SKE tests

FrantisekKrenzelok · FrantisekKrenzelok · commit 88d9c81d9267 · 2021-02-18T16:58:38.000+01:00
diff --git a/tests/serverDSACert.pem b/tests/serverDSACert.pem
@@ -0,0 +1,121 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: dsa_with_SHA256
+        Issuer: O=Example CA
+        Validity
+            Not Before: Feb  8 14:15:57 2021 GMT
+            Not After : Feb  8 14:15:57 2022 GMT
+        Subject: O=dsa server, CN=localhost
+        Subject Public Key Info:
+            Public Key Algorithm: dsaEncryption
+                pub: 
+                    58:7d:8d:91:6b:69:46:d6:4e:02:2f:e4:c5:c5:da:
+                    62:1b:0f:c6:96:ba:e6:6c:ba:c5:d9:20:b4:9c:4e:
+                    e9:97:53:44:05:50:01:d1:a4:d5:ad:2e:80:14:77:
+                    05:65:a2:ce:8b:c7:ae:a4:40:45:0f:4e:24:d9:c9:
+                    e7:3e:1f:8a:1b:7d:90:24:38:f2:fe:a0:16:08:2a:
+                    aa:b5:bd:79:bb:1f:04:e2:f1:be:e6:01:18:8b:27:
+                    d5:b4:9e:96:81:7a:df:99:4e:4c:2a:25:c6:15:ef:
+                    33:09:f7:b2:b2:bb:84:42:b4:23:78:fa:52:76:61:
+                    12:b6:09:06:e0:84:e3:55:58:df:97:83:77:be:6f:
+                    5a:b4:96:77:96:f9:50:fe:1e:78:68:fc:8f:69:37:
+                    84:0b:6a:9e:d4:5e:13:f5:f2:fc:4c:89:66:44:24:
+                    46:7f:5c:d3:c1:48:84:63:5a:1d:27:26:1c:dc:24:
+                    fd:c0:43:18:51:6b:1b:e7:72:73:29:dd:99:d4:f6:
+                    38:90:d5:9b:b2:86:bc:67:35:3a:27:35:eb:56:97:
+                    98:e9:26:78:86:e3:a2:f7:f1:c3:cf:88:77:92:fe:
+                    4d:cf:44:9f:2b:67:f7:8d:1c:99:37:df:89:f9:fb:
+                    de:9e:1c:a6:c1:d6:cf:13:16:92:cf:af:00:60:3c:
+                    e1
+                P:   
+                    00:95:c5:2e:aa:36:d7:2d:29:20:29:26:a5:17:1b:
+                    1f:c3:9e:09:8d:7f:f1:7a:57:e0:3a:5e:da:0b:f6:
+                    b9:14:5e:2a:7b:6d:aa:6f:e6:6e:eb:6c:0f:f2:5c:
+                    ad:0e:ce:d5:ae:6a:b2:a1:bf:18:a0:96:d8:b0:b0:
+                    00:c9:e5:97:81:b6:41:af:e0:6f:cf:18:cf:91:3a:
+                    3b:de:04:20:f5:36:9c:55:52:72:06:cb:77:45:9d:
+                    83:64:f5:dc:a3:17:3d:69:51:28:2a:d1:47:8a:6a:
+                    b3:d2:72:8a:2b:d8:b5:36:fb:4f:e7:ab:1c:85:c3:
+                    a6:a4:46:9a:33:19:f6:2a:c3:af:e7:50:44:ff:b8:
+                    06:46:ce:c2:f5:94:09:bd:c3:0a:31:8e:32:8b:a4:
+                    3f:82:0c:df:0a:f5:a9:8a:2a:7a:5e:75:f1:a3:fc:
+                    7d:5d:6e:0a:2e:18:8a:3b:4f:90:8f:c9:36:63:42:
+                    d1:3e:6e:19:cd:22:76:09:e4:49:57:3f:51:95:f7:
+                    9b:4b:df:32:26:c0:ba:b8:da:ea:e2:9d:b2:11:ab:
