#include "prov/implementations.h"
#include "prov/providercommonerr.h"
#include "prov/provider_ctx.h"
+#include "prov/provider_util.h"
#include "crypto/dsa.h"
#include "prov/der_dsa.h"
static OSSL_FUNC_signature_newctx_fn dsa_newctx;
-static OSSL_FUNC_signature_sign_init_fn dsa_signature_init;
-static OSSL_FUNC_signature_verify_init_fn dsa_signature_init;
+static OSSL_FUNC_signature_sign_init_fn dsa_sign_init;
+static OSSL_FUNC_signature_verify_init_fn dsa_verify_init;
static OSSL_FUNC_signature_sign_fn dsa_sign;
static OSSL_FUNC_signature_verify_fn dsa_verify;
-static OSSL_FUNC_signature_digest_sign_init_fn dsa_digest_signverify_init;
+static OSSL_FUNC_signature_digest_sign_init_fn dsa_digest_sign_init;
static OSSL_FUNC_signature_digest_sign_update_fn dsa_digest_signverify_update;
static OSSL_FUNC_signature_digest_sign_final_fn dsa_digest_sign_final;
-static OSSL_FUNC_signature_digest_verify_init_fn dsa_digest_signverify_init;
+static OSSL_FUNC_signature_digest_verify_init_fn dsa_digest_verify_init;
static OSSL_FUNC_signature_digest_verify_update_fn dsa_digest_signverify_update;
static OSSL_FUNC_signature_digest_verify_final_fn dsa_digest_verify_final;
static OSSL_FUNC_signature_freectx_fn dsa_freectx;
EVP_MD *md;
EVP_MD_CTX *mdctx;
size_t mdsize;
+ int operation;
+
} PROV_DSA_CTX;
+/*
+ * Check for valid key sizes if fips mode. Refer to
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+ * "Table 2"
+ */
+static int dsa_check_key_size(const PROV_DSA_CTX *ctx)
+{
+#ifdef FIPS_MODULE
+ size_t L, N;
+ const BIGNUM *p, *q;
+ DSA *dsa = ctx->dsa;
+
+ if (dsa == NULL)
+ return 0;
+
+ p = DSA_get0_p(dsa);
+ q = DSA_get0_q(dsa);
+ if (p == NULL || q == NULL)
+ return 0;
+
+ L = BN_num_bits(p);
+ N = BN_num_bits(q);
+
+ /*
+ * Valid sizes or verification - Note this could be a fips186-2 type
+ * key - so we allow 512 also. When this is no longer suppported the
+ * lower bound should be increased to 1024.
+ */
+ if (ctx->operation != EVP_PKEY_OP_SIGN)
+ return (L >= 512 && N >= 160);
+
+ /* Valid sizes for both sign and verify */
+ if (L == 2048 && (N == 224 || N == 256))
+ return 1;
+ return (L == 3072 && N == 256);
+#else
+ return 1;
+#endif
+}
+
static size_t dsa_get_md_size(const PROV_DSA_CTX *pdsactx)
{
if (pdsactx->md != NULL)
return 0;
}
-static int dsa_get_md_nid(const EVP_MD *md)
+static int dsa_get_md_nid(const PROV_DSA_CTX *ctx, const EVP_MD *md)
{
- /*
- * Because the DSA library deals with NIDs, we need to translate.
- * We do so using EVP_MD_is_a(), and therefore need a name to NID
- * map.
