1Crypt::PK::DSA(3) User Contributed Perl Documentation Crypt::PK::DSA(3)
2
3
4
6 Crypt::PK::DSA - Public key cryptography based on DSA
7
9 ### OO interface
10
11 #Encryption: Alice
12 my $pub = Crypt::PK::DSA->new('Bob_pub_dsa1.der');
13 my $ct = $pub->encrypt("secret message");
14 #
15 #Encryption: Bob (received ciphertext $ct)
16 my $priv = Crypt::PK::DSA->new('Bob_priv_dsa1.der');
17 my $pt = $priv->decrypt($ct);
18
19 #Signature: Alice
20 my $priv = Crypt::PK::DSA->new('Alice_priv_dsa1.der');
21 my $sig = $priv->sign_message($message);
22 #
23 #Signature: Bob (received $message + $sig)
24 my $pub = Crypt::PK::DSA->new('Alice_pub_dsa1.der');
25 $pub->verify_message($sig, $message) or die "ERROR";
26
27 #Key generation
28 my $pk = Crypt::PK::DSA->new();
29 $pk->generate_key(30, 256);
30 my $private_der = $pk->export_key_der('private');
31 my $public_der = $pk->export_key_der('public');
32 my $private_pem = $pk->export_key_pem('private');
33 my $public_pem = $pk->export_key_pem('public');
34
35 ### Functional interface
36
37 #Encryption: Alice
38 my $ct = dsa_encrypt('Bob_pub_dsa1.der', "secret message");
39 #Encryption: Bob (received ciphertext $ct)
40 my $pt = dsa_decrypt('Bob_priv_dsa1.der', $ct);
41
42 #Signature: Alice
43 my $sig = dsa_sign_message('Alice_priv_dsa1.der', $message);
44 #Signature: Bob (received $message + $sig)
45 dsa_verify_message('Alice_pub_dsa1.der', $sig, $message) or die "ERROR";
46
48 new
49 my $pk = Crypt::PK::DSA->new();
50 #or
51 my $pk = Crypt::PK::DSA->new($priv_or_pub_key_filename);
52 #or
53 my $pk = Crypt::PK::DSA->new(\$buffer_containing_priv_or_pub_key);
54
55 Support for password protected PEM keys
56
57 my $pk = Crypt::PK::DSA->new($priv_pem_key_filename, $password);
58 #or
59 my $pk = Crypt::PK::DSA->new(\$buffer_containing_priv_pem_key, $password);
60
61 generate_key
62 Uses Yarrow-based cryptographically strong random number generator
63 seeded with random data taken from "/dev/random" (UNIX) or
64 "CryptGenRandom" (Win32).
65
66 $pk->generate_key($group_size, $modulus_size);
67 # $group_size ... in bytes .. 15 < $group_size < 1024
68 # $modulus_size .. in bytes .. ($modulus_size - $group_size) < 512
69
70 ### Bits of Security according to libtomcrypt documentation
71 # 80 bits => generate_key(20, 128)
72 # 120 bits => generate_key(30, 256)
73 # 140 bits => generate_key(35, 384)
74 # 160 bits => generate_key(40, 512)
75
76 ### Sizes according section 4.2 of FIPS 186-4
77 # (L and N are the bit lengths of p and q respectively)
78 # L = 1024, N = 160 => generate_key(20, 128)
79 # L = 2048, N = 224 => generate_key(28, 256)
80 # L = 2048, N = 256 => generate_key(32, 256)
81 # L = 3072, N = 256 => generate_key(32, 384)
82
83 $pk->generate_key($param_hash)
84 # $param_hash is { d => $d, p => $p, q => $q }
85 # where $d, $p, $q are hex strings
86
87 $pk->generate_key(\$dsa_param)
