From 1580a2c164316beba5482518187b38416a219f21 Mon Sep 17 00:00:00 2001 From: msedzins Date: Sun, 15 Sep 2024 11:33:12 +0200 Subject: [PATCH 1/4] Adding signing under hazmat. Draft version. --- dsa/Cargo.toml | 1 + dsa/examples/export.rs | 2 ++ dsa/examples/generate.rs | 2 ++ dsa/examples/sign.rs | 2 ++ dsa/src/generate.rs | 4 +++- dsa/src/generate/keypair.rs | 3 ++- dsa/src/generate/secret_number.rs | 2 +- dsa/src/lib.rs | 5 ++++- dsa/src/signing_key.rs | 2 ++ dsa/tests/deterministic.rs | 2 ++ dsa/tests/signature.rs | 1 + dsa/tests/signing_key.rs | 1 + dsa/tests/verifying_key.rs | 13 +++++++++++-- 13 files changed, 34 insertions(+), 6 deletions(-) diff --git a/dsa/Cargo.toml b/dsa/Cargo.toml index 00df2734..ce7bd484 100644 --- a/dsa/Cargo.toml +++ b/dsa/Cargo.toml @@ -33,3 +33,4 @@ sha1 = "=0.11.0-pre.4" [features] std = [] +hazmat = [] diff --git a/dsa/examples/export.rs b/dsa/examples/export.rs index a2d529d2..ebedc32f 100644 --- a/dsa/examples/export.rs +++ b/dsa/examples/export.rs @@ -1,3 +1,5 @@ +#![cfg(feature = "hazmat")] + use dsa::{Components, KeySize, SigningKey}; use pkcs8::{EncodePrivateKey, EncodePublicKey, LineEnding}; use std::{fs::File, io::Write}; diff --git a/dsa/examples/generate.rs b/dsa/examples/generate.rs index 7d22795e..443b4991 100644 --- a/dsa/examples/generate.rs +++ b/dsa/examples/generate.rs @@ -1,3 +1,5 @@ +#![cfg(feature = "hazmat")] + use dsa::{Components, KeySize, SigningKey}; fn main() { diff --git a/dsa/examples/sign.rs b/dsa/examples/sign.rs index 42349ee2..25be84fd 100644 --- a/dsa/examples/sign.rs +++ b/dsa/examples/sign.rs @@ -1,3 +1,5 @@ +#![cfg(feature = "hazmat")] + use digest::Digest; use dsa::{Components, KeySize, SigningKey}; use pkcs8::{EncodePrivateKey, EncodePublicKey, LineEnding}; diff --git a/dsa/src/generate.rs b/dsa/src/generate.rs index 1e9b12c3..1f56060e 100644 --- a/dsa/src/generate.rs +++ b/dsa/src/generate.rs @@ -8,9 +8,11 @@ mod keypair; mod secret_number; pub use self::components::{common as common_components, public as public_component}; -pub use self::keypair::keypair; pub use self::secret_number::{secret_number, secret_number_rfc6979}; +#[cfg(feature = "hazmat")] +pub use self::keypair::keypair; + /// Calculate the upper and lower bounds for generating values like p or q #[inline] fn calculate_bounds(size: u32) -> (BigUint, BigUint) { diff --git a/dsa/src/generate/keypair.rs b/dsa/src/generate/keypair.rs index 39cdc2b5..697fa013 100644 --- a/dsa/src/generate/keypair.rs +++ b/dsa/src/generate/keypair.rs @@ -1,8 +1,9 @@ +#![cfg(feature = "hazmat")] //! //! Generate a DSA keypair //! -use crate::{generate::components, Components, SigningKey, VerifyingKey}; +use crate::{generate::components, Components, signing_key::SigningKey, VerifyingKey}; use num_bigint::{BigUint, RandBigInt}; use num_traits::One; use signature::rand_core::CryptoRngCore; diff --git a/dsa/src/generate/secret_number.rs b/dsa/src/generate/secret_number.rs index 3c974ed4..c01a4c62 100644 --- a/dsa/src/generate/secret_number.rs +++ b/dsa/src/generate/secret_number.rs @@ -2,7 +2,7 @@ //! Generate a per-message secret number //! -use crate::{Components, SigningKey}; +use crate::{Components, signing_key::SigningKey}; use alloc::{vec, vec::Vec}; use core::cmp::min; use digest::{core_api::BlockSizeUser, Digest, FixedOutputReset}; diff --git a/dsa/src/lib.rs b/dsa/src/lib.rs index 89805fd3..00d41bdb 100644 --- a/dsa/src/lib.rs +++ b/dsa/src/lib.rs @@ -46,8 +46,11 @@ extern crate alloc; +#[cfg(feature = "hazmat")] +pub use crate::signing_key::SigningKey; + pub use crate::{ - components::Components, signing_key::SigningKey, size::KeySize, verifying_key::VerifyingKey, + components::Components, size::KeySize, verifying_key::VerifyingKey, }; pub use num_bigint::BigUint; diff --git a/dsa/src/signing_key.rs b/dsa/src/signing_key.rs index bcd7e029..1204806e 100644 --- a/dsa/src/signing_key.rs +++ b/dsa/src/signing_key.rs @@ -51,6 +51,7 @@ impl SigningKey { }) } + #[cfg(feature = "hazmat")] /// Generate a new DSA keypair #[inline] pub fn generate(rng: &mut impl CryptoRngCore, components: Components) -> SigningKey { @@ -70,6 +71,7 @@ impl SigningKey { &self.x } + #[cfg(feature = "hazmat")] /// Try to sign the given message digest deterministically with a prehashed digest. /// The parameter `D` must match the hash function used to sign the digest. /// diff --git a/dsa/tests/deterministic.rs b/dsa/tests/deterministic.rs index 483844a0..cc426daf 100644 --- a/dsa/tests/deterministic.rs +++ b/dsa/tests/deterministic.rs @@ -1,3 +1,5 @@ +#![cfg(feature = "hazmat")] + use digest::{core_api::BlockSizeUser, Digest, FixedOutputReset}; use dsa::{Components, Signature, SigningKey, VerifyingKey}; use num_bigint::BigUint; diff --git a/dsa/tests/signature.rs b/dsa/tests/signature.rs index 33922298..6bceb145 100644 --- a/dsa/tests/signature.rs +++ b/dsa/tests/signature.rs @@ -1,3 +1,4 @@ +#![cfg(feature = "hazmat")] #![allow(deprecated)] use digest::Digest; diff --git a/dsa/tests/signing_key.rs b/dsa/tests/signing_key.rs index 5b853987..aca82360 100644 --- a/dsa/tests/signing_key.rs +++ b/dsa/tests/signing_key.rs @@ -1,3 +1,4 @@ +#![cfg(feature = "hazmat")] // We abused the deprecated attribute for unsecure key sizes // But we want to use those small key sizes for fast tests #![allow(deprecated)] diff --git a/dsa/tests/verifying_key.rs b/dsa/tests/verifying_key.rs index ed8babe5..f11e4e7c 100644 --- a/dsa/tests/verifying_key.rs +++ b/dsa/tests/verifying_key.rs @@ -2,13 +2,20 @@ // But we want to use those small key sizes for fast tests #![allow(deprecated)] -use dsa::{Components, KeySize, SigningKey, VerifyingKey}; +use dsa::VerifyingKey; +use pkcs8::{DecodePublicKey, EncodePublicKey, LineEnding}; + + +#[cfg(feature = "hazmat")] +use dsa::{Components, KeySize, SigningKey}; +#[cfg(feature = "hazmat")] use num_bigint::BigUint; +#[cfg(feature = "hazmat")] use num_traits::One; -use pkcs8::{DecodePublicKey, EncodePublicKey, LineEnding}; const OPENSSL_PEM_PUBLIC_KEY: &str = include_str!("pems/public.pem"); +#[cfg(feature = "hazmat")] fn generate_verifying_key() -> VerifyingKey { let mut rng = rand::thread_rng(); let components = Components::generate(&mut rng, KeySize::DSA_1024_160); @@ -29,6 +36,7 @@ fn decode_encode_openssl_verifying_key() { assert_eq!(reencoded_verifying_key, OPENSSL_PEM_PUBLIC_KEY); } +#[cfg(feature = "hazmat")] #[test] fn encode_decode_verifying_key() { let verifying_key = generate_verifying_key(); @@ -38,6 +46,7 @@ fn encode_decode_verifying_key() { assert_eq!