Allow DSA q=224 (#4147)

* load Q=224 vectors * DSA parameters should support 224 for q length * oxford comma
2026-05-14 20:37:55 +00:00 · 2018-03-18 10:12:14 -04:00 · 2018-03-18 10:12:14 -04:00 · 47a66f19bd
commit 47a66f19bd
parent 17c8f126c7
3 changed files with 20 additions and 93 deletions
--- a/src/cryptography/hazmat/primitives/asymmetric/dsa.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/dsa.py
@ -130,8 +130,8 @@ def generate_private_key(key_size, backend):
 def _check_dsa_parameters(parameters):
    if parameters.p.bit_length() not in [1024, 2048, 3072]:
        raise ValueError("p must be exactly 1024, 2048, or 3072 bits long")
-    if parameters.q.bit_length() not in [160, 256]:
-        raise ValueError("q must be exactly 160 or 256 bits long")
+    if parameters.q.bit_length() not in [160, 224, 256]:
+        raise ValueError("q must be exactly 160, 224, or 256 bits long")

    if not (1 < parameters.g < parameters.p):
        raise ValueError("g, p don't satisfy 1 < g < p.")
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@ -1514,42 +1514,6 @@ e80204646bf99b5771d249a6fea627
 7383a06365af82225dd3713ca5a45006316f53bd12b0e260d5f79795e5a4c9f353f12867a1d320\
 2394673ada8563b71555e53f415254

-    [mod = L=2048, N=224]
-
-    P = 904ef8e31e14721910fa0969e77c99b79f190071a86026e37a887a6053960dbfb74390\
-a6641319fe0af32c4e982934b0f1f4c5bc57534e8e56d77c36f0a99080c0d5bc9022fa34f58922\
-81d7b1009571cb5b35699303f912b276d86b1b0722fc0b1500f0ffb2e4d90867a3bdca181a9734\
-617a8a9f991aa7c14dec1cf45ceba00600f8425440ed0c3b52c82e3aa831932a98b477da220867\
-eb2d5e0ca34580b33b1b65e558411ed09c369f4717bf03b551787e13d9e47c267c91c697225265\
-da157945cd8b32e84fc45b80533265239aa00a2dd3d05f5cb231b7daf724b7ecdce170360a8397\
-2e5be94626273d449f441be300a7345db387bebadad67d8060a7
-    Q = d7d0a83e84d13032b830ed74a6a88592ec9a4cf42bf37080c6600aad
-    G = 2050b18d3c9f39fac396c009310d6616f9309b67b59aef9aee813d6b4f12ee29ba8a6b\
-350b11d4336d44b4641230002d870f1e6b1d8728bdd40262df0d2440999185ae077f7034c61679\
-f4360fbb5d181569e7cb8acb04371c11ba55f1bbd777b74304b99b66d4405303e7120dc8bc4785\
-f56e9533e65b63a0c77cce7bba0d5d6069df5edffa927c5a255a09405a008258ed93506a843366\
-2154f6f67e922d7c9788f04d4ec09581063950d9cde8e373ea59a58b2a6df6ba8663345574fabb\
-a9ca981696d83aeac1f34f14f1a813ba900b3f0341dea23f7d3297f919a97e1ae00ac0728c93fe\
-0a88b66591baf4eb0bc6900f39ba5feb41cbbeea7eb7919aa4d3
-
-    X = 3f19424da3b4f0cafca3fc5019fcd225dd7e496ffdf6b77e364f45be
-    Y = 7681ed0ac257ab7ff17c52de4638c0614749792707a0c0d23883697e34963df15c806f\
-a6206f7fafb3269018e7703bd1e6f518d13544331a017713dbbe0cee8da6c095271fbf24edb74a\
-44e18b1d3b835622f68d31921c67c83e8479d1972ed0cb106c68188fe22c044254251ebf880b90\
-49dc3b7958ef61e1e67d2f677d2a7d2ab6b7c42b70cc5dedc3e5de7459a2dbc70c69008553d7ff\
-b6bf81c012c8bd67bdddeaab9a4a4373027912a7c7d9cd9cfc6c81dffe0cc7a6d40c3b2065aee7\
-be80e3c35497d64c8045bc511edaf7314c84c56bd9f0fecf62262ea5b45b49a0cffb223713bdbd\
-3ad03a25a0bb2211eba41ffcd08ab0e1ad485c29a3fc25ee8359
-
-    X = 241396352dd26efe0e2e184da52fe2b61d9d51b91b5009674c447854
-    Y = 2f07a3aa9884c65288e5fef56c7b7f4445632273290bae6fcaab87c90058b2bef81ad3\
-34958657cf649ffb976d618b34ce69ef6d68c0d8bfe275cf097a301e8dd5595958e0c668c15f67\
-b5c0b0d01983057ce61593635aab5e0564ed720b0336f055a86755c76be22df3b8487f16e2ba0b\
-5136fd30d7e3b1d30c3bd298d3acc0a1988a11756c94e9a53184d0d3edfbb649caf03eace3083d\
-e9933921e627f4b2e011d1c79e45d8ea1eb7e4e59a1cbd8382b3238474eb949749c985200fbb25\
-41e2dce080aa881945d4d935076e48a0846dc5513bb4da8563b946af54f546455931e79c065ce7\
-ca223a98f8fde40091d38eb2c3eb8e3b81d88374f3146b0afc42
-
    [mod = L=2048, N=256]