- */
- static const OSSL_ITEM name_to_nid[] = {
- { NID_sha1, OSSL_DIGEST_NAME_SHA1 },
- { NID_sha224, OSSL_DIGEST_NAME_SHA2_224 },
- { NID_sha256, OSSL_DIGEST_NAME_SHA2_256 },
- { NID_sha384, OSSL_DIGEST_NAME_SHA2_384 },
- { NID_sha512, OSSL_DIGEST_NAME_SHA2_512 },
- { NID_sha3_224, OSSL_DIGEST_NAME_SHA3_224 },
- { NID_sha3_256, OSSL_DIGEST_NAME_SHA3_256 },
- { NID_sha3_384, OSSL_DIGEST_NAME_SHA3_384 },
- { NID_sha3_512, OSSL_DIGEST_NAME_SHA3_512 },
- };
- size_t i;
- int mdnid = NID_undef;
-
- if (md == NULL)
- goto end;
-
- for (i = 0; i < OSSL_NELEM(name_to_nid); i++) {
- if (EVP_MD_is_a(md, name_to_nid[i].ptr)) {
- mdnid = (int)name_to_nid[i].id;
- break;
- }
- }
-
- if (mdnid == NID_undef)
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
- end:
- return mdnid;
+ return ossl_prov_digest_get_approved_nid(md, sha1_allowed);
}
static void *dsa_newctx(void *provctx, const char *propq)
mdprops = ctx->propq;
if (mdname != NULL) {
- EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
- int md_nid = dsa_get_md_nid(md);
WPACKET pkt;
+ EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
+ int md_nid = dsa_get_md_nid(ctx, md);
+ size_t mdname_len = strlen(mdname);
if (md == NULL || md_nid == NID_undef) {
+ if (md == NULL)
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
+ "%s could not be fetched", mdname);
+ if (md_nid == NID_undef)
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
+ "digest=%s", mdname);
+ if (mdname_len >= sizeof(ctx->mdname))
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
+ "%s exceeds name buffer length", mdname);
EVP_MD_free(md);
return 0;
}
return 1;
}
-static int dsa_signature_init(void *vpdsactx, void *vdsa)
+static int dsa_signverify_init(void *vpdsactx, void *vdsa, int operation)
{
PROV_DSA_CTX *pdsactx = (PROV_DSA_CTX *)vpdsactx;
return 0;
DSA_free(pdsactx->dsa);
pdsactx->dsa = vdsa;
+ pdsactx->operation = operation;
+ if (!dsa_check_key_size(pdsactx)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
return 1;
}
+static int dsa_sign_init(void *vpdsactx, void *vdsa)
+{
+ return dsa_signverify_init(vpdsactx, vdsa, EVP_PKEY_OP_SIGN);
+}
+
+static int dsa_verify_init(void *vpdsactx, void *vdsa)
+{
+ return dsa_signverify_init(vpdsactx, vdsa, EVP_PKEY_OP_VERIFY);
+}
+
static int dsa_sign(void *vpdsactx, unsigned char *sig, size_t *siglen,
size_t sigsize, const unsigned char *tbs, size_t tbslen)
{
}
static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname,
- void *vdsa)
+ void *vdsa, int operation)
{
PROV_DSA_CTX *pdsactx = (PROV_DSA_CTX *)vpdsactx;
return 0;
pdsactx->flag_allow_md = 0;
- if (!dsa_signature_init(vpdsactx, vdsa))
+ if (!dsa_signverify_init(vpdsactx, vdsa, operation))
return 0;
if (!dsa_setup_md(pdsactx, mdname, NULL))
return 0;
}
+static int dsa_digest_sign_init(void *vpdsactx, const char *mdname,
+ void *vdsa)
+{
+ return dsa_digest_signverify_init(vpdsactx, mdname, vdsa, EVP_PKEY_OP_SIGN);
+}
+
+static int dsa_digest_verify_init(void *vpdsactx, const char *mdname, void *vdsa)
+{
+ return dsa_digest_signverify_init(vpdsactx, mdname, vdsa, EVP_PKEY_OP_VERIFY);
+}
+
int dsa_digest_signverify_update(void *vpdsactx, const unsigned char *data,
size_t datalen)
{
OSSL_PARAM_END
};
-static const OSSL_PARAM *dsa_gettable_ctx_params(ossl_unused void *provctx)
+static const OSSL_PARAM *dsa_gettable_ctx_params(ossl_unused void *vctx)
{
return known_gettable_ctx_params;
}
* params if the ctx is being used for a DigestSign/DigestVerify? In that
* case it is not allowed to set the digest size/digest name because the
* digest is explicitly set as part of the init.