(verifying_key, decoded_verifying_key); } +#[cfg(feature = "hazmat")] #[test] fn validate_verifying_key() { let verifying_key = generate_verifying_key(); From 4dadd124ab864570d36651b58ed926665f75dde0 Mon Sep 17 00:00:00 2001 From: msedzins Date: Mon, 16 Sep 2024 23:19:01 +0200 Subject: [PATCH 2/4] added hazmat as required feature for examples binary crates --- dsa/Cargo.toml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/dsa/Cargo.toml b/dsa/Cargo.toml index ce7bd484..19da5fb7 100644 --- a/dsa/Cargo.toml +++ b/dsa/Cargo.toml @@ -34,3 +34,15 @@ sha1 = "=0.11.0-pre.4" [features] std = [] hazmat = [] + +[[example]] +name = "sign" +required-features = ["hazmat"] + +[[example]] +name = "generate" +required-features = ["hazmat"] + +[[example]] +name = "export" +required-features = ["hazmat"] From 21c672bf6eb8c4e254f8613a222ee4bd4fef0fe6 Mon Sep 17 00:00:00 2001 From: msedzins Date: Tue, 17 Sep 2024 22:15:49 +0200 Subject: [PATCH 3/4] Excluded examples in lib.rs when hazmat feature not enabled --- dsa/src/lib.rs | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dsa/src/lib.rs b/dsa/src/lib.rs index 00d41bdb..727613b7 100644 --- a/dsa/src/lib.rs +++ b/dsa/src/lib.rs @@ -12,7 +12,8 @@ //! //! Generate a DSA keypair //! -//! ``` +#![cfg_attr(feature = "hazmat", doc = "```")] +#![cfg_attr(not(feature = "hazmat"), doc = "```ignore")] //! # use dsa::{KeySize, Components, SigningKey}; //! let mut csprng = rand::thread_rng(); //! let components = Components::generate(&mut csprng, KeySize::DSA_2048_256); @@ -22,7 +23,8 @@ //! //! Create keypair from existing components //! -//! ``` +#![cfg_attr(feature = "hazmat", doc = "```")] +#![cfg_attr(not(feature = "hazmat"), doc = "```ignore")] //! # use dsa::{Components, SigningKey, VerifyingKey}; //! # use num_bigint::BigUint; //! # use num_traits::One; From 9cdee785dae0fd65d26b4c1ec387ea021bd03687 Mon Sep 17 00:00:00 2001 From: msedzins Date: Tue, 17 Sep 2024 22:24:26 +0200 Subject: [PATCH 4/4] Formating errors fixed --- dsa/src/generate/keypair.rs | 2 +- dsa/src/generate/secret_number.rs | 2 +- dsa/src/lib.rs | 4 +--- dsa/tests/verifying_key.rs | 1 - 4 files changed, 3 insertions(+), 6 deletions(-) diff --git a/dsa/src/generate/keypair.rs b/dsa/src/generate/keypair.rs index 697fa013..c1af8325 100644 --- a/dsa/src/generate/keypair.rs +++ b/dsa/src/generate/keypair.rs @@ -3,7 +3,7 @@ //! Generate a DSA keypair //! -use crate::{generate::components, Components, signing_key::SigningKey, VerifyingKey}; +use crate::{generate::components, signing_key::SigningKey, Components, VerifyingKey}; use num_bigint::{BigUint, RandBigInt}; use num_traits::One; use signature::rand_core::CryptoRngCore; diff --git a/dsa/src/generate/secret_number.rs b/dsa/src/generate/secret_number.rs index c01a4c62..1d315f7a 100644 --- a/dsa/src/generate/secret_number.rs +++ b/dsa/src/generate/secret_number.rs @@ -2,7 +2,7 @@ //! Generate a per-message secret number //! -use crate::{Components, signing_key::SigningKey}; +use crate::{signing_key::SigningKey, Components}; use alloc::{vec, vec::Vec}; use core::cmp::min; use digest::{core_api::BlockSizeUser, Digest, FixedOutputReset}; diff --git a/dsa/src/lib.rs b/dsa/src/lib.rs index 727613b7..024c2ae7 100644 --- a/dsa/src/lib.rs +++ b/dsa/src/lib.rs @@ -51,9 +51,7 @@ extern crate alloc; #[cfg(feature = "hazmat")] pub use crate::signing_key::SigningKey; -pub use crate::{ - components::Components, size::KeySize, verifying_key::VerifyingKey, -}; +pub use crate::{components::Components, size::KeySize, verifying_key::VerifyingKey}; pub use num_bigint::BigUint; pub use pkcs8; diff --git a/dsa/tests/verifying_key.rs b/dsa/tests/verifying_key.rs index f11e4e7c..145d87e5 100644 --- a/dsa/tests/verifying_key.rs +++ b/dsa/tests/verifying_key.rs @@ -5,7 +5,6 @@ use dsa::VerifyingKey; use pkcs8::{DecodePublicKey, EncodePublicKey, LineEnding}; - #[cfg(feature = "hazmat")] use dsa::{Components, KeySize, SigningKey}; #[cfg(feature = "hazmat")]