Nikos Mavrogiannopoulos <nmav@gnutls.org> writes:
> I tried to switch gnutls to use dsa_generate_keypair() to generate primes for the DH key exchange, but unfortunately this interface has the strict DSS checks for q_bits.
I'm not sure what the right thing is here.
Simplest would be to just drop these requirements from dsa_generate_keypair, and let it do whatever the caller asks for. Do you think that makes sense?
> Would it be possible to have a dh_generate_keypair() that does the exact same thing without the q_bits and p_bits limitations?
Do you need exactly the same thing for DH? I.e., a group of relatively small size q, which is a subgroup of Z_p^* for some much larger p?
I imagine one might want to rather use primes like p = 2q + 1 or so, so the size q subgroup is almost as large as Z_p. I'm not sure the current code works with q_size = p_size-1.
Related issue, which someone else asked about some week ago, is separating generation of DSA parameters (i.e., p, q, g) from generation of the key pair. Currently, there's no easy way in nettle to generate a key for some pre-specified DSA group. It might be better to have something like
  struct dsa_params { mpz_t p; mpz_t q; mpz_t g; };                      /* shared group */
  struct dsa_private_key { const struct dsa_params *params; mpz_t x; };  /* secret exponent x */
  struct dsa_public_key { const struct dsa_params *params; mpz_t y; };   /* public value y */
(a bit analogous to the new ecdsa code). But that would be a pretty large and incompatible change, so we maybe shouldn't do that, or at least think carefully about compatibility.
Regards, /Niels
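
An added example, not part of the original message and not nettle code: a toy-sized C check of the two group shapes discussed above (a DSA-style group with a small q, and a safe-prime group with p = 2q + 1), plus the subgroup test a DH peer's public value should pass. The names check_group and check_public and all sample values are constructed for illustration; real code would use mpz_t and cryptographic sizes.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy sizes only: p < 2^32, so every product fits in uint64_t. */
static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1, b = b * b % m)
        if (e & 1) r = r * b % m;
    return r;
}

static int is_prime(uint64_t n) {       /* trial division, fine for toy sizes */
    if (n < 2) return 0;
    for (uint64_t d = 2; d * d <= n; d++)
        if (n % d == 0) return 0;
    return 1;
}

enum group_kind { GROUP_INVALID = 0, GROUP_DSA_STYLE, GROUP_SAFE_PRIME };

/* Validate (p, q, g): p and q prime, q divides p-1, and g has order q.
   Since q is prime, g != 1 together with g^q == 1 (mod p) gives order exactly q. */
enum group_kind check_group(uint64_t p, uint64_t q, uint64_t g) {
    if (p >> 32 || !is_prime(p) || !is_prime(q)) return GROUP_INVALID;
    if ((p - 1) % q != 0) return GROUP_INVALID;
    if (g < 2 || g >= p) return GROUP_INVALID;
    if (powmod(g, q, p) != 1) return GROUP_INVALID;
    return p == 2 * q + 1 ? GROUP_SAFE_PRIME : GROUP_DSA_STYLE;
}

/* Accept a peer's public value only if it lies in the order-q subgroup;
   this rejects 1, p-1 and elements of other small subgroups of Z_p^*. */
int check_public(uint64_t p, uint64_t q, uint64_t y) {
    return y > 1 && y < p - 1 && powmod(y, q, p) == 1;
}

int main(void) {
    /* Constructed samples: 607 = 6*101 + 1 (small q), 23 = 2*11 + 1 (safe prime). */
    printf("607/101/64 -> %d\n", check_group(607, 101, 64));
    printf("23/11/4    -> %d\n", check_group(23, 11, 4));
    printf("y=100 ok? %d, y=2 ok? %d\n",
           check_public(607, 101, 100), check_public(607, 101, 2));
    return 0;
}
```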