+ * NOTE: Ideally we would check pdsactx->flag_allow_md, but this is
+ * problematic because there is no nice way of passing the
+ * PROV_DSA_CTX down to this function...
+ * Because we have API's that dont know about their parent..
+ * e.g: EVP_SIGNATURE_gettable_ctx_params(const EVP_SIGNATURE *sig).
+ * We could pass NULL for that case (but then how useful is the check?).
*/
return known_settable_ctx_params;
}
const OSSL_DISPATCH dsa_signature_functions[] = {
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))dsa_newctx },
- { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))dsa_signature_init },
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))dsa_sign_init },
{ OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))dsa_sign },
- { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))dsa_signature_init },
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))dsa_verify_init },
{ OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))dsa_verify },
{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
- (void (*)(void))dsa_digest_signverify_init },
+ (void (*)(void))dsa_digest_sign_init },
{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
(void (*)(void))dsa_digest_signverify_update },
{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
(void (*)(void))dsa_digest_sign_final },
{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
- (void (*)(void))dsa_digest_signverify_init },
+ (void (*)(void))dsa_digest_verify_init },
{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
(void (*)(void))dsa_digest_signverify_update },
{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
PrivPubKeyPair = DSA-1024-BIS:DSA-1024-PUBLIC
Result = KEYPAIR_MISMATCH
+
+
+PrivateKey = DSA-1024-FIPS186-2
+-----BEGIN PRIVATE KEY-----
+MIIBWgIBADCCATMGByqGSM44BAEwggEmAoGBALRSnNcjMPIl4tekT5D3AgqsK042
+Ar1dGKeJCmWrSngAELtSH0yZCwsbl7wLEgG2lfusbn5sdtbpFioKInohZruRhzwC
+59GRXjAFD0QPhVE/qy6Oto+8WIHAa/RiEIkxRfTiAe9Ach56k9lZYONDUHDqH38u
+UIfjoUN+jlzoJcWbAh0A6TfgjmB+CxvxG/2pz8OAXXfNP8/JLfYvolE/fwKBgH7l
