DSA Key

The DSA Signature requires a SafeNet ProtectToolkit-J DSA public or private Key during initialization. The DSA key may be any length between 512 and 4096 bits (inclusive).

A new SafeNet ProtectToolkit-J DSA key pair can be generated randomly using the KeyPairGenerator, as described in Key Generation, or, a provider-independent form. The AES key may also be stored in the SafeNet ProtectToolkit-J KeyStore as described in Key Storage.

The SafeNet ProtectToolkit-J DSA public and private keys will return the string “DSA” as the algorithm name, “RAW” as the encoding type and null for the encoding.

DSA KeyGenerator

The DSA KeyPairGenerator is used to generate random DSA key pairs. The generated key pair will consist of two hardware keys: the public key and a private key with the Cryptoki CKA_SENSITIVE attribute set. Each key will also share the same set of DSA parameters.

During initialization, the strength parameter may be either 512 or 4096. The default key size is 1024 bits. The random parameter is ignored as the hardware includes a cryptographically-secure random source. Any provided AlgorithmParameterSpec parameters will also be ignored (this precludes generation of keys with non-default parameters). The DSA parameters used for the 512 and 1024 bit keys are as specified in the Java Cryptography Architecture Specification.

Keys generated using the KeyGenerator are not thread-safe. That is, a SafeNet ProtectToolkit-J Key instance may only be used by a single Cipher instance (as well as a single MAC instance) at any given time. SeeKey Generation for information on threading and SafeNet ProtectToolkit-J keys.

The following example will generate a new random 1024 bit key pair:

KeyPairGenerator keyGen = KeyPairGenerator.getInstance(
       “DSA”, “SAFENET”);
KeyPair dsaPair = keyGen.generateKeyPair();

DSA KeyFactory

The DSA KeyFactory is used to construct SafeNet ProtectToolkit-J keys from their provider-independent form. There are two standard provider-independent forms for DSA keys: one for public keys and one for private keys. They are java.security.spec.DSAPublicKeySpec, and java.security.spec.DSAPrivateKeySpec.

Keys generated using the KeyFactory are not thread-safe. That is, a SafeNet ProtectToolkit-J Key instance may only be used by a single Cipher instance (as well as a single MAC instance) at any given time. SeeKey Generation for information on threading and SafeNet ProtectToolkit-J keys.

To convert one of these supported KeySpec classes into a SafeNet ProtectToolkit-J provider key:

KeyFactory dsaKeyFact = KeyFactory.getInstance(“DSA”,
                                               “SAFENET”);
PublicKey pubKey = dsaKeyFact.generatePublic(pubKeySpec);
PrivateKey privKey = dsaKeyFact.generatePrivate(privKeySpec);  

The DSA KeyFactory cannot currently convert SafeNet ProtectToolkit-J keys into their provider independent format so the getKeySpec() method will throw an InvalidKeySpecException. The class also cannot perform any key translation via the translateKey() method.

DSA Example Code

The following example code will create a random DSA key pair, then create a DSA Signature. We will then use this instance to sign the message “hello world” and verify that signature using the public key.

KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA",
                                               "SAFENET");
KeyPair rsaPair = keyGen.generateKeyPair();
Signature dsaSig = Signature.getInstance("DSA",
                                         "SAFENET");
dsaSig.initSign(dsaPair.getPrivate());
dsaSig.update(“hello world”.getBytes());
byte[] sig = dsaSig.sign();
dsaSig.initVerify(dsaPair.getPublic();
dsaSig.update(“hello world”.getBytes());
if (dsaSig.verify()) {
    System.out.println(“Signature okay”);
}
else {
    System.out.println(“Signature fails verification”);
}