+                    a1:fe:a4:df:ca:73:8c:1e:7d:2e:8e:e3:8a:ca:6a:
+                    bf:45:47:0d:0d:82:1c:d0:51:58:d4:25:dc:3d:fa:
+                    5c:e6:ef:27:86:b0:02:8f:30:51:41:78:fb:27:9b:
+                    af:33
+                Q:   
+                    00:9a:13:45:eb:94:f3:58:b7:82:7b:3b:67:16:4d:
+                    03:54:f8:aa:aa:8d:71:ca:83:3c:7a:e2:b5:2e:5d:
+                    bc:f2:e1
+                G:   
+                    20:ad:7e:c1:9b:e4:ba:7d:ca:7b:5b:cd:d6:97:48:
+                    e8:bf:6b:a3:ea:bc:ab:c1:05:7a:8f:7b:11:dd:9d:
+                    a7:f2:5d:08:5e:fd:b1:ad:a0:d6:e8:87:58:75:bf:
+                    5b:f7:3a:70:45:a4:95:a3:00:04:2b:c1:73:dd:f5:
+                    fb:67:01:4b:81:67:61:47:25:0b:6f:ea:2d:25:a2:
+                    66:53:1b:2f:2e:54:8b:c4:6c:0b:da:cd:f6:58:02:
+                    37:02:ef:f9:42:d8:97:55:a0:13:ba:25:19:aa:5e:
+                    50:53:00:a2:0e:ac:64:62:12:01:c5:7a:02:27:de:
+                    3d:de:dc:85:12:bb:8f:04:6f:c2:b9:92:40:b8:92:
+                    0d:37:d5:90:b5:22:91:63:7e:c7:8d:0f:cd:67:fe:
+                    85:25:b6:3b:5e:14:c4:7f:8b:09:21:d6:b1:da:fb:
+                    5f:6b:f7:23:76:22:93:0a:ef:45:a4:00:2f:4c:fa:
+                    ce:b9:ee:66:4f:92:9f:e7:ee:5f:09:67:59:5c:62:
+                    17:92:16:28:fc:7d:8e:8b:61:c7:d3:d5:a9:98:9a:
+                    7d:bf:3e:7c:1e:d8:c0:ca:a9:46:fe:b4:78:cb:b3:
+                    11:ce:23:c8:96:32:55:f8:46:f1:ea:6a:7e:4a:8f:
+                    f0:88:7c:67:7d:bb:3b:1d:6c:af:81:54:9e:75:09:
+                    73
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Subject Key Identifier: 
+                DC:23:24:9D:CD:AA:94:15:82:E7:8F:D8:31:E9:0C:71:33:83:EA:4A
+            X509v3 Authority Key Identifier: 
+                keyid:EE:29:FB:C3:3C:CF:14:4D:99:D1:A1:3C:09:D4:95:F4:52:CA:DB:42
+                DirName:/O=Example CA
+                serial:01
+
+    Signature Algorithm: dsa_with_SHA256
+         r:   
+             73:8f:48:44:e7:69:0e:e3:ea:cd:04:2c:cf:41:08:
+             e0:9e:46:ee:ee:2d:c1:6e:16:9e:ca:71:ab:0d:d5:
+             a6:c3
+         s:   
+             1f:92:62:3b:02:8e:eb:6a:08:dd:40:9b:d5:84:11:
+             6a:8c:8a:73:06:03:85:a9:e8:f4:18:0c:11:35:db:
+             b5:4b
+-----BEGIN CERTIFICATE-----
+MIIEpDCCBEqgAwIBAgIBAjALBglghkgBZQMEAwIwFTETMBEGA1UECgwKRXhhbXBs
+ZSBDQTAeFw0yMTAyMDgxNDE1NTdaFw0yMjAyMDgxNDE1NTdaMCkxEzARBgNVBAoM
+CmRzYSBzZXJ2ZXIxEjAQBgNVBAMMCWxvY2FsaG9zdDCCA0YwggI5BgcqhkjOOAQB
+MIICLAKCAQEAlcUuqjbXLSkgKSalFxsfw54JjX/xelfgOl7aC/a5FF4qe22qb+Zu
+62wP8lytDs7Vrmqyob8YoJbYsLAAyeWXgbZBr+BvzxjPkTo73gQg9TacVVJyBst3
+RZ2DZPXcoxc9aVEoKtFHimqz0nKKK9i1NvtP56schcOmpEaaMxn2KsOv51BE/7gG