+jLeoOofKc+rwO2Fha8nuFddXRSePZKzC7mRQsPXwfvX5V6msU2xizjdPIsqVu7qA
+Bcc1YMd7/5C3vaKuS21DxBOs7nAHbO9ZZtGlpUAnJwM/P09nMb3yG6tR9LF3AQmu
+Kr2KShQB0FlSgvcCDTX7g8eJ/UuIWo6wX4hSdHDhBB4CHAdVVg1m5ikOICUBo37Y
+/TqkTaCFsMDwcDc20Jg=
+-----END PRIVATE KEY-----
+
+PrivateKey = DSA-2048-224
+-----BEGIN PRIVATE KEY-----
+MIICXAIBADCCAjUGByqGSM44BAEwggIoAoIBAQDVjuiHR3XA9yAjToNQOmdg2rN9
+0A4mIEV3XGy1nqaKZXdavdXcsAGLmttZ/gfiHi0JNh3rxj4dbvcaN+K0IWXq6hAY
+6ZOvDZ0FH5DRH63Ecd8fWY/BMDr178sOINkPG8hLRmYcrAp/4woMBPxkEtQBfl4R
+POus+OYS4sJpl8wEgfy0HhLXkkN4YQhBf57NvQ7+LcwaErDcNLRguI3TRzflhNEh
+ieBfYtIIgISIi0yMsxOINopuHeAmcANLjyUqkQ44xcJ0kM+OoAKFq/XukkTj++iP
+9Okh+bmNEo23RtM4qqScZyUIX4bPyynbkMdu01ZG+q8PEhyoxGpHkMT6kYHBAh0A
+/rbeX9L8STLoLIsLUMbdPVLWvnLyLooSygawvwKCAQAhscCNIY/bPZ6DRULS8i4G
+0f+9chMR+C5tNykaTzCUxRjObOWKu0z1JyViiafcAoV8j1e64xRxA4a8g9RrKilK
+KztCJfwIJCeHIjHi/dvIR0z1SDeNNVpFacAT+DF5G+sMqS8Mael0MnEcR2sNkw+1
+MVIO5tinKWAFM087hsSmKs/uIvdVexH2ptKKehxTFjs8ySfAMiMfqhaC2JgPCFL1
+jUpAIvs4oCx2yZKvq+TzJOq8LRHG3qSHa0BcNVPKfVkmVJRg4ETzza1/e14Re1BR
+si7RL7EtHuFiFjYiWTGueT+e0jdBS8CoafD1V/I7NPqVmGc5NeaRv4n+ESpDSX+z
+BB4CHBN2hfQxLXg+t/MNcza5M0WoAWna5JzQBAtDzIM=
+-----END PRIVATE KEY-----
+
+PrivateKey = DSA-2048-256
+-----BEGIN PRIVATE KEY-----
+MIICZQIBADCCAjoGByqGSM44BAEwggItAoIBAQDAuDj/d/t7n4013h18atbOYg4Q
+oWZPLmA7MvFABqrlv9lfa0dRGhOHyXClHh2bsNMwk3txKjTaTwjM9v80xe47y2lv
+34DPEKaWf+6HGcsu313kjIoAITO61HK0TJXjm0BV2uzZQFmvVHwEZmt7uGFcTc4t
+Vl71Z+MjhlMqpOmXIL/OBJkMOE1CXF/b6oKyXJvyZRpE4oxS+8B1l7d/N0B1XhQl
+EMToFwmvsKfeeK24wDfxasfbNbQ7Zih/5HylWtNXbvldnOf6cfPPPM6FO7HVI9R5
+llQKxFWujVrX0IOXu89xT8t+/ICKJtLKD5HzmeH1Y6LO+Qnsu5tW8IhnDHKLAiEA
+prlohsCeURHqsKcqtMElD7vg+Ati8OKgdo79/ktz9bMCggEBALC9Awm0lClgvefU
+inwV6gQppvAQttX7fUGjnrmuAXjw/pm4MBuzkR1P7vm2IY51+SopK+ZvgXXXnWGQ
+m8y3DCuoSnfE6Y+NpAfL9iJxy5W+ByvW75GW7/Lj5hR/igKKuYhfGYT/2eIGtdQ2
+C2tcWTcV7Gfk60WSw9eLUtKCUjBHaoFHFMo3MWH64Fc0xVEQ1DLgEC5Y3TLmiLBx
+VOGpp5ZFeAc52n/W4afbBcQ5ifGFPwgcS7+WdnUUs7awuCCldh74kz58kdTJAztZ
+ZjjK728BYEE4P6itUNtr3jgNzhqwTBFvOwWCQA//a7vpyqtHMzDmpcVuDx6f4iP3
+aghyxFAEIgIgK1Ct6iRtcq01mdt4EGRrkiAHBr5zTcAgbv5ZaU99pmQ=
