[openssl-users] RES: Testing OpenSSL based solution

Marcus Vinicius do Nascimento m.vinicius at samsung.com
Thu May 14 13:39:53 UTC 2015

Thanks Dave.

Sure I can't recover the private key from the public. Otherwise it wouldn't
make any sense to use the DSA algorithm at all.

I dug a little into the FIPS code and think using FIPS test vectors to validate
my API is not practical.
Looks like FIPS deals with openssl internals to test it. Structures that
should be opaque to the user are not to FIPS code.

I believe a simple approach like creating my own test vectors could be more
I know it wouldn't cover everything FIPS covers. But maybe this is exactly
the point, since openssl is well tested against FIPS and my code wraps
Does it make sense?


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Dave
Sent: Wednesday, May 13, 2015 04:22
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Testing OpenSSL based solution

> From: openssl-users On Behalf Of Marcus Vinicius do Nascimento
> Sent: Tuesday, May 12, 2015 16:50

> I did some quick research and found this:
> If my understanding is correct, the public key is (p, q, g, y).

You might want to look at the actual standard, FIPS 186, free from NIST and
referred to by wikipedia as well as easily searchable. The current version
is revision -4, but the basic logic of DSA hasn't changed since "-0"
(although the sizes used have increased).

Standardly a DSA public key is (parameters, y) where parameters is (p, q, g
{, seed, counter}) where the optional fields in the parameters allow
verification of the parameter generation process. OpenSSL does not use that
option, so it uses only p,g,q and y. See below.

> The private key would be x, such that y = g^x mod p.
> Is there some way to generate both public and private keys using 
> OpenSSL, based on p, q, g and y?

You cannot recover the private key from the public key for any secure PKC
scheme used with appropriate sizes. DSA is a secure scheme, and DSS and
these test cases use appropriate sizes.

> From: openssl-users On Behalf Of Marcus Vinicius do Nascimento
> Sent: Tuesday, May 12, 2015 17:06

> I tried using Y as the public key, but ssl seems not to accept that.
> From the FIPS file: <snip>
> So I tried reformatting Y to pass it to PEM_read_bio_DSAPrivateKey.
> Converting Y to Base64 = <snip>
> Reformatting in PEM format = "-----BEGIN DSA PRIVATE KEY----- <snip>
[doesn't work]

As above, the public key requires all of p,q,g and y, not just y. 
The private key would require x as well, and you don't have x.

For public keys for _all_ algorithms in files including PEM 
OpenSSL uses the format standardized by X.509 called 
SubjectPublicKeyInfo or SPKI for short, which is an ASN.1 
sequence containing an AlgorithmIdentifier which is a(nother) 
sequence containing an OID identifying the algorithm and an 
optional parameters field whose type depends on the algorithm,
followed by a BITSTRING containing a nested encoding of the 
public key value relative to the parameters for that algorithm.

For DSA, the OID identifies DSA, the parameters are a sequence 
of three INTEGERs for p,g,q, and the nested key encoding is 
just an INTEGER. All elements in ASN.1 use a "TLV" (tag, length,
value) encoding, and INTEGER (thus) consists of a tag octet of 02 
specifying integer, a length whose length itself varies depending 
on the length it encodes, and a value field which for INTEGER is 
a _signed_ big-endian binary number. Since the particular y
you tried to encode below happens to have a magnitude size of 
1024 bits, a multiple of 8, it requires a leading sign octet of 00.
So does g in this case, and p and q by design (they are specified with 
magnitude sizes which are multiples of 8, and indeed of 32).

See RFC 5280 for the generic SPKI format, and RFC 3279 (referenced there) 
for the specifics for several algorithms including DSA.

Note that the PEM type is just "BEGIN/END PUBLIC KEY"  (no DSA) 
because as above the format handles all algorithms.
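
The SubjectPublicKeyInfo layout described in the reply above, built by hand as an added example (not code from the thread or from OpenSSL). It uses only the Python standard library; the toy values for p, q, g and x are constructed and far too small for real use, and the parameter order p, q, g follows Dss-Parms in RFC 3279.

```python
import base64

# id-dsa, 1.2.840.10040.4.1 (RFC 3279), as DER content octets
DSA_OID = bytes.fromhex("2a8648ce380401")

def der_len(n):
    """Short form below 128; otherwise 0x80|k followed by k big-endian octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """One tag octet, the encoded length, then the value octets."""
    return bytes([tag]) + der_len(len(value)) + value

def der_int(n):
    """Non-negative INTEGER as a signed big-endian number (tag 02)."""
    if n < 0:
        raise ValueError("DSA values are non-negative")
    # bit_length // 8 + 1 octets adds the 00 sign octet exactly when the
    # magnitude fills a whole number of octets (top bit would otherwise be set)
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def dsa_spki_der(p, q, g, y):
    """SPKI: SEQUENCE { AlgorithmIdentifier { OID, Dss-Parms }, BIT STRING { INTEGER y } }."""
    params = tlv(0x30, der_int(p) + der_int(q) + der_int(g))
    alg = tlv(0x30, tlv(0x06, DSA_OID) + params)
    key = tlv(0x03, b"\x00" + der_int(y))  # leading 00 = zero unused bits
    return tlv(0x30, alg + key)

def to_pem(der):
    """Wrap DER in the algorithm-neutral PUBLIC KEY PEM type, 64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

# Constructed toy values (not from the thread): q divides p-1, g has order q mod p
P, Q, G, X = 23, 11, 4, 3
Y = pow(G, X, P)  # y = g^x mod p

if __name__ == "__main__":
    print(to_pem(dsa_spki_der(P, Q, G, Y)))
```

Saving the printed PEM to a file and running `openssl asn1parse -in` on it shows the nested SEQUENCE, OID, INTEGER and BIT STRING structure.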