+Rs7C9ZQJvcMKMY4yi6Q/ggzfCvWpiip6XnXxo/x9XW4KLhiKO0+Qj8k2Y0LRPm4Z
+zSJ2CeRJVz9RlfebS98yJsC6uNrq4p2yEauh/qTfynOMHn0ujuOKymq/RUcNDYIc
+0FFY1CXcPfpc5u8nhrACjzBRQXj7J5uvMwIhAJoTReuU81i3gns7ZxZNA1T4qqqN
+ccqDPHritS5dvPLhAoIBACCtfsGb5Lp9yntbzdaXSOi/a6PqvKvBBXqPexHdnafy
+XQhe/bGtoNboh1h1v1v3OnBFpJWjAAQrwXPd9ftnAUuBZ2FHJQtv6i0lomZTGy8u
+VIvEbAvazfZYAjcC7/lC2JdVoBO6JRmqXlBTAKIOrGRiEgHFegIn3j3e3IUSu48E
+b8K5kkC4kg031ZC1IpFjfseND81n/oUltjteFMR/iwkh1rHa+19r9yN2IpMK70Wk
+AC9M+s657mZPkp/n7l8JZ1lcYheSFij8fY6LYcfT1amYmn2/Pnwe2MDKqUb+tHjL
+sxHOI8iWMlX4RvHqan5Kj/CIfGd9uzsdbK+BVJ51CXMDggEFAAKCAQBYfY2Ra2lG
+1k4CL+TFxdpiGw/GlrrmbLrF2SC0nE7pl1NEBVAB0aTVrS6AFHcFZaLOi8eupEBF
+D04k2cnnPh+KG32QJDjy/qAWCCqqtb15ux8E4vG+5gEYiyfVtJ6WgXrfmU5MKiXG
+Fe8zCfeysruEQrQjePpSdmEStgkG4ITjVVjfl4N3vm9atJZ3lvlQ/h54aPyPaTeE
+C2qe1F4T9fL8TIlmRCRGf1zTwUiEY1odJyYc3CT9wEMYUWsb53JzKd2Z1PY4kNWb
+soa8ZzU6JzXrVpeY6SZ4huOi9/HDz4h3kv5Nz0SfK2f3jRyZN9+J+fvenhymwdbP
+ExaSz68AYDzho4GGMIGDMA4GA1UdDwEB/wQEAwIDqDATBgNVHSUEDDAKBggrBgEF
+BQcDATAdBgNVHQ4EFgQU3CMknc2qlBWC54/YMekMcTOD6kowPQYDVR0jBDYwNIAU
+7in7wzzPFE2Z0aE8CdSV9FLK20KhGaQXMBUxEzARBgNVBAoMCkV4YW1wbGUgQ0GC
+AQEwCwYJYIZIAWUDBAMCA0cAMEQCIHOPSETnaQ7j6s0ELM9BCOCeRu7uLcFuFp7K
+casN1abDAiAfkmI7Ao7ragjdQJvVhBFqjIpzBgOFqej0GAwRNdu1Sw==
+-----END CERTIFICATE-----
diff --git a/tests/serverDSAKey.pem b/tests/serverDSAKey.pem
@@ -0,0 +1,20 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIDVQIBAAKCAQEAlcUuqjbXLSkgKSalFxsfw54JjX/xelfgOl7aC/a5FF4qe22q
+b+Zu62wP8lytDs7Vrmqyob8YoJbYsLAAyeWXgbZBr+BvzxjPkTo73gQg9TacVVJy
+Bst3RZ2DZPXcoxc9aVEoKtFHimqz0nKKK9i1NvtP56schcOmpEaaMxn2KsOv51BE
+/7gGRs7C9ZQJvcMKMY4yi6Q/ggzfCvWpiip6XnXxo/x9XW4KLhiKO0+Qj8k2Y0LR
+Pm4ZzSJ2CeRJVz9RlfebS98yJsC6uNrq4p2yEauh/qTfynOMHn0ujuOKymq/RUcN
+DYIc0FFY1CXcPfpc5u8nhrACjzBRQXj7J5uvMwIhAJoTReuU81i3gns7ZxZNA1T4
+qqqNccqDPHritS5dvPLhAoIBACCtfsGb5Lp9yntbzdaXSOi/a6PqvKvBBXqPexHd
+nafyXQhe/bGtoNboh1h1v1v3OnBFpJWjAAQrwXPd9ftnAUuBZ2FHJQtv6i0lomZT
+Gy8uVIvEbAvazfZYAjcC7/lC2JdVoBO6JRmqXlBTAKIOrGRiEgHFegIn3j3e3IUS
+u48Eb8K5kkC4kg031ZC1IpFjfseND81n/oUltjteFMR/iwkh1rHa+19r9yN2IpMK
+70WkAC9M+s657mZPkp/n7l8JZ1lcYheSFij8fY6LYcfT1amYmn2/Pnwe2MDKqUb+
+tHjLsxHOI8iWMlX4RvHqan5Kj/CIfGd9uzsdbK+BVJ51CXMCggEAWH2NkWtpRtZO
+Ai/kxcXaYhsPxpa65my6xdkgtJxO6ZdTRAVQAdGk1a0ugBR3BWWizovHrqRARQ9O
+JNnJ5z4fiht9kCQ48v6gFggqqrW9ebsfBOLxvuYBGIsn1bSeloF635lOTColxhXv
+Mwn3srK7hEK0I3j6UnZhErYJBuCE41VY35eDd75vWrSWd5b5UP4eeGj8j2k3hAtq
+ntReE/Xy/EyJZkQkRn9c08FIhGNaHScmHNwk/cBDGFFrG+dycyndmdT2OJDVm7KG
+vGc1Oic161aXmOkmeIbjovfxw8+Id5L+Tc9Enytn940cmTffifn73p4cpsHWzxMW
+ks+vAGA84QIgDR0eOWXgG++QAwl7Lsm1QDQEAL2XvHMGL978OfObntM=
+-----END DSA PRIVATE KEY-----
diff --git a/tests/tlstest.py b/tests/tlstest.py
@@ -849,6 +849,34 @@ def connect():
 
