diff options
| author | Kazuki Yamaguchi <k@rhe.jp> | 2022-01-04 22:11:00 +0900 |
|---|---|---|
| committer | Kazuki Yamaguchi <k@rhe.jp> | 2022-10-17 16:35:35 +0900 |
| commit | 10f93a8bd787658996f08b13a0e564eaf3f41489 (patch) | |
| tree | 0dfd1c5d83e8b4a101f09e85ad0e2e9cd64a21b1 /ext/openssl | |
| parent | 65bba0ef6fa104324d34079f107f9c72ed8d0e2f (diff) | |
| download | ruby-10f93a8bd787658996f08b13a0e564eaf3f41489.tar.gz | |
[ruby/openssl] pkey/dsa: let PKey::DSA.generate choose appropriate q size
DSA parameters generation via EVP_PKEY_paramgen() will not automatically
adjust the size of q value but uses 224 bits by default unless specified
explicitly. This behavior is different from the now-deprecated
DSA_generate_parameters_ex(), which PKey::DSA.generate used to call.
Fixes https://github.com/ruby/openssl/issues/483
Fixes: https://github.com/ruby/openssl/commit/1800a8d5ebaf ("pkey/dsa: use high level EVP interface to generate parameters and keys", 2020-05-17)
https://github.com/ruby/openssl/commit/0105975a0b
Diffstat (limited to 'ext/openssl')
| -rw-r--r-- | ext/openssl/lib/openssl/pkey.rb | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb index c3e0629091..d51f066b89 100644 --- a/ext/openssl/lib/openssl/pkey.rb +++ b/ext/openssl/lib/openssl/pkey.rb @@ -167,8 +167,16 @@ module OpenSSL::PKey # +size+:: # The desired key size in bits. def generate(size, &blk) + # FIPS 186-4 specifies four (L,N) pairs: (1024,160), (2048,224), + # (2048,256), and (3072,256). + # + # q size is derived here with compatibility with + # DSA_generator_parameters_ex() which previous versions of ruby/openssl + # used to call. + qsize = size >= 2048 ? 256 : 160 dsaparams = OpenSSL::PKey.generate_parameters("DSA", { "dsa_paramgen_bits" => size, + "dsa_paramgen_q_bits" => qsize, }, &blk) OpenSSL::PKey.generate_key(dsaparams) end |