1Crypt::PK::DSA(3) User Contributed Perl Documentation Crypt::PK::DSA(3)
2
6 Crypt::PK::DSA - Public key cryptography based on DSA
7
9 ### OO interface
10 #Encryption: Alice
12 my $pub = Crypt::PK::DSA->new('Bob_pub_dsa1.der');
13 my $ct = $pub->encrypt("secret message");
14 #
15 #Encryption: Bob (received ciphertext $ct)
16 my $priv = Crypt::PK::DSA->new('Bob_priv_dsa1.der');
17 my $pt = $priv->decrypt($ct);
18 #Signature: Alice
20 my $priv = Crypt::PK::DSA->new('Alice_priv_dsa1.der');
21 my $sig = $priv->sign_message($message);
22 #
23 #Signature: Bob (received $message + $sig)
24 my $pub = Crypt::PK::DSA->new('Alice_pub_dsa1.der');
25 $pub->verify_message($sig, $message) or die "ERROR";
26 #Key generation
28 my $pk = Crypt::PK::DSA->new();
29 $pk->generate_key(30, 256);
30 my $private_der = $pk->export_key_der('private');
31 my $public_der = $pk->export_key_der('public');
32 my $private_pem = $pk->export_key_pem('private');
33 my $public_pem = $pk->export_key_pem('public');
34 ### Functional interface
36 #Encryption: Alice
38 my $ct = dsa_encrypt('Bob_pub_dsa1.der', "secret message");
39 #Encryption: Bob (received ciphertext $ct)
40 my $pt = dsa_decrypt('Bob_priv_dsa1.der', $ct);
41 #Signature: Alice
43 my $sig = dsa_sign_message('Alice_priv_dsa1.der', $message);
44 #Signature: Bob (received $message + $sig)
45 dsa_verify_message('Alice_pub_dsa1.der', $sig, $message) or die "ERROR";
46
48 new
49 my $pk = Crypt::PK::DSA->new();
50 #or
51 my $pk = Crypt::PK::DSA->new($priv_or_pub_key_filename);
52 #or
53 my $pk = Crypt::PK::DSA->new(\$buffer_containing_priv_or_pub_key);
54 Support for password protected PEM keys
56 my $pk = Crypt::PK::DSA->new($priv_pem_key_filename, $password);
58 #or
59 my $pk = Crypt::PK::DSA->new(\$buffer_containing_priv_pem_key, $password);
60 generate_key
62 Uses Yarrow-based cryptographically strong random number generator
63 seeded with random data taken from "/dev/random" (UNIX) or
64 "CryptGenRandom" (Win32).
65 $pk->generate_key($group_size, $modulus_size);
67 # $group_size ... in bytes .. 15 < $group_size < 1024
68 # $modulus_size .. in bytes .. ($modulus_size - $group_size) < 512
69 ### Bits of Security according to libtomcrypt documentation
71 # 80 bits => generate_key(20, 128)
72 # 120 bits => generate_key(30, 256)
73 # 140 bits => generate_key(35, 384)
74 # 160 bits => generate_key(40, 512)
75 ### Sizes according section 4.2 of FIPS 186-4
77 # (L and N are the bit lengths of p and q respectively)
78 # L = 1024, N = 160 => generate_key(20, 128)
79 # L = 2048, N = 224 => generate_key(28, 256)
80 # L = 2048, N = 256 => generate_key(32, 256)
81 # L = 3072, N = 256 => generate_key(32, 384)
82 $pk->generate_key($param_hash)
84 # $param_hash is { d => $d, p => $p, q => $q }
85 # where $d, $p, $q are hex strings
86 $pk->generate_key(\$dsa_param)
