return bad(fail("RSA_generate_key_fips"))
	}

	var n, e, d, p, q, dp, dq, qinv *C.GO_BIGNUM
	C._goboringcrypto_RSA_get0_key(key, &n, &e, &d)
	C._goboringcrypto_RSA_get0_factors(key, &p, &q)
	C._goboringcrypto_RSA_get0_crt_params(key, &dp, &dq, &qinv)
	return bnToBig(n), bnToBig(e), bnToBig(d), bnToBig(p), bnToBig(q), bnToBig(dp), bnToBig(dq), bnToBig(qinv), nil
}

type PublicKeyRSA struct {

			PublicKey: PublicKey{
				N: N,
				E: int(e64),
			},
			D:      D,
			Primes: []*big.Int{P, Q},
			Precomputed: PrecomputedValues{
				Dp:        Dp,
				Dq:        Dq,
				Qinv:      Qinv,
				CRTValues: make([]CRTValue, 0), // non-nil, to match Precompute
				n:         mn,
				p:         mp,
				q:         mq,
			},
		}
		return key, nil
	}

	priv := new(PrivateKey)

a0 27 86 19 79 # q's CRT exponent dQ: 1a 8b 38 f3 98 fa 71 20 49 89 8d 7f b7 9e e0 a7 76 68 79 12 99 cd fa 09 ef c0 e5 07 ac b2 1e d7 43 01 ef 5b fd 48 be 45 5e ae b6 e1 67 82 55 82 75 80 a8 e4 e8 e1 41 51 d1 51 0a 82 a3 f2 e7 29 # CRT coefficient qInv: 27 15 6a ba 41 26 d2 4a 81 f3 a5 28 cb fb 27 f5 68 86 f8 40 a9 f6 e8 6e 17 a4 4b 94 fe 93 19 58 4b 8e 22 fd de 1e 5a 2e 3b d8 aa 5b a8 d8 58 41 94 eb 21 90 ac f8 32 b8 47 f1 3a 3d 24 a7 9f 4d # ---------- # RSASSA-PSS Signature Example 1.1 # ----------...

	one := Element{1, 0, 0, 0, 0}
	var xinv, r Element

	xinv.Invert(&x)
	r.Multiply(&x, &xinv)
	r.reduce()

	if one != r {
		t.Errorf("inversion identity failed, got: %x", r)
	}

	var bytes [32]byte

	_, err := io.ReadFull(rand.Reader, bytes[:])
	if err != nil {
		t.Fatal(err)
	}
	x.SetBytes(bytes[:])

	xinv.Invert(&x)
	r.Multiply(&x, &xinv)
	r.reduce()

	if one != r {

}

func (p *P384Point) bytes(out *[1 + 2*p384ElementLength]byte) []byte {
	if p.z.IsZero() == 1 {
		return append(out[:0], 0)
	}

	zinv := new(fiat.P384Element).Invert(p.z)
	x := new(fiat.P384Element).Mul(p.x, zinv)
	y := new(fiat.P384Element).Mul(p.y, zinv)

	buf := append(out[:0], 4)
	buf = append(buf, x.Bytes()...)
	buf = append(buf, y.Bytes()...)
	return buf
}

}

func (p *P224Point) bytes(out *[1 + 2*p224ElementLength]byte) []byte {
	if p.z.IsZero() == 1 {
		return append(out[:0], 0)
	}

	zinv := new(fiat.P224Element).Invert(p.z)
	x := new(fiat.P224Element).Mul(p.x, zinv)
	y := new(fiat.P224Element).Mul(p.y, zinv)

	buf := append(out[:0], 4)
	buf = append(buf, x.Bytes()...)
	buf = append(buf, y.Bytes()...)
	return buf
}

}

func (p *P521Point) bytes(out *[1 + 2*p521ElementLength]byte) []byte {
	if p.z.IsZero() == 1 {
		return append(out[:0], 0)
	}

	zinv := new(fiat.P521Element).Invert(p.z)
	x := new(fiat.P521Element).Mul(p.x, zinv)
	y := new(fiat.P521Element).Mul(p.y, zinv)

	buf := append(out[:0], 4)
	buf = append(buf, x.Bytes()...)
	buf = append(buf, y.Bytes()...)
	return buf
}

	// SEC 1, Version 2.0, Section 4.1.3

	k, R, err := randomPoint(c, csprng)
	if err != nil {
		return nil, err
	}

	// kInv = k⁻¹
	kInv := bigmod.NewNat()
	inverse(c, kInv, k)

	Rx, err := R.BytesX()
	if err != nil {
		return nil, err
	}
	r, err := bigmod.NewNat().SetOverflowingBytes(Rx, c.N)
	if err != nil {
		return nil, err
	}

}

func (p *P256Point) bytes(out *[1 + 2*p256ElementLength]byte) []byte {
	if p.z.IsZero() == 1 {
		return append(out[:0], 0)
	}

	zinv := new(fiat.P256Element).Invert(p.z)
	x := new(fiat.P256Element).Mul(p.x, zinv)
	y := new(fiat.P256Element).Mul(p.y, zinv)

	buf := append(out[:0], 4)
	buf = append(buf, x.Bytes()...)
	buf = append(buf, y.Bytes()...)
	return buf
}

}

func (p *{{.P}}Point) bytes(out *[1+2*{{.p}}ElementLength]byte) []byte {
	if p.z.IsZero() == 1 {
		return append(out[:0], 0)
	}

	zinv := new({{.Element}}).Invert(p.z)
	x := new({{.Element}}).Mul(p.x, zinv)
	y := new({{.Element}}).Mul(p.y, zinv)

	buf := append(out[:0], 4)
	buf = append(buf, x.Bytes()...)
	buf = append(buf, y.Bytes()...)
	return buf
}