    P = ea1fb1af22881558ef93be8a5f8653c5a559434c49c8c2c12ace5e9c41434c9cf0a8e9\
@ -1883,17 +1847,6 @@ d291b6da18eb0cbe51676ceb0977504eb97c27c0b191883f72fb2710a9fbd8bcf13be\
    S = 18ea15bd9f00475b25204cbc23f8c23e01588015
    Result = F (3 - R changed )

-    [mod = L=2048, N=224, SHA-1]
-
-    # unsupported so we ignore this
-
-    Msg = f9d01693df99a125b4f17e184331c6b6e8ca00f54f3a
-    X = e0c4b7d58836046c436fbb2322
-    Y = fb6d9bf23a07215093f319725ad0877accff
-    R = 5764e8dae0327c5bf1972ff7681b9
-    S = 475b25204cbc23f8c23e01588015
-    Result = F (3 - R changed )
-
    [mod = L=2048, N=256, SHA-384]

    P = e7c1c86125db9ef417da1ced7ea0861bdad629216a3f3c745df42a46b989e59f4d984\
--- a/tests/utils.py
+++ b/tests/utils.py
@ -353,43 +353,28 @@ def load_fips_dsa_key_pair_vectors(vector_data):
    Loads data out of the FIPS DSA KeyPair vector files.
    """
    vectors = []
-    # When reading_key_data is set to True it tells the loader to continue
-    # constructing dictionaries. We set reading_key_data to False during the
-    # blocks of the vectors of N=224 because we don't support it.
-    reading_key_data = True
    for line in vector_data:
        line = line.strip()

-        if not line or line.startswith("#"):
-            continue
-        elif line.startswith("[mod = L=1024"):
-            continue
-        elif line.startswith("[mod = L=2048, N=224"):
-            reading_key_data = False
-            continue
-        elif line.startswith("[mod = L=2048, N=256"):
-            reading_key_data = True
-            continue
-        elif line.startswith("[mod = L=3072"):
+        if not line or line.startswith("#") or line.startswith("[mod"):
            continue

-        if reading_key_data:
-            if line.startswith("P"):
-                vectors.append({'p': int(line.split("=")[1], 16)})
-            elif line.startswith("Q"):
-                vectors[-1]['q'] = int(line.split("=")[1], 16)
-            elif line.startswith("G"):
-                vectors[-1]['g'] = int(line.split("=")[1], 16)
-            elif line.startswith("X") and 'x' not in vectors[-1]:
-                vectors[-1]['x'] = int(line.split("=")[1], 16)
-            elif line.startswith("X") and 'x' in vectors[-1]:
-                vectors.append({'p': vectors[-1]['p'],
-                                'q': vectors[-1]['q'],
-                                'g': vectors[-1]['g'],
-                                'x': int(line.split("=")[1], 16)
-                                })
-            elif line.startswith("Y"):
-                vectors[-1]['y'] = int(line.split("=")[1], 16)
+        if line.startswith("P"):
+            vectors.append({'p': int(line.split("=")[1], 16)})
+        elif line.startswith("Q"):
+            vectors[-1]['q'] = int(line.split("=")[1], 16)
+        elif line.startswith("G"):
+            vectors[-1]['g'] = int(line.split("=")[1], 16)
+        elif line.startswith("X") and 'x' not in vectors[-1]:
+            vectors[-1]['x'] = int(line.split("=")[1], 16)
+        elif line.startswith("X") and 'x' in vectors[-1]:
+            vectors.append({'p': vectors[-1]['p'],
+                            'q': vectors[-1]['q'],
+                            'g': vectors[-1]['g'],
+                            'x': int(line.split("=")[1], 16)
+                            })
+        elif line.startswith("Y"):
+            vectors[-1]['y'] = int(line.split("=")[1], 16)

    return vectors

@ -402,10 +387,6 @@ def load_fips_dsa_sig_vectors(vector_data):
    sha_regex = re.compile(
        r"\[mod = L=...., N=..., SHA-(?P<sha>1|224|256|384|512)\]"
    )
-    # When reading_key_data is set to True it tells the loader to continue
-    # constructing dictionaries. We set reading_key_data to False during the
-    # blocks of the vectors of N=224 because we don't support it.
-    reading_key_data = True

    for line in vector_data:
        line = line.strip()
@ -417,14 +398,7 @@ def load_fips_dsa_sig_vectors(vector_data):
        if sha_match:
            digest_algorithm = "SHA-{0}".format(sha_match.group("sha"))

-        if line.startswith("[mod = L=2048, N=224"):
-            reading_key_data = False
-            continue
-        elif line.startswith("[mod = L=2048, N=256"):
-            reading_key_data = True
-            continue
-
-        if not reading_key_data or line.startswith("[mod"):
+        if line.startswith("[mod"):
            continue

        name, value = [c.strip() for c in line.split("=")]