88 # $dsa_param is the content of DER or PEM file with DSA params
89 # e.g. openssl dsaparam 2048
90 import_key
92 Loads private or public key in DER or PEM format.
93 $pk->import_key($filename);
95 #or
96 $pk->import_key(\$buffer_containing_key);
97 Support for password protected PEM keys
99 $pk->import_key($pem_filename, $password);
101 #or
102 $pk->import_key(\$buffer_containing_pem_key, $password);
103 Loading private or public keys form perl hash:
105 $pk->import_key($hashref);
107 # where $hashref is a key exported via key2hash
109 $pk->import_key({
110 p => "AAF839A764E04D80824B79FA1F0496C093...", #prime modulus
111 q => "D05C4CB45F29D353442F1FEC43A6BE2BE8...", #prime divisor
112 g => "847E8896D12C9BF18FE283AE7AD58ED7F3...", #generator of a subgroup of order q in GF(p)
113 x => "6C801901AC74E2DC714D75A9F6969483CF...", #private key, random 0 < x < q
114 y => "8F7604D77FA62C7539562458A63C7611B7...", #public key, where y = g^x mod p
115 });
116 Supported key formats:
118 • DSA public keys
120 -----BEGIN PUBLIC KEY-----
122 MIIBtjCCASsGByqGSM44BAEwggEeAoGBAJKyu+puNMGLpGIhbD1IatnwlI79ePr4
123 YHe2KBhRkheKxWUZRpN1Vd/+usS2IHSJ9op5cSWETiP05d7PMtJaitklw7jhudq3
124 GxNvV/GRdCQm3H6d76FHP88dms4vcDYc6ry6wKERGfNEtZ+4BAKrMZK+gDYsF4Aw
125 U6WVR969kYZhAhUA6w25FgSRmJ8W4XkvC60n8Wv3DpMCgYA4ZFE+3tLOM24PZj9Z
126 rxuqUzZZdR+kIzrsIYpWN9ustbmdKLKwsqIaUIxc5zxHEhbAjAIf8toPD+VEQIpY
127 7vgJgDhXuPq45BgN19iLTzOJwIhAFXPZvnAdIo9D/AnMw688gT6g6U8QCZwX2XYg
128 ICiVcriYVNcjVKHSFY/X0Oi7CgOBhAACgYB4ZTn4OYT/pjUd6tNhGPtOS3CE1oaj
129 5ScbetXg4ZDpceEyQi8VG+/ZTbs8var8X77JdEdeQA686cAxpOaVgW8V4odvcmfA
130 BfueiGnPXjqGfppiHAyL1Ngyd+EsXKmKVXZYAVFVI0WuJKiZBSVURU7+ByxOfpGa
131 fZhibr0SggWixQ==
132 -----END PUBLIC KEY-----
133 • DSA private keys
135 -----BEGIN DSA PRIVATE KEY-----
137 MIIBuwIBAAKBgQCSsrvqbjTBi6RiIWw9SGrZ8JSO/Xj6+GB3tigYUZIXisVlGUaT
138 dVXf/rrEtiB0ifaKeXElhE4j9OXezzLSWorZJcO44bnatxsTb1fxkXQkJtx+ne+h
139 Rz/PHZrOL3A2HOq8usChERnzRLWfuAQCqzGSvoA2LBeAMFOllUfevZGGYQIVAOsN
140 uRYEkZifFuF5LwutJ/Fr9w6TAoGAOGRRPt7SzjNuD2Y/Wa8bqlM2WXUfpCM67CGK
141 VjfbrLW5nSiysLKiGlCMXOc8RxIWwIwCH/LaDw/lRECKWO74CYA4V7j6uOQYDdfY
142 i08zicCIQBVz2b5wHSKPQ/wJzMOvPIE+oOlPEAmcF9l2ICAolXK4mFTXI1Sh0hWP
143 19DouwoCgYB4ZTn4OYT/pjUd6tNhGPtOS3CE1oaj5ScbetXg4ZDpceEyQi8VG+/Z
144 Tbs8var8X77JdEdeQA686cAxpOaVgW8V4odvcmfABfueiGnPXjqGfppiHAyL1Ngy
145 d+EsXKmKVXZYAVFVI0WuJKiZBSVURU7+ByxOfpGafZhibr0SggWixQIVAL7Sia03
146 8bvANjjL9Sitk8slrM6P
147 -----END DSA PRIVATE KEY-----
148 • DSA private keys in password protected PEM format:
150 -----BEGIN DSA PRIVATE KEY-----
152 Proc-Type: 4,ENCRYPTED
153 DEK-Info: DES-CBC,227ADC3AA0299491
154 UISxBYAxPQMl2eK9LMAeHsssF6IxO+4G2ta2Jn8VE+boJrrH3iSTKeMXGjGaXl0z
156 DwcLGV+KMR70y+cxtTb34rFy+uSpBy10dOQJhxALDbe1XfCDQIUfaXRfMNA3um2I
157 JdZixUD/zcxBOUzao+MCr0V9XlJDgqBhJ5EEr53XHH07Eo5fhiBfbbR9NzdUPFrQ
158 p2ASyZtFh7RXoIBUCQgg21oeLddcNWV7gd/Y46kghO9s0JbJ8C+IsuWEPRSq502h
159 tSoDN6B0sxbVvOUICLLbQaxt7yduTAhRxVIJZ1PWATTVD7CZBVz9uIDZ7LOv+er2