+-----END PRIVATE KEY-----
+
+PrivateKey = DSA-3072-256
+-----BEGIN PRIVATE KEY-----
+MIIDZgIBADCCAzoGByqGSM44BAEwggMtAoIBgQCvf6pPUvu2J7j4aaGcpEkfjX7e
+DvM5qlpuf2GDwbWFQpkxeRFtmd5EFbgNvRMsLyfTA3KWd4k2nFug2Uf5kFJ0rOcI
+nToVcrPjg8onD43Rcknvmu5grsjDvCFMmWFu361LbWxZCgGCwSUv4P647kS5ccaD
+k0o4f+a8YWLahop/HowqoN8/TvC/izdN0WvRYKeegJcBzaaBKWsBS8ucu0jEh5S3
+PCAQRFoKNRPjUzjIhycIlpdmI5BG72SkvSSMef9wvGl72FN2t3v5dbWjl7QgghU5
+0BB/RlueApJgrFhadE/0ZJKSukPMbL9a0L1xZl01iJYraa76rn5weVkU8sW7BN7C
+oHTovusrls/AtEBKXKC47rNnfSc9VwfwdNBuvs33Ga872575bjOunQiXQRxuuqjq
+u3MyixPygIy+MmjhjPhnpYnb+1sytpoN1UOTi9QMHWLp2ExYvurda6n4nCjbJBcB
+DvWPyapslDP+yT/3aEH0ctqu/QMk3rPxBAzVytUCIQD/CwBYEWtyd6IoiqcWVMT5
+4k1cKfg5ZbNu7mG3iS+iSwKCAYEAm1QNpGrOS2orCVUP80KQFTQwg37tlynJjXev
+ORdBgDXpIjFcdEgsEx9cHzlOywBDQWxHLXRukvgQbx7dCq2RgEM6Fo6ngbhj87zw
+dLFdXxj/TU0fJPhj3VIF2qu5vG1SZRu4zKNZ6uoJP7R4/7o/shHOoTyCOigRew4X
+A2P9eIxpEv/KXRznxjG1IcAQJcPYBDwjE555WNHL0jzzKEyxyxmkm9ThEpleW7HU
+ij78B5O45V/AHVF7oB/L+Aqmbc2dZy8EtShsMKqSMdFWjV0BnuzsPt9KmKT+rbj6
+MpqgdaKPEsYVD4Nk6EWEyYbWmELtS9jKH5E4Z/pqFGeamsiD5Sn0ap7SGa81BtA+
+s7FMG851b2jtRw0RB4+boGx0Lt43WbytfmW445i4h/NMB0nE/pzjIIjD3URdNoaS
+2G2eZcW/aC9bKkOoAr2USSlgylPCkz2a/CAx7i925HOZ2dw9HJ940vkAoxP+nMQv
+kMzKKeM5QVgAeRwjDqRk9uCWD7VyBCMCIQDxycQrIIL4PxAoPIM7//v8mL7A3YSW
+o3mO5AXuBuEe2g==
+-----END PRIVATE KEY-----
+
+PrivateKey = DSA-3072-224
+-----BEGIN PRIVATE KEY-----
+MIIDXAIBADCCAzUGByqGSM44BAEwggMoAoIBgQDEY9anVQ8qwdz77IQx1bSmu5MI
+mP7pf9IUXbH5fZFrCjlDu34w2WvsdDRrM2/isvKb/wj+sgg5dx5bWRn/+xolwu8l
+upmD6KMJ07t9SSla155tkvS/8hU5AD8elH9vV+HlTPKRHNF1X3jFJRVay64O+vFX
+WRe7t3yBFv/VqkhnYwm5aymMK6/TXR1znJzrMNgU1Ao3unhjaFnRsldHVHjXrA4y
+rJRMsa4r5BCPQNK8iXKabAw19oiRbRvqs3YfzoR1HqZ3LGO1/p9ECoc/QW0uI1Za
+LYQli1aNtNmtYhwKvy7O8IzjrbjkDRgl/TtDmtfpDnM6FkQebgU0OxQXTOwZgtEV
+a7VY+EwG1q+Qab7uvuO2YJ7Mk2JKmu4u0Gz7tq5N+hEN4P5UMC/MUw6ftLCGN6l6
+ycEJHMgGzDsAKEJW6NcXneY3vXpdaRGnuxyUKI86wQd3Qg1Mm3H1gqtkd48owIJm
+RtE/u91T4OJOcwVm2FxDgmMsb0LwqAELL+I9RH8CHQDNAddLZ4ovSccoD+s06I+X
+d+GzJ8cNcbn4H1TVAoIBgAmwgz0CjHaacOiXcQ4GLw0kN2IpXKAXYma1vDlDcesT