     test_no += 1
 
+    print("Test {0} - good X.509 DSA, SSLv3".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 0)
+    settings.maxVersion = (3, 0)
+    connection.handshakeClientCert(settings=settings)
+    testConnClient(connection)
+    assert connection.session.cipherSuite in\
+            constants.CipherSuite.dheDsaSuites
+    assert isinstance(connection.session.serverCertChain, X509CertChain)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - good X.509 DSA, TLSv1.2".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 3)
+    settings.maxVersion = (3, 3)
+    connection.handshakeClientCert(settings=settings)
+    testConnClient(connection)
+    assert connection.session.cipherSuite in\
+            constants.CipherSuite.dheDsaSuites
+    assert isinstance(connection.session.serverCertChain, X509CertChain)
+    connection.close()
+
     print("Test {0} - good mutual X.509, TLSv1.3 no certs".format(test_no))
     synchro.recv(1)
     connection = connect()
@@ -1704,6 +1732,13 @@ def connect():
         x509KeyECDSANonCA = parsePEMKey(f.read(), private=True,
                                        implementations=["python"])
 
+    with open(os.path.join(dir, "serverDSACert.pem")) as f:
+        x509CertDSA = X509().parse(f.read())
+    x509ChainDSA = X509CertChain([x509CertDSA])
+    assert x509CertDSA.certAlg == "dsa"
+    with open(os.path.join(dir, "serverDSAKey.pem")) as f:
+        x509KeyDSA = parsePEMKey(f.read(), private=True,
+                                    implementations=["python"])
     test_no = 0
 
     print("Test {0} - Anonymous server handshake".format(test_no))
@@ -1819,6 +1854,7 @@ def connect():
 
     test_no += 1
 
+
     print("Test {0} - good X.509 ECDSA, SSLv3".format(test_no))
     synchro.send(b'R')
     connection = connect()
@@ -2284,6 +2320,33 @@ def connect():
 
     test_no += 1
 
+    print("Test {0} - good X.509 DSA, SSLv3".format(test_no))
+    synchro.send(b'R')
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 0)
+    settings.maxVersion = (3, 0)
+    connection.handshakeServer(certChain=x509ChainDSA,
+                               privateKey=x509KeyDSA, settings=settings)
+    assert not connection.extendedMasterSecret
+    testConnServer(connection)
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - good X.509 DSA, TLSv1.2".format(test_no))
+    synchro.send(b'R')
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 3)
+    settings.maxVersion = (3, 3)
+    connection.handshakeServer(certChain=x509ChainDSA,
+                               privateKey=x509KeyDSA, settings=settings)
+    testConnServer(connection)
+    connection.close()
+
+    test_no += 1
+
     print("Test {0} - good mutual X.509, TLSv1.3 no certs".format(test_no))
     synchro.send(b'R')
     connection = connect()
diff --git a/tlslite/handshakesettings.py b/tlslite/handshakesettings.py
@@ -24,7 +24,7 @@
 MAC_NAMES = ["sha", "sha256", "sha384", "aead"]
 ALL_MAC_NAMES = MAC_NAMES + ["md5"]
 KEY_EXCHANGE_NAMES = ["ecdhe_ecdsa", "rsa", "dhe_rsa", "ecdhe_rsa", "srp_sha",
-                      "srp_sha_rsa", "ecdh_anon", "dh_anon"]
+                      "srp_sha_rsa", "ecdh_anon", "dh_anon", "dhe_dsa"]
 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]
 CERTIFICATE_TYPES = ["x509"]
 RSA_SIGNATURE_HASHES = ["sha512", "sha384", "sha256", "sha224", "sha1"]
@@ -144,15 +144,15 @@ class HandshakeSettings(object):
     :vartype minKeySize: int
     :ivar minKeySize: The minimum bit length for asymmetric keys.
 
-        If the other party tries to use SRP, RSA, or Diffie-Hellman
+        If the other party tries to use SRP, RSA, DSA, or Diffie-Hellman
         parameters smaller than this length, an alert will be
         signalled.  The default is 1023.
 
 
     :vartype maxKeySize: int
     :ivar maxKeySize: The maximum bit length for asymmetric keys.
 
-        If the other party tries to use SRP, RSA, or Diffie-Hellman
+        If the other party tries to use SRP, RSA, DSA, or Diffie-Hellman
         parameters larger than this length, an alert will be signalled.
         The default is 8193.
 
@@ -523,7 +523,7 @@ def _sanityCheckPrimitivesNames(other):
                              .format(unknownRSAPad))
 
         unknownSigHash = not_matching(other.dsaSigHashes,
-                                      ALL_RSA_SIGNATURE_HASHES)
+                                      DSA_SIGNATURE_HASHES)
         if unknownSigHash:
             raise ValueError("Unknown DSA signature hash: '{0}'"
                              .format(unknownSigHash))
diff --git a/tlslite/keyexchange.py b/tlslite/keyexchange.py
@@ -105,27 +105,22 @@ def _tls12_sign_dsa_SKE(self, serverKeyExchange, sigHash=None):
         try:
             serverKeyExchange.hashAlg, serverKeyExchange.signAlg = \
                 getattr(SignatureScheme, sigHash)
-            hashName = SignatureScheme.getHash(sigHash)
 
         except AttributeError:
             serverKeyExchange.signAlg = SignatureAlgorithm.dsa
             serverKeyExchange.hashAlg = getattr(HashAlgorithm, sigHash)
-            keyType = 'dsa'
-            hashName = sigHash
 
-        hash_bytes = serverKeyExchange.hash(self.clientHello.random,
-                                            self.serverHello.random)
+        hashBytes = serverKeyExchange.hash(self.clientHello.random,
+                                           self.serverHello.random)
 
         serverKeyExchange.signature = \
-            self.privateKey.sign(hashBytes,
-                                 hashAlg=hashName)
+            self.privateKey.sign(hashBytes)
 
         if not serverKeyExchange.signature:
             raise TLSInternalError("Empty signature")
 
         if not self.privateKey.verify(serverKeyExchange.signature,
-                                      hashBytes,
-                                      hashAlg=hashName):
+                                      hashBytes):
             raise TLSInternalError("Server Key Exchange signature invalid")
 
     def _tls12_signSKE(self, serverKeyExchange, sigHash=None):
@@ -218,9 +213,6 @@ def _tls12_verify_ecdsa_SKE(serverKeyExchange, publicKey, clientRandom,
     @staticmethod
     def _tls12_verify_dsa_SKE(serverKeyExchange, publicKey, clientRandom,
                               serverRandom, validSigAlgs):
-        hashName = HashAlgorithm.toRepr(serverKeyExchange.hashAlg)
-        if not hashName:
-            raise TLSIllegalParameterException("Unknown hash algorithm")
 
         hashBytes = serverKeyExchange.hash(clientRandom, serverRandom)
 
diff --git a/tlslite/tlsconnection.py b/tlslite/tlsconnection.py
@@ -1654,7 +1654,8 @@ def _clientKeyExchange(self, settings, cipherSuite,
         serverCertChain = None
         publicKey = None
         if cipherSuite in CipherSuite.certAllSuites or \
-                cipherSuite in CipherSuite.ecdheEcdsaSuites:
+                cipherSuite in CipherSuite.ecdheEcdsaSuites or \
+                cipherSuite in CipherSuite.dheDsaSuites:
             # get the certificate
             for result in self._clientGetKeyFromChain(serverCertificate,
                                                       settings,
@@ -1666,6 +1667,7 @@ def _clientKeyExchange(self, settings, cipherSuite,
 