160 1q3vkwb8E9spPsA240+BnfD571XEop4jrawxC0VKQZ+3cPVLc6jhIsxvzzFQUt67
161 g66v8GUgt7KF3KhVV7qEtntybQWDWb+K/uTIH9Ra8nP820d3Rnl61pPXDPlluteT
162 WSLOvEMN2zRmkaxQNv/tLdT0SYpQtdjw74G3A6T7+KnvinKrjtp1a/AXkCF9hNEx
163 DGbxOYo1UOmk8qdxWCrab34nO+Q8oQc9wjXHG+ZtRYIMoGMKREK8DeL4H1RPNkMf
164 rwXWk8scd8QFmJAb8De1VQ==
165 -----END DSA PRIVATE KEY-----
166 • SSH public DSA keys
168 ssh-dss AAAAB3NzaC1kc3MAAACBAKU8/avmk...4XOwuEssAVhmwA==
170 • SSH public DSA keys (RFC-4716 format)
172 ---- BEGIN SSH2 PUBLIC KEY ----
174 Comment: "1024-bit DSA, converted from OpenSSH"
175 AAAAB3NzaC1kc3MAAACBAKU8/avmkFeGnSqwYG7dZnQlG+01QNaxu3F5v0NcL/SRUW7Idp
176 Uq8t14siK0mA6yjphLhOf5t8gugTEVBllP86ANSbFigH7WN3v6ydJWqm60pNhNHN//50cn
177 NtIsXbxeq3VtsI64pkH1OJqeZDHLmu73k4T0EKOzsylSfF/wtVBJAAAAFQChpubLHViwPB
178 +jSvUb8e4THS7PBQAAAIAJD1PMCiTCQa1xyD/NCWOajCufTOIzKAhm6l+nlBVPiKI+262X
179 pYt127Ke4mPL8XJBizoTjSQN08uHMg/8L6W/cdO2aZ+mhkBnS1xAm83DAwqLrDraR1w/4Q
180 RFxr5Vbyy8qnejrPjTJobBN1BGsv84wHkjmoCn6pFIfkGYeATlJgAAAIAHYPU1zMVBTDWr
181 u7SNC4G2UyWGWYYLjLytBVHfQmBa51CmqrSs2kCfGLGA1ynfYENsxcJq9nsXrb4i17H5BH
182 JFkH0g7BUDpeBeLr8gsK3WgfqWwtZsDkltObw9chUD/siK6q/dk/fSIB2Ho0inev7k68Z5
183 ZkNI4XOwuEssAVhmwA==
184 ---- END SSH2 PUBLIC KEY ----
185 export_key_der
187 my $private_der = $pk->export_key_der('private');
188 #or
189 my $public_der = $pk->export_key_der('public');
190 export_key_pem
192 my $private_pem = $pk->export_key_pem('private');
193 #or
194 my $public_pem = $pk->export_key_pem('public');
195 #or
196 my $public_pem = $pk->export_key_pem('public_x509');
197 With parameter 'public' uses header and footer lines:
199 -----BEGIN DSA PUBLIC KEY------
201 -----END DSA PUBLIC KEY------
202 With parameter 'public_x509' uses header and footer lines:
204 -----BEGIN PUBLIC KEY------
206 -----END PUBLIC KEY------
207 Support for password protected PEM keys
209 my $private_pem = $pk->export_key_pem('private', $password);
211 #or
212 my $private_pem = $pk->export_key_pem('private', $password, $cipher);
213 # supported ciphers: 'DES-CBC'
215 # 'DES-EDE3-CBC'
216 # 'SEED-CBC'
217 # 'CAMELLIA-128-CBC'
218 # 'CAMELLIA-192-CBC'
219 # 'CAMELLIA-256-CBC'
220 # 'AES-128-CBC'
221 # 'AES-192-CBC'
222 # 'AES-256-CBC' (DEFAULT)
223 encrypt
225 my $pk = Crypt::PK::DSA->new($pub_key_filename);
226 my $ct = $pk->encrypt($message);
227 #or
228 my $ct = $pk->encrypt($message, $hash_name);
229 #NOTE: $hash_name can be 'SHA1' (DEFAULT), 'SHA256' or any other hash supported by Crypt::Digest
231 decrypt
233 my $pk = Crypt::PK::DSA->new($priv_key_filename);
234 my $pt = $pk->decrypt($ciphertext);
235 sign_message
237 my $pk = Crypt::PK::DSA->new($priv_key_filename);
238 my $signature = $priv->sign_message($message);
239 #or
240 my $signature = $priv->sign_message($message, $hash_name);
241 #NOTE: $hash_name can be 'SHA1' (DEFAULT), 'SHA256' or any other hash supported by Crypt::Digest
243 verify_message
245 my $pk = Crypt::PK::DSA->new($pub_key_filename);