88 # $dsa_param is the content of DER or PEM file with DSA params
89 # e.g. openssl dsaparam 2048
90
91 import_key
92 Loads private or public key in DER or PEM format.
93
94 $pk->import_key($filename);
95 #or
96 $pk->import_key(\$buffer_containing_key);
97
98 Support for password protected PEM keys
99
100 $pk->import_key($pem_filename, $password);
101 #or
102 $pk->import_key(\$buffer_containing_pem_key, $password);
103
104 Loading private or public keys form perl hash:
105
106 $pk->import_key($hashref);
107
108 # where $hashref is a key exported via key2hash
109 $pk->import_key({
110 p => "AAF839A764E04D80824B79FA1F0496C093...", #prime modulus
111 q => "D05C4CB45F29D353442F1FEC43A6BE2BE8...", #prime divisor
112 g => "847E8896D12C9BF18FE283AE7AD58ED7F3...", #generator of a subgroup of order q in GF(p)
113 x => "6C801901AC74E2DC714D75A9F6969483CF...", #private key, random 0 < x < q
114 y => "8F7604D77FA62C7539562458A63C7611B7...", #public key, where y = g^x mod p
115 });
116
117 Supported key formats:
118
119 · DSA public keys
120
121 -----BEGIN PUBLIC KEY-----
122 MIIBtjCCASsGByqGSM44BAEwggEeAoGBAJKyu+puNMGLpGIhbD1IatnwlI79ePr4
123 YHe2KBhRkheKxWUZRpN1Vd/+usS2IHSJ9op5cSWETiP05d7PMtJaitklw7jhudq3
124 GxNvV/GRdCQm3H6d76FHP88dms4vcDYc6ry6wKERGfNEtZ+4BAKrMZK+gDYsF4Aw
125 U6WVR969kYZhAhUA6w25FgSRmJ8W4XkvC60n8Wv3DpMCgYA4ZFE+3tLOM24PZj9Z
126 rxuqUzZZdR+kIzrsIYpWN9ustbmdKLKwsqIaUIxc5zxHEhbAjAIf8toPD+VEQIpY
127 7vgJgDhXuPq45BgN19iLTzOJwIhAFXPZvnAdIo9D/AnMw688gT6g6U8QCZwX2XYg
128 ICiVcriYVNcjVKHSFY/X0Oi7CgOBhAACgYB4ZTn4OYT/pjUd6tNhGPtOS3CE1oaj
129 5ScbetXg4ZDpceEyQi8VG+/ZTbs8var8X77JdEdeQA686cAxpOaVgW8V4odvcmfA
130 BfueiGnPXjqGfppiHAyL1Ngyd+EsXKmKVXZYAVFVI0WuJKiZBSVURU7+ByxOfpGa
131 fZhibr0SggWixQ==
132 -----END PUBLIC KEY-----
133
134 · DSA private keys
135
136 -----BEGIN DSA PRIVATE KEY-----
137 MIIBuwIBAAKBgQCSsrvqbjTBi6RiIWw9SGrZ8JSO/Xj6+GB3tigYUZIXisVlGUaT
138 dVXf/rrEtiB0ifaKeXElhE4j9OXezzLSWorZJcO44bnatxsTb1fxkXQkJtx+ne+h
139 Rz/PHZrOL3A2HOq8usChERnzRLWfuAQCqzGSvoA2LBeAMFOllUfevZGGYQIVAOsN
140 uRYEkZifFuF5LwutJ/Fr9w6TAoGAOGRRPt7SzjNuD2Y/Wa8bqlM2WXUfpCM67CGK
141 VjfbrLW5nSiysLKiGlCMXOc8RxIWwIwCH/LaDw/lRECKWO74CYA4V7j6uOQYDdfY
142 i08zicCIQBVz2b5wHSKPQ/wJzMOvPIE+oOlPEAmcF9l2ICAolXK4mFTXI1Sh0hWP
143 19DouwoCgYB4ZTn4OYT/pjUd6tNhGPtOS3CE1oaj5ScbetXg4ZDpceEyQi8VG+/Z
144 Tbs8var8X77JdEdeQA686cAxpOaVgW8V4odvcmfABfueiGnPXjqGfppiHAyL1Ngy
145 d+EsXKmKVXZYAVFVI0WuJKiZBSVURU7+ByxOfpGafZhibr0SggWixQIVAL7Sia03
146 8bvANjjL9Sitk8slrM6P
147 -----END DSA PRIVATE KEY-----
148
149 · DSA private keys in password protected PEM format:
150
151 -----BEGIN DSA PRIVATE KEY-----
152 Proc-Type: 4,ENCRYPTED
153 DEK-Info: DES-CBC,227ADC3AA0299491
154
155 UISxBYAxPQMl2eK9LMAeHsssF6IxO+4G2ta2Jn8VE+boJrrH3iSTKeMXGjGaXl0z
156 DwcLGV+KMR70y+cxtTb34rFy+uSpBy10dOQJhxALDbe1XfCDQIUfaXRfMNA3um2I
157 JdZixUD/zcxBOUzao+MCr0V9XlJDgqBhJ5EEr53XHH07Eo5fhiBfbbR9NzdUPFrQ
158 p2ASyZtFh7RXoIBUCQgg21oeLddcNWV7gd/Y46kghO9s0JbJ8C+IsuWEPRSq502h
159 tSoDN6B0sxbVvOUICLLbQaxt7yduTAhRxVIJZ1PWATTVD7CZBVz9uIDZ7LOv+er2
160 1q3vkwb8E9spPsA240+BnfD571XEop4jrawxC0VKQZ+3cPVLc6jhIsxvzzFQUt67