             #Check the server's signature, if the server chose an authenticated
             # PFS-enabled ciphersuite
+
             if serverKeyExchange:
                 valid_sig_algs = \
                     self._sigHashesToList(settings,
@@ -1862,7 +1864,7 @@ def _check_certchain_with_settings(self, cert_chain, settings):
                             .format(curve_name)):
                         yield result
         else:
-            # for RSA keys
+            # for RSA and DSA keys
             if len(publicKey) < settings.minKeySize:
                 for result in self._sendError(
                         AlertDescription.handshake_failure,
@@ -2249,6 +2251,7 @@ def _handshakeServerAsyncHelper(self, verifierDB,
         # Perform a certificate-based key exchange
         elif (cipherSuite in CipherSuite.certSuites or
               cipherSuite in CipherSuite.dheCertSuites or
+              cipherSuite in CipherSuite.dheDsaSuites or
               cipherSuite in CipherSuite.ecdheCertSuites or
               cipherSuite in CipherSuite.ecdheEcdsaSuites):
             try:
@@ -2268,7 +2271,8 @@ def _handshakeServerAsyncHelper(self, verifierDB,
                                              clientHello,
                                              serverHello,
                                              privateKey)
-            elif cipherSuite in CipherSuite.dheCertSuites:
+            elif cipherSuite in CipherSuite.dheCertSuites or \
+                    cipherSuite in CipherSuite.dheDsaSuites:
                 dhGroups = self._groupNamesToList(settings)
                 keyExchange = DHE_RSAKeyExchange(cipherSuite,
                                                  clientHello,
@@ -3356,6 +3360,8 @@ def _serverGetClientHello(self, settings, private_key, cert_chain,
             if ffGroupIntersect:
                 cipherSuites += CipherSuite.getDheCertSuites(settings,
                                                              version)
+                cipherSuites += CipherSuite.getDheDsaSuites(settings,
+                                                            version)
             cipherSuites += CipherSuite.getCertSuites(settings, version)
         elif anon:
             cipherSuites += CipherSuite.getAnonSuites(settings, version)
@@ -4430,7 +4436,7 @@ def _sigHashesToList(settings, privateKey=None, certList=None,
                                 SignatureAlgorithm.ecdsa))
 
         if not certType or certType == "dsa":
-            for schemeName in settings.dsaSigHashes:
+            for hashName in settings.dsaSigHashes:
                 if version > (3, 3):
                     continue
 
diff --git a/tlslite/utils/dsakey.py b/tlslite/utils/dsakey.py
@@ -60,6 +60,9 @@ def hashAndSign(self, data, hAlg):
         """
         raise NotImplementedError()
 
+    def sign(self, data):
+        raise NotImplementedError()
+
     def hashAndVerify(self, signature, data, hAlg="sha1"):
         """Hash and verify the passed-in bytes with signature.
 
diff --git a/tlslite/utils/keyfactory.py b/tlslite/utils/keyfactory.py
@@ -131,7 +131,7 @@ def _parseKeyHelper(key, private, public):
         if cryptomath.m2cryptoLoaded:
             if type(key) == Python_RSAKey:
                 return _createPrivateKey(key)
-            assert type(key) in (OpenSSL_RSAKey, Python_ECDSAKey), type(key)
+            assert type(key) in (OpenSSL_RSAKey, Python_ECDSAKey, Python_DSAKey), type(key)
             return key
         elif hasattr(key, "d"):
             return _createPrivateKey(key)
diff --git a/tlslite/utils/python_dsakey.py b/tlslite/utils/python_dsakey.py
diff --git a/tlslite/utils/python_key.py b/tlslite/utils/python_key.py
diff --git a/tlslite/x509.py b/tlslite/x509.py
diff --git a/unit_tests/test_tlslite_keyexchange.py b/unit_tests/test_tlslite_keyexchange.py