246 my $valid = $pub->verify_message($signature, $message)
247 #or
248 my $valid = $pub->verify_message($signature, $message, $hash_name);
249 #NOTE: $hash_name can be 'SHA1' (DEFAULT), 'SHA256' or any other hash supported by Crypt::Digest
251 sign_hash
253 my $pk = Crypt::PK::DSA->new($priv_key_filename);
254 my $signature = $priv->sign_hash($message_hash);
255 verify_hash
257 my $pk = Crypt::PK::DSA->new($pub_key_filename);
258 my $valid = $pub->verify_hash($signature, $message_hash);
259 is_private
261 my $rv = $pk->is_private;
262 # 1 .. private key loaded
263 # 0 .. public key loaded
264 # undef .. no key loaded
265 size
267 my $size = $pk->size;
268 # returns key size (length of the prime p) in bytes or undef if key not loaded
269 size_q
271 my $size = $pk->size_q;
272 # returns length of the prime q in bytes or undef if key not loaded
273 key2hash
275 my $hash = $pk->key2hash;
276 # returns hash like this (or undef if no key loaded):
278 {
279 type => 1, # integer: 1 .. private, 0 .. public
280 size => 256, # integer: key size in bytes
281 # all the rest are hex strings
282 p => "AAF839A764E04D80824B79FA1F0496C093...", #prime modulus
283 q => "D05C4CB45F29D353442F1FEC43A6BE2BE8...", #prime divisor
284 g => "847E8896D12C9BF18FE283AE7AD58ED7F3...", #generator of a subgroup of order q in GF(p)
285 x => "6C801901AC74E2DC714D75A9F6969483CF...", #private key, random 0 < x < q
286 y => "8F7604D77FA62C7539562458A63C7611B7...", #public key, where y = g^x mod p
287 }
288
290 dsa_encrypt
291 DSA based encryption as implemented by libtomcrypt. See method
292 "encrypt" below.
293 my $ct = dsa_encrypt($pub_key_filename, $message);
295 #or
296 my $ct = dsa_encrypt(\$buffer_containing_pub_key, $message);
297 #or
298 my $ct = dsa_encrypt($pub_key_filename, $message, $hash_name);
299 #NOTE: $hash_name can be 'SHA1' (DEFAULT), 'SHA256' or any other hash supported by Crypt::Digest
301 Encryption works similar to the Crypt::PK::ECC encryption whereas
303 shared DSA key is computed, and the hash of the shared key XOR'ed
304 against the plaintext forms the ciphertext.
305 dsa_decrypt
307 DSA based decryption as implemented by libtomcrypt. See method
308 "decrypt" below.
309 my $pt = dsa_decrypt($priv_key_filename, $ciphertext);
311 #or
312 my $pt = dsa_decrypt(\$buffer_containing_priv_key, $ciphertext);
313 dsa_sign_message
315 Generate DSA signature. See method "sign_message" below.
316 my $sig = dsa_sign_message($priv_key_filename, $message);
318 #or
319 my $sig = dsa_sign_message(\$buffer_containing_priv_key, $message);
320 #or
321 my $sig = dsa_sign_message($priv_key, $message, $hash_name);
322 dsa_verify_message
324 Verify DSA signature. See method "verify_message" below.
325 dsa_verify_message($pub_key_filename, $signature, $message) or die "ERROR";
327 #or
328 dsa_verify_message(\$buffer_containing_pub_key, $signature, $message) or die "ERROR";
329 #or
330 dsa_verify_message($pub_key, $signature, $message, $hash_name) or die "ERROR";