161 g66v8GUgt7KF3KhVV7qEtntybQWDWb+K/uTIH9Ra8nP820d3Rnl61pPXDPlluteT
162 WSLOvEMN2zRmkaxQNv/tLdT0SYpQtdjw74G3A6T7+KnvinKrjtp1a/AXkCF9hNEx
163 DGbxOYo1UOmk8qdxWCrab34nO+Q8oQc9wjXHG+ZtRYIMoGMKREK8DeL4H1RPNkMf
164 rwXWk8scd8QFmJAb8De1VQ==
165 -----END DSA PRIVATE KEY-----
166
167 · SSH public DSA keys
168
169 ssh-dss AAAAB3NzaC1kc3MAAACBAKU8/avmk...4XOwuEssAVhmwA==
170
171 · SSH public DSA keys (RFC-4716 format)
172
173 ---- BEGIN SSH2 PUBLIC KEY ----
174 Comment: "1024-bit DSA, converted from OpenSSH"
175 AAAAB3NzaC1kc3MAAACBAKU8/avmkFeGnSqwYG7dZnQlG+01QNaxu3F5v0NcL/SRUW7Idp
176 Uq8t14siK0mA6yjphLhOf5t8gugTEVBllP86ANSbFigH7WN3v6ydJWqm60pNhNHN//50cn
177 NtIsXbxeq3VtsI64pkH1OJqeZDHLmu73k4T0EKOzsylSfF/wtVBJAAAAFQChpubLHViwPB
178 +jSvUb8e4THS7PBQAAAIAJD1PMCiTCQa1xyD/NCWOajCufTOIzKAhm6l+nlBVPiKI+262X
179 pYt127Ke4mPL8XJBizoTjSQN08uHMg/8L6W/cdO2aZ+mhkBnS1xAm83DAwqLrDraR1w/4Q
180 RFxr5Vbyy8qnejrPjTJobBN1BGsv84wHkjmoCn6pFIfkGYeATlJgAAAIAHYPU1zMVBTDWr
181 u7SNC4G2UyWGWYYLjLytBVHfQmBa51CmqrSs2kCfGLGA1ynfYENsxcJq9nsXrb4i17H5BH
182 JFkH0g7BUDpeBeLr8gsK3WgfqWwtZsDkltObw9chUD/siK6q/dk/fSIB2Ho0inev7k68Z5
183 ZkNI4XOwuEssAVhmwA==
184 ---- END SSH2 PUBLIC KEY ----
185
186 export_key_der
187 my $private_der = $pk->export_key_der('private');
188 #or
189 my $public_der = $pk->export_key_der('public');
190
191 export_key_pem
192 my $private_pem = $pk->export_key_pem('private');
193 #or
194 my $public_pem = $pk->export_key_pem('public');
195 #or
196 my $public_pem = $pk->export_key_pem('public_x509');
197
198 With parameter 'public' uses header and footer lines:
199
200 -----BEGIN DSA PUBLIC KEY------
201 -----END DSA PUBLIC KEY------
202
203 With parameter 'public_x509' uses header and footer lines:
204
205 -----BEGIN PUBLIC KEY------
206 -----END PUBLIC KEY------
207
208 Support for password protected PEM keys
209
210 my $private_pem = $pk->export_key_pem('private', $password);
211 #or
212 my $private_pem = $pk->export_key_pem('private', $password, $cipher);
213
214 # supported ciphers: 'DES-CBC'
215 # 'DES-EDE3-CBC'
216 # 'SEED-CBC'
217 # 'CAMELLIA-128-CBC'
218 # 'CAMELLIA-192-CBC'
219 # 'CAMELLIA-256-CBC'
220 # 'AES-128-CBC'
221 # 'AES-192-CBC'
222 # 'AES-256-CBC' (DEFAULT)
223
224 encrypt
225 my $pk = Crypt::PK::DSA->new($pub_key_filename);
226 my $ct = $pk->encrypt($message);
227 #or
228 my $ct = $pk->encrypt($message, $hash_name);
229
230 #NOTE: $hash_name can be 'SHA1' (DEFAULT), 'SHA256' or any other hash supported by Crypt::Digest
231
232 decrypt
233 my $pk = Crypt::PK::DSA->new($priv_key_filename);
234 my $pt = $pk->decrypt($ciphertext);
235
236 sign_message
237 my $pk = Crypt::PK::DSA->new($priv_key_filename);
238 my $signature = $priv->sign_message($message);
239 #or
240 my $signature = $priv->sign_message($message, $hash_name);
241
242 #NOTE: $hash_name can be 'SHA1' (DEFAULT), 'SHA256' or any other hash supported by Crypt::Digest
243
244 verify_message
245 my $pk = Crypt::PK::DSA->new($pub_key_filename);
246 my $valid = $pub->verify_message($signature, $message)
247 #or