+lY8dcGsX2UjuLnfegMRkb5FMGZ8TDjgDG4vLo2p1ybt7S7s0hn56bju5HZLSOmAp
+nu5M15iZxDzgVvhRkB0EG/aw5i6iq22JUA5SUAGYLemcZIuukIDu6vhTeK2125qa
+q+Uc0/kyPMOf0zABo+I2wWNmZgdq26F147Yrf06VY3ekxcER1vAUfVBHxeYPfdZR
+N8ztdzYTPtCSxyIWATUxYvWxsaxqNckjXLZp5t9L72Zc8k5swsBDIAabhJTiQrRS
+hkhD0UOCf2pUNFcHIxLqYskOycEjtmKrAYbrHZDRw5CzP5ABaDYwqgxi2ZSt/tv4
+iYUhX4tRicGeAWLM7D3LxG+P/6q7dJ/Gjjx8gmbcBJKcjVDGp/b8xn1WY83gbNEJ
+HOAqdXyxgnQL+E581jk13LixzoOboyrhryFqVoMarZOXEAQKToG24tj5DO7LmviW
+8hzXTwJmVlKblGJxVmqDuQQeAhx6PjOtN4DxhxZdoX8+lU7C6CWYvyQbJOER0XVn
+-----END PRIVATE KEY-----
+
+PrivateKey = DSA-4096-256
+-----BEGIN PRIVATE KEY-----
+MIIEZQIBADCCBDoGByqGSM44BAEwggQtAoICAQD9m23nz0MOXi3GFvuv+Qpva9Ms
+oZ/oPS1sYy/JtxvBtEjWv0b0wxtLAiASkBBhaqC1Qy+9O7dC7s5wze/0v/mAxFtF
+X18KhMWSRtgiGOWzg6Nyog+Dus224Qa6wfYC1+lcGG/TmDLSmukBrVzd/71pSOkT
+6O3v5hx1JOdJzzNPt1kjq31B1/2h9OXnARg1JDCLHP6fxRkWj2ThwU+FwlKTpo+d
+MsC0Xl93t1lBOiS5VsHLSZIeqsInEj3bWBTT6C5q0huZKBQ9iT3SwAq/gG8KL9DV
+MGSWQwAQdUpQWcv6JDwLb6h6QhHmzclDCF8JAGRzLA9kDWbmYPXQuVxj1//LuJba
+fMe6tLWBuAMeQNFuB/pro2dszbo8GDOYEaOfogG86x9hfgBoPufU0oHlfhj3nhO8
+cLYwvhRkN/ZZyTM5/1aHQNvp6S+sIGD1WFKPxMZuTH2k01I0s8ESGrlWpnPgwNQx
+iwx+dlXLFZNdDOiS+Mb9JPSuJ/xDagHmQzG0gxYiLfWQKjAMol4niB6mGIm0gEYq
+Rw9OEHE/ghzBMbr6M+BLDm7PDac5y1a3L6l9e0Yq9h+4bwqTqZIpNIsRS4A0lmXd
+IXs54dQmTwF75cMWjOAOYwxua97I4Ci3nkJWiozBugoGrKTSkeNX21uMfVJKidjd
+j79Vlz79qnMSB42sqwIhAPwv8XkIkZvnDKTTowvUy8L6V/SxF7KZFtvX5Mx4KJt7
+AoICAQDdWpUSEpBLdFiu6MzqdWnRv9pt8BEu0sC9Z+xE3VrpDKqqnK2Rhtye0yIk
+4fofLl9VF2J4P6hzDcCu8QEDj0K3dWQR+BU1WMBHMCTHrTM51XAqbjR1H3ZYWVxC
+WgWrVGQkcD55TrM2RYBKH6Wa7K9HeFVJcdHrh0AZb4lXIBZHf0+71cOfZH8w1ufl
+yKzYNMGY9+eoU3Pm0D5gBO/69uWDrK21SJMW3Fpqm4rgeHtNhR4oI6cagyo2+XfD
+e+ivCk5XKCXgImKpKDMuKhJy0K4vZFjVHeIWl2mf1zyhmCxuAcGEf9dRVKtnQQGS
+8uJGddKuda67J9vecN78H2nhsZcU9DRPzgjW+tUTwSX3ycW/hEA65kN5PUSpj8Ax
+7gZN5Jn8bGNlCgLItHQMscGDo0L47+bN8G8JguZr+hpNFKmYMpbQ15yHaRU7DR36
+Zx91SEQ1o8Kn8mNT37RBYk/vZij9P8QRnn3pen9Ha5CBNs6/8RERaUJ84kSCV0iL
+4/ed3syr8bek8a2rN6qhLZSKfYwLdiu0VaBsmJrOoE7xNgJ+f0g7aTptO1NOiwtY
+ftiDvljQGG1QhAv9i1uSmz6EPYn3VCJPadxX8mlPmpGCewk8ycOV1IFgCK86cdTl
