feat: add dsa support

[dignifiedquire]

Based on #124

Depends on RustCrypto/signatures#798

TODOs

• Implement verification
• Update to released version of feat(dsa): implement `SigningKey::sign_prehashed_rfc6979 RustCrypto/signatures#798
• Implement key creation
• Update key tests

[hko-s]

I am surprised to see these numbers go down by so much.

If I understand the meaning of this diff correctly, then: by implementing DSA in this PR, around 500 public keys per ~20k block of SKS data can now not be used anymore. Presumably because the signature verification fails?

Did you look into what's going on with those keys?

[dignifiedquire]

so before we completely ignored dsa keys, so this number was expected to go down, I haven’t had time to dig into the failures in detail though

[hko-s]

Right, I agree with the expectations that the number would go down somewhat, but 2