248 my $valid = $pub->verify_message($signature, $message, $hash_name);
249
250 #NOTE: $hash_name can be 'SHA1' (DEFAULT), 'SHA256' or any other hash supported by Crypt::Digest
251
252 sign_hash
253 my $pk = Crypt::PK::DSA->new($priv_key_filename);
254 my $signature = $priv->sign_hash($message_hash);
255
256 verify_hash
257 my $pk = Crypt::PK::DSA->new($pub_key_filename);
258 my $valid = $pub->verify_hash($signature, $message_hash);
259
260 is_private
261 my $rv = $pk->is_private;
262 # 1 .. private key loaded
263 # 0 .. public key loaded
264 # undef .. no key loaded
265
266 size
267 my $size = $pk->size;
268 # returns key size in bytes or undef if no key loaded
269
270 key2hash
271 my $hash = $pk->key2hash;
272
273 # returns hash like this (or undef if no key loaded):
274 {
275 type => 1, # integer: 1 .. private, 0 .. public
276 size => 256, # integer: key size in bytes
277 # all the rest are hex strings
278 p => "AAF839A764E04D80824B79FA1F0496C093...", #prime modulus
279 q => "D05C4CB45F29D353442F1FEC43A6BE2BE8...", #prime divisor
280 g => "847E8896D12C9BF18FE283AE7AD58ED7F3...", #generator of a subgroup of order q in GF(p)
281 x => "6C801901AC74E2DC714D75A9F6969483CF...", #private key, random 0 < x < q
282 y => "8F7604D77FA62C7539562458A63C7611B7...", #public key, where y = g^x mod p
283 }
284
286 dsa_encrypt
287 DSA based encryption as implemented by libtomcrypt. See method
288 "encrypt" below.
289
290 my $ct = dsa_encrypt($pub_key_filename, $message);
291 #or
292 my $ct = dsa_encrypt(\$buffer_containing_pub_key, $message);
293 #or
294 my $ct = dsa_encrypt($pub_key_filename, $message, $hash_name);
295
296 #NOTE: $hash_name can be 'SHA1' (DEFAULT), 'SHA256' or any other hash supported by Crypt::Digest
297
298 Encryption works similar to the Crypt::PK::ECC encryption whereas
299 shared DSA key is computed, and the hash of the shared key XOR'ed
300 against the plaintext forms the ciphertext.
301
302 dsa_decrypt
303 DSA based decryption as implemented by libtomcrypt. See method
304 "decrypt" below.
305
306 my $pt = dsa_decrypt($priv_key_filename, $ciphertext);
307 #or
308 my $pt = dsa_decrypt(\$buffer_containing_priv_key, $ciphertext);
309
310 dsa_sign_message
311 Generate DSA signature. See method "sign_message" below.
312
313 my $sig = dsa_sign_message($priv_key_filename, $message);
314 #or
315 my $sig = dsa_sign_message(\$buffer_containing_priv_key, $message);
316 #or
317 my $sig = dsa_sign_message($priv_key, $message, $hash_name);
318
319 dsa_verify_message
320 Verify DSA signature. See method "verify_message" below.
321
322 dsa_verify_message($pub_key_filename, $signature, $message) or die "ERROR";
323 #or
324 dsa_verify_message(\$buffer_containing_pub_key, $signature, $message) or die "ERROR";
325 #or
326 dsa_verify_message($pub_key, $signature, $message, $hash_name) or die "ERROR";
327
328 dsa_sign_hash
329 Generate DSA signature. See method "sign_hash" below.
330
331 my $sig = dsa_sign_hash($priv_key_filename, $message_hash);
332 #or
333 my $sig = dsa_sign_hash(\$buffer_containing_priv_key, $message_hash);
