_id VARCHAR2 – user ID of the key owner. Usually in the format ‘name <email>’, e.g.: ‘ABC Corp <office@abc.com>’
- private_key_password – password for the private key part.
- (optional) expiration_days – number of days the key will be usable. If not specified the key won’t have an expiration.
Example PL/SQL code
DECLARE
  key_pair    BLOB;
  public_key  CLOB;
  private_key CLOB;
BEGIN
  -- No expiration_days argument: the key will not expire
  key_pair := ORA_PGP.GENERATE_RSA_KEY_PAIR(2048, 'AB Inc <info@abc.com>', 'pass123');
  -- Get the public and private keys from the key pair;
  -- they can be used afterward with ORA_PGP.ENCRYPT, ORA_PGP.DECRYPT, ORA_PGP.SIGN, ORA_PGP.VERIFY
  public_key  := ORA_PGP.EXPORT_PUBLIC_KEY_ASCII(key_pair);
  private_key := ORA_PGP.EXPORT_PRIVATE_KEY_ASCII(key_pair);
END;
Creating a DH/DSS key pair
The method for creating a DH/DSS-based key pair is ORA_PGP.GENERATE_DH_KEY_PAIR. Its parameters are as follows:
- keySize PLS_INTEGER – key size in bits, accepted values: 1024, 2048, 3072, 2048
- user_id VARCHAR2 – user ID of the key owner. Usually in the format ‘name <email>’, e.g.: ‘ABC Corp <office@abc.com>’
- private_key_password – password for the private key part.
- (optional) expiration_days – number of days the key will be usable. If not specified the key won’t have an expiration.
Example PL/SQL code
DECLARE
  key_pair    BLOB;
  public_key  BLOB;
  private_key BLOB;
  valid_days  PLS_INTEGER;
BEGIN
  valid_days := 365;
  -- Fourth argument: the key expires after valid_days days
  key_pair := ORA_PGP.GENERATE_DH_KEY_PAIR(2048, 'AB Inc <info@abc.com>', 'pass123', valid_days);
  -- Get the public and private keys from the key pair in binary form (BLOB);
  -- they can be used afterward with ORA_PGP.ENCRYPT, ORA_PGP.DECRYPT, ORA_PGP.SIGN, ORA_PGP.VERIFY
  public_key  := ORA_PGP.EXPORT_PUBLIC_KEY_BINARY(key_pair);
  private_key := ORA_PGP.EXPORT_PRIVATE_KEY_BINARY(key_pair);
END;
Creating an Elliptic Curve key pair
The method for creating an Elliptic Curve-based key pair is ORA_PGP.GENERATE_ECC_KEY_PAIR. Its parameters are as follows:
- Elliptic Curve PLS_INTEGER – accepted values:
  - ORA_PGP.ECC_NIST_P256 – Elliptic Curve NIST P-256
  - ORA_PGP.ECC_NIST_P384 – Elliptic Curve NIST P-384
  - ORA_PGP.ECC_NIST_P521 – Elliptic Curve NIST P-521
  - ORA_PGP.ECC_BRAINPOOL_P256 – Elliptic Curve Brainpool-256
  - ORA_PGP.ECC_BRAINPOOL_P384 – Elliptic Curve Brainpool-384
  - ORA_PGP.ECC_BRAINPOOL_P512 – Elliptic Curve Brainpool-512
  - ORA_PGP.ECC_EDDSA_25519 – EdDSA based on Curve25519
  - ORA_PGP.ECC_CURVE_25519 – Curve25519
- user_id VARCHAR2 – user ID of the key owner. Usually in the format ‘name <email>’, e.g.: ‘ABC Corp <office@abc.com>’
- private_key_password – password for the private key part.
- (optional) expiration_days – number of days the key will be usable. If not specified the key won’t have an expiration.
Example PL/SQL code
DECLARE
  key_pair    BLOB;
  public_key  CLOB;
  private_key CLOB;
  valid_days  PLS_INTEGER;
BEGIN
  valid_days := 365;
  -- First argument is the curve constant, not a key size in bits
  key_pair := ORA_PGP.GENERATE_ECC_KEY_PAIR(ORA_PGP.ECC_NIST_P256, 'AB Inc <info@abc.com>', 'pass123', valid_days);
  -- Get the public and private keys from the key pair;
  -- they can be used afterward with ORA_PGP.ENCRYPT, ORA_PGP.DECRYPT, ORA_PGP.SIGN, ORA_PGP.VERIFY
  public_key  := ORA_PGP.EXPORT_PUBLIC_KEY_ASCII(key_pair);
  private_key := ORA_PGP.EXPORT_PRIVATE_KEY_ASCII(key_pair);
END;
Exporting the public and private key
The result of the ORA_PGP.GENERATE_*_KEY_PAIR methods is a PGP key pair stored in a BLOB. It can then be split into a public key and a private key with ORA_PGP.EXPORT_PUBLIC_KEY_* and ORA_PGP.EXPORT_PRIVATE_KEY_*. Depending on whether the keys are to be stored in CLOB or BLOB fields, use the _ASCII or the _BINARY variant of the export methods:
DECLARE
  key_pair      BLOB;
  public_key    CLOB;
  private_key   CLOB;
  public_key_b  BLOB;
  private_key_b BLOB;
BEGIN
  key_pair := ORA_PGP.GENERATE_...  -- any of the GENERATE_*_KEY_PAIR methods above
  -- Get the public and private keys from the key pair;
  -- they can be used afterward with ORA_PGP.ENCRYPT, ORA_PGP.DECRYPT, ORA_PGP.SIGN, ORA_PGP.VERIFY
  -- ASCII-armored form, suitable for CLOB columns
  public_key    := ORA_PGP.EXPORT_PUBLIC_KEY_ASCII(key_pair);
  private_key   := ORA_PGP.EXPORT_PRIVATE_KEY_ASCII(key_pair);
  -- Binary form, suitable for BLOB columns
  public_key_b  := ORA_PGP.EXPORT_PUBLIC_KEY_BINARY(key_pair);
  private_key_b := ORA_PGP.EXPORT_PRIVATE_KEY_BINARY(key_pair);
END;
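The three generation methods and the export step above can be wrapped in one stored procedure that picks the generator by algorithm, honours the optional expiration, and checks that the export really is ASCII-armored before the caller stores it. This is an added example, not part of OraPGP; the procedure name, its parameter names, the NIST P-256 default curve and the error numbers are assumptions, and the key-size check applies the RSA size list from this page.

```plsql
-- Added example (not OraPGP code): dispatch to ORA_PGP.GENERATE_*_KEY_PAIR
-- and return the ASCII-armored public and private halves.
CREATE OR REPLACE PROCEDURE generate_pgp_key_pair (
  p_algorithm       IN  VARCHAR2,                                   -- 'RSA', 'DH' or 'ECC'
  p_user_id         IN  VARCHAR2,                                   -- e.g. 'ABC Corp <office@abc.com>'
  p_password        IN  VARCHAR2,                                   -- protects the private key part
  p_public_key      OUT CLOB,
  p_private_key     OUT CLOB,
  p_expiration_days IN  PLS_INTEGER DEFAULT NULL,                   -- NULL: key never expires
  p_key_size        IN  PLS_INTEGER DEFAULT 2048,                   -- RSA / DH only
  p_curve           IN  PLS_INTEGER DEFAULT ORA_PGP.ECC_NIST_P256   -- ECC only (assumed default)
) AS
  key_pair  BLOB;
  armor_hdr CONSTANT VARCHAR2(40) := '-----BEGIN PGP PUBLIC KEY BLOCK-----';
BEGIN
  -- Reject RSA sizes the package does not accept (page's list) before calling the generator
  IF p_algorithm = 'RSA' AND p_key_size NOT IN (1024, 2048, 3072, 4096) THEN
    RAISE_APPLICATION_ERROR(-20001, 'unsupported RSA key size: ' || p_key_size);
  END IF;

  IF p_expiration_days IS NULL THEN
    -- Three-argument form: no expiration
    CASE p_algorithm
      WHEN 'RSA' THEN key_pair := ORA_PGP.GENERATE_RSA_KEY_PAIR(p_key_size, p_user_id, p_password);
      WHEN 'DH'  THEN key_pair := ORA_PGP.GENERATE_DH_KEY_PAIR(p_key_size, p_user_id, p_password);
      WHEN 'ECC' THEN key_pair := ORA_PGP.GENERATE_ECC_KEY_PAIR(p_curve, p_user_id, p_password);
      ELSE RAISE_APPLICATION_ERROR(-20002, 'unknown algorithm: ' || p_algorithm);
    END CASE;
  ELSE
    -- Four-argument form: key usable for p_expiration_days days
    CASE p_algorithm
      WHEN 'RSA' THEN key_pair := ORA_PGP.GENERATE_RSA_KEY_PAIR(p_key_size, p_user_id, p_password, p_expiration_days);
      WHEN 'DH'  THEN key_pair := ORA_PGP.GENERATE_DH_KEY_PAIR(p_key_size, p_user_id, p_password, p_expiration_days);
      WHEN 'ECC' THEN key_pair := ORA_PGP.GENERATE_ECC_KEY_PAIR(p_curve, p_user_id, p_password, p_expiration_days);
      ELSE RAISE_APPLICATION_ERROR(-20002, 'unknown algorithm: ' || p_algorithm);
    END CASE;
  END IF;

  -- Split the pair; the private half stays protected by p_password
  p_public_key  := ORA_PGP.EXPORT_PUBLIC_KEY_ASCII(key_pair);
  p_private_key := ORA_PGP.EXPORT_PRIVATE_KEY_ASCII(key_pair);

  -- Sanity check: an ASCII-armored OpenPGP public key starts with this header line
  IF DBMS_LOB.INSTR(p_public_key, armor_hdr) <> 1 THEN
    RAISE_APPLICATION_ERROR(-20003, 'public key export is not ASCII-armored');
  END IF;
END generate_pgp_key_pair;
/
```

Store the two OUT values in separate columns or tables so that the private key, even though password-protected, is not readable by every user who needs the public key.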
Summary
This chapter illustrated how to create OpenPGP keys inside the Oracle Database using the PL/SQL add-on package OraPGP.