+bDfJavyQoCWW6EF260m2+rWtl6ILGhhWIbDN5KfXBhrOPvxvHQQiAiBZM1KxUjGw
+h2C/91Z0b0Xg4QYNOtVUbfqQTJQAqEpaRg==
+-----END PRIVATE KEY-----
+
+
+Title = FIPS Tests (using different key sizes and digests)
+
+# Test sign with a 2048 bit key with N == 224 is allowed in fips mode
+DigestSign = SHA256
+Key = DSA-2048-224
+Input = "Hello"
+Output = 00
+Result = SIGNATURE_MISMATCH
+
+# Test sign with a 2048 bit key with N == 256 is allowed in fips mode
+DigestSign = SHA256
+Key = DSA-2048-256
+Input = "Hello"
+Result = SIGNATURE_MISMATCH
+
+# Test sign with a 3072 bit key with N == 256 is allowed in fips mode
+DigestSign = SHA256
+Key = DSA-3072-256
+Input = "Hello"
+Result = SIGNATURE_MISMATCH
+
+# Test sign with a 2048 bit SHA3 is allowed in fips mode
+DigestSign = SHA3-224
+Key = DSA-2048-256
+Input = "Hello"
+Result = SIGNATURE_MISMATCH
+
+# Test verify with a 1024 bit key is allowed in fips mode
+DigestVerify = SHA256
+Key = DSA-1024
+Input = "Hello "
+Output = 302c02142e32c8a5b0bd19b2ba33fd9c78aad3729dcb1b9e02142c006f7726a9d6833d414865b95167ea5f4f7713
+
+# Test verify with SHA1 is allowed in fips mode
+DigestVerify = SHA1
+Key = DSA-1024
+Input = "Hello "
+Output = 302c0214602d21ed37e46051bb3d06cc002adddeb4cdb3bd02144f39f75587b286588862d06366b2f29bddaf8cf6
+
+Title = Fips Negative Tests (using different key sizes and digests)
+
+# Test sign with a 1024 bit key is not allowed in fips mode
+Availablein = fips
+DigestSign = SHA256
+Key = DSA-1024-FIPS186-2
+Input = "Hello"
+Result = DIGESTSIGNINIT_ERROR
+
+# Test sign with SHA1 is not allowed in fips mode
+Availablein = fips
+DigestSign = SHA1
+Key = DSA-2048
+Input = "Hello"
+Result = DIGESTSIGNINIT_ERROR
+
+# Test sign with a 3072 bit key with N == 224 is not allowed in fips mode
+Availablein = fips
+DigestSign = SHA256
+Key = DSA-3072-224
+Input = "Hello"
+Result = DIGESTSIGNINIT_ERROR
+
+# Test sign with a 4096 bit key is not allowed in fips mode
+Availablein = fips
+DigestSign = SHA256
+Key = DSA-4096-256
+Input = "Hello"
+Result = DIGESTSIGNINIT_ERROR