334
335 dsa_verify_hash
336 Verify DSA signature. See method "verify_hash" below.
337
338 dsa_verify_hash($pub_key_filename, $signature, $message_hash) or die "ERROR";
339 #or
340 dsa_verify_hash(\$buffer_containing_pub_key, $signature, $message_hash) or die "ERROR";
341
343 ### let's have:
344 # DSA private key in PEM format - dsakey.priv.pem
345 # DSA public key in PEM format - dsakey.pub.pem
346 # data file to be signed - input.data
347
348 Sign by OpenSSL, verify by Crypt::PK::DSA
349 Create signature (from commandline):
350
351 openssl dgst -sha1 -sign dsakey.priv.pem -out input.sha1-dsa.sig input.data
352
353 Verify signature (Perl code):
354
355 use Crypt::PK::DSA;
356 use Crypt::Digest 'digest_file';
357 use File::Slurp 'read_file';
358
359 my $pkdsa = Crypt::PK::DSA->new("dsakey.pub.pem");
360 my $signature = read_file("input.sha1-dsa.sig", binmode=>':raw');
361 my $valid = $pkdsa->verify_hash($signature, digest_file("SHA1", "input.data"), "SHA1", "v1.5");
362 print $valid ? "SUCCESS" : "FAILURE";
363
364 Sign by Crypt::PK::DSA, verify by OpenSSL
365 Create signature (Perl code):
366
367 use Crypt::PK::DSA;
368 use Crypt::Digest 'digest_file';
369 use File::Slurp 'write_file';
370
371 my $pkdsa = Crypt::PK::DSA->new("dsakey.priv.pem");
372 my $signature = $pkdsa->sign_hash(digest_file("SHA1", "input.data"), "SHA1", "v1.5");
373 write_file("input.sha1-dsa.sig", {binmode=>':raw'}, $signature);
374
375 Verify signature (from commandline):
376
377 openssl dgst -sha1 -verify dsakey.pub.pem -signature input.sha1-dsa.sig input.data
378
379 Keys generated by Crypt::PK::DSA
380 Generate keys (Perl code):
381
382 use Crypt::PK::DSA;
383 use File::Slurp 'write_file';
384
385 my $pkdsa = Crypt::PK::DSA->new;
386 $pkdsa->generate_key(20, 128);
387 write_file("dsakey.pub.der", {binmode=>':raw'}, $pkdsa->export_key_der('public'));
388 write_file("dsakey.priv.der", {binmode=>':raw'}, $pkdsa->export_key_der('private'));
389 write_file("dsakey.pub.pem", $pkdsa->export_key_pem('public_x509'));
390 write_file("dsakey.priv.pem", $pkdsa->export_key_pem('private'));
391 write_file("dsakey-passwd.priv.pem", $pkdsa->export_key_pem('private', 'secret'));
392
393 Use keys by OpenSSL:
394
395 openssl dsa -in dsakey.priv.der -text -inform der
396 openssl dsa -in dsakey.priv.pem -text
397 openssl dsa -in dsakey-passwd.priv.pem -text -inform pem -passin pass:secret
398 openssl dsa -in dsakey.pub.der -pubin -text -inform der
399 openssl dsa -in dsakey.pub.pem -pubin -text
400
401 Keys generated by OpenSSL
402 Generate keys:
403
404 openssl dsaparam -genkey -out dsakey.priv.pem 1024
405 openssl dsa -in dsakey.priv.pem -out dsakey.priv.der -outform der
406 openssl dsa -in dsakey.priv.pem -out dsakey.pub.pem -pubout
407 openssl dsa -in dsakey.priv.pem -out dsakey.pub.der -outform der -pubout
408 openssl dsa -in dsakey.priv.pem -passout pass:secret -des3 -out dsakey-passwd.priv.pem
409
410 Load keys (Perl code):
411
412 use Crypt::PK::DSA;
413 use File::Slurp 'write_file';
414
415 my $pkdsa = Crypt::PK::DSA->new;
416 $pkdsa->import_key("dsakey.pub.der");
417 $pkdsa->import_key("dsakey.priv.der");
418 $pkdsa->import_key("dsakey.pub.pem");
419 $pkdsa->import_key("dsakey.priv.pem");
420 $pkdsa->import_key("dsakey-passwd.priv.pem", "secret");
421
423 · <https://en.wikipedia.org/wiki/Digital_Signature_Algorithm>
424
425
426
427perl v5.28.1 2017-09-15 Crypt::PK::DSA(3)