331 dsa_sign_hash
333 Generate DSA signature. See method "sign_hash" below.
334 my $sig = dsa_sign_hash($priv_key_filename, $message_hash);
336 #or
337 my $sig = dsa_sign_hash(\$buffer_containing_priv_key, $message_hash);
338 dsa_verify_hash
340 Verify DSA signature. See method "verify_hash" below.
341 dsa_verify_hash($pub_key_filename, $signature, $message_hash) or die "ERROR";
343 #or
344 dsa_verify_hash(\$buffer_containing_pub_key, $signature, $message_hash) or die "ERROR";
345
347 ### let's have:
348 # DSA private key in PEM format - dsakey.priv.pem
349 # DSA public key in PEM format - dsakey.pub.pem
350 # data file to be signed - input.data
351 Sign by OpenSSL, verify by Crypt::PK::DSA
353 Create signature (from commandline):
354 openssl dgst -sha1 -sign dsakey.priv.pem -out input.sha1-dsa.sig input.data
356 Verify signature (Perl code):
358 use Crypt::PK::DSA;
360 use Crypt::Digest 'digest_file';
361 use Crypt::Misc 'read_rawfile';
362 my $pkdsa = Crypt::PK::DSA->new("dsakey.pub.pem");
364 my $signature = read_rawfile("input.sha1-dsa.sig");
365 my $valid = $pkdsa->verify_hash($signature, digest_file("SHA1", "input.data"), "SHA1", "v1.5");
366 print $valid ? "SUCCESS" : "FAILURE";
367 Sign by Crypt::PK::DSA, verify by OpenSSL
369 Create signature (Perl code):
370 use Crypt::PK::DSA;
372 use Crypt::Digest 'digest_file';
373 use Crypt::Misc 'write_rawfile';
374 my $pkdsa = Crypt::PK::DSA->new("dsakey.priv.pem");
376 my $signature = $pkdsa->sign_hash(digest_file("SHA1", "input.data"), "SHA1", "v1.5");
377 write_rawfile("input.sha1-dsa.sig", $signature);
378 Verify signature (from commandline):
380 openssl dgst -sha1 -verify dsakey.pub.pem -signature input.sha1-dsa.sig input.data
382 Keys generated by Crypt::PK::DSA
384 Generate keys (Perl code):
385 use Crypt::PK::DSA;
387 use Crypt::Misc 'write_rawfile';
388 my $pkdsa = Crypt::PK::DSA->new;
390 $pkdsa->generate_key(20, 128);
391 write_rawfile("dsakey.pub.der", $pkdsa->export_key_der('public'));
392 write_rawfile("dsakey.priv.der", $pkdsa->export_key_der('private'));
393 write_rawfile("dsakey.pub.pem", $pkdsa->export_key_pem('public_x509'));
394 write_rawfile("dsakey.priv.pem", $pkdsa->export_key_pem('private'));
395 write_rawfile("dsakey-passwd.priv.pem", $pkdsa->export_key_pem('private', 'secret'));
396 Use keys by OpenSSL:
398 openssl dsa -in dsakey.priv.der -text -inform der
400 openssl dsa -in dsakey.priv.pem -text
401 openssl dsa -in dsakey-passwd.priv.pem -text -inform pem -passin pass:secret
402 openssl dsa -in dsakey.pub.der -pubin -text -inform der
403 openssl dsa -in dsakey.pub.pem -pubin -text
404 Keys generated by OpenSSL
406 Generate keys:
407 openssl dsaparam -genkey -out dsakey.priv.pem 1024
409 openssl dsa -in dsakey.priv.pem -out dsakey.priv.der -outform der
410 openssl dsa -in dsakey.priv.pem -out dsakey.pub.pem -pubout
411 openssl dsa -in dsakey.priv.pem -out dsakey.pub.der -outform der -pubout
412 openssl dsa -in dsakey.priv.pem -passout pass:secret -des3 -out dsakey-passwd.priv.pem
413 Load keys (Perl code):
415 use Crypt::PK::DSA;
417 my $pkdsa = Crypt::PK::DSA->new;
419 $pkdsa->import_key("dsakey.pub.der");
420 $pkdsa->import_key("dsakey.priv.der");
421 $pkdsa->import_key("dsakey.pub.pem");
422 $pkdsa->import_key("dsakey.priv.pem");
423 $pkdsa->import_key("dsakey-passwd.priv.pem", "secret");
424
426 • <https://en.wikipedia.org/wiki/Digital_Signature_Algorithm>
427perl v5.36.0 2022-07-22 Crypt::PK::DSA(3)