Danger

This is a “Hazardous Materials” module. You should ONLY use it if you’re 100% absolutely sure that you know what you’re doing because this module is full of land mines, dragons, and dinosaurs with laser guns.

DSA

DSA is a public-key algorithm for signing messages.

Generation

cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key(key_size, backend)

New in version 0.5.

Generate a DSA private key from the given key size. This function will generate a new set of parameters and key in one step.

Parameters:
  • key_size (int) – The length of the modulus in bits. It should be either 1024, 2048 or 3072. For keys generated in 2015 this should be at least 2048 (See page 41). Note that some applications (such as SSH) have not yet gained support for larger key sizes specified in FIPS 186-3 and are still restricted to only the 1024-bit keys specified in FIPS 186-2.
  • backend – An instance of DSABackend.
Returns:

An instance of DSAPrivateKey.

Raises:

cryptography.exceptions.UnsupportedAlgorithm – This is raised if the provided backend does not implement DSABackend

cryptography.hazmat.primitives.asymmetric.dsa.generate_parameters(key_size, backend)

New in version 0.5.

Generate DSA parameters using the provided backend.

Parameters:
  • key_size (int) – The length of q. It should be either 1024, 2048 or 3072. For keys generated in 2015 this should be at least 2048 (See page 41). Note that some applications (such as SSH) have not yet gained support for larger key sizes specified in FIPS 186-3 and are still restricted to only the 1024-bit keys specified in FIPS 186-2.
  • backend – An instance of DSABackend.
Returns:

An instance of DSAParameters.

Raises:

cryptography.exceptions.UnsupportedAlgorithm – This is raised if the provided backend does not implement DSABackend

Signing

Using a DSAPrivateKey instance.

>>> from cryptography.hazmat.backends import default_backend
>>> from cryptography.hazmat.primitives import hashes
>>> from cryptography.hazmat.primitives.asymmetric import dsa
>>> private_key = dsa.generate_private_key(
...     key_size=1024,
...     backend=default_backend()
... )
>>> signer = private_key.signer(hashes.SHA256())
>>> data = b"this is some data I'd like to sign"
>>> signer.update(data)
>>> signature = signer.finalize()

There is a shortcut to sign sufficiently short messages directly:

>>> data = b"this is some data I'd like to sign"
>>> signature = private_key.sign(
...     data,
...     hashes.SHA256()
... )

The signature is a bytes object, whose contents is DER encoded as described in RFC 3279. This can be decoded using decode_dss_signature().

Verification

Verification is performed using a DSAPublicKey instance. You can get a public key object with load_pem_public_key(), load_der_public_key(), public_key() , or public_key().

>>> public_key = private_key.public_key()
>>> verifier = public_key.verifier(signature, hashes.SHA256())
>>> verifier.update(data)
>>> verifier.verify()

There is a shortcut to verify sufficiently short messages directly:

>>> public_key.verify(
...     signature,
...     data,
...     hashes.SHA256()
... )

verifier() takes the signature in the same format as is returned by signer.finalize().

verify() will raise an InvalidSignature exception if the signature isn’t valid.

Numbers

class cryptography.hazmat.primitives.asymmetric.dsa.DSAParameterNumbers(p, q, g)

New in version 0.5.

The collection of integers that make up a set of DSA parameters.

p
Type:int

The public modulus.

q
Type:int

The sub-group order.

g
Type:int

The generator.

parameters(backend)
Parameters:backend – An instance of DSABackend.
Returns:A new instance of DSAParameters.
class cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicNumbers(y, parameter_numbers)

New in version 0.5.

The collection of integers that make up a DSA public key.

y
Type:int

The public value y.

parameter_numbers
Type:DSAParameterNumbers

The DSAParameterNumbers associated with the public key.

public_key(backend)
Parameters:backend – An instance of DSABackend.
Returns:A new instance of DSAPublicKey.
class cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateNumbers(x, public_numbers)

New in version 0.5.

The collection of integers that make up a DSA private key.

Warning

Revealing the value of x will compromise the security of any cryptographic operations performed.

x
Type:int

The private value x.

public_numbers
Type:DSAPublicNumbers

The DSAPublicNumbers associated with the private key.

private_key(backend)
Parameters:backend – An instance of DSABackend.
Returns:A new instance of DSAPrivateKey.

Key interfaces

class cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters

New in version 0.3.

DSA parameters.

generate_private_key()

New in version 0.5.

Generate a DSA private key. This method can be used to generate many new private keys from a single set of parameters.

Returns:An instance of DSAPrivateKey.
class cryptography.hazmat.primitives.asymmetric.dsa.DSAParametersWithNumbers

New in version 0.5.

Extends DSAParameters.

parameter_numbers()

Create a DSAParameterNumbers object.

Returns:A DSAParameterNumbers instance.
class cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey

New in version 0.3.

A DSA private key.

public_key()
Returns:DSAPublicKey

An DSA public key object corresponding to the values of the private key.

parameters()
Returns:DSAParameters

The DSAParameters object associated with this private key.

signer(algorithm, backend)

New in version 0.4.

Sign data which can be verified later by others using the public key. The signature is formatted as DER-encoded bytes, as specified in RFC 3279.

Parameters:
Returns:

AsymmetricSignatureContext

key_size
Type:int

The bit length of q.

sign(data, algorithm)

New in version 1.5.

Changed in version 1.6: Prehashed can now be used as an algorithm.

Sign one block of data which can be verified later by others using the public key.

Parameters:
  • data (bytes) – The message string to sign.
  • algorithm – An instance of HashAlgorithm or Prehashed if the data you want to sign has already been hashed.
Return bytes:

Signature.

class cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKeyWithSerialization

New in version 0.8.

Extends DSAPrivateKey.

private_numbers()

Create a DSAPrivateNumbers object.

Returns:A DSAPrivateNumbers instance.
private_bytes(encoding, format, encryption_algorithm)

Allows serialization of the key to bytes. Encoding ( PEM or DER), format ( TraditionalOpenSSL or PKCS8) and encryption algorithm (such as BestAvailableEncryption or NoEncryption) are chosen to define the exact serialization.

Parameters:
Return bytes:

Serialized key.

class cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey

New in version 0.3.

A DSA public key.

key_size
Type:int

The bit length of q.

parameters()
Returns:DSAParameters

The DSAParameters object associated with this public key.

verifier(signature, algorithm, backend)

New in version 0.4.

Verify data was signed by the private key associated with this public key.

Parameters:
  • signature (bytes) – The signature to verify. DER encoded as specified in RFC 3279.
  • algorithm – An instance of HashAlgorithm.
  • backend – An instance of DSABackend.
Returns:

AsymmetricVerificationContext

public_numbers()

Create a DSAPublicNumbers object.

Returns:A DSAPublicNumbers instance.
public_bytes(encoding, format)

Allows serialization of the key to bytes. Encoding ( PEM or DER) and format ( SubjectPublicKeyInfo) are chosen to define the exact serialization.

Parameters:
Return bytes:

Serialized key.

verify(signature, data, algorithm)

New in version 1.5.

Changed in version 1.6: Prehashed can now be used as an algorithm.

Verify one block of data was signed by the private key associated with this public key.

Parameters:
  • signature (bytes) – The signature to verify.
  • data (bytes) – The message string that was signed.
  • algorithm – An instance of HashAlgorithm or Prehashed if the data you want to sign has already been hashed.
Raises:

cryptography.exceptions.InvalidSignature – If the signature does not validate.

class cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKeyWithSerialization

New in version 0.8.

Alias for DSAPublicKey.