Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DSA no longer approved for signature generation by FIPS 186-5 #858

Open
msedzins opened this issue Sep 9, 2024 · 8 comments · May be fixed by #859
Open

DSA no longer approved for signature generation by FIPS 186-5 #858

msedzins opened this issue Sep 9, 2024 · 8 comments · May be fixed by #859

Comments

@msedzins
Copy link

msedzins commented Sep 9, 2024

FIPS 186-4 referenced in README.md has been superseded by FIPS 186-5 which no longer approves DSA for digital signature generation. DSA may be used only to verify already existing signatures.

Link:
https://csrc.nist.gov/pubs/fips/186-5/final

Should we add this information as part of README.md?

@msedzins msedzins closed this as completed Sep 9, 2024
@msedzins msedzins reopened this Sep 9, 2024
@tarcieri
Copy link
Member

Moving to verification only, possibly placing signing under a hazmat feature, seems like a reasonable approach to me

@msedzins
Copy link
Author

I tried to put signing under hazmat feature (in signing_key.rs) but tests stopped working (for example: signature.rs/signer_verifier_signature).

I don't think it's a good idea to put all those tests under hazmat feature.
It would be good if we could enable hazmat feature for dev/test profiles by default but it is not supported.

Any other possible approach?

@tarcieri
Copy link
Member

It's fine to gate the tests on the corresponding feature. They won't work unless the feature is enabled.

@msedzins msedzins linked a pull request Sep 15, 2024 that will close this issue
@msedzins
Copy link
Author

Please have a look at PR #859

There are two main issues there:

  1. Tests fail because of examples (they work only with signing enabled). But those examples (generate.rs/sign.rs) don't make sense without signing enabled.
  2. I think we are missing a test that that verify already existing signatures (current tests first generate signature and then verify them, which doesn't work without signing enabled).

@tarcieri
Copy link
Member

You can also feature gate the examples. Here's an example of a pattern we use to do this:

https://github.com/RustCrypto/SSH/blob/f741cf0/ssh-key/src/lib.rs#L44-L45

@msedzins
Copy link
Author

I think we are talking about different "examples".

In my case example is just a binary crate, binary crate must have "main" function. So, the error I get is this:

% cargo run --package dsa --example sign

error[E0601]: `main` function not found in crate `sign`
  --> dsa/examples/sign.rs:35:2
   |
35 | }
   |  ^ consider adding a `main` function to `dsa/examples/sign.rs`

Of course, I can add dummy "main", but I'm not sure if it makes sense.

@tarcieri
Copy link
Member

You can use required-features in Cargo.toml for that

@msedzins
Copy link
Author

msedzins commented Sep 17, 2024

done. please have a look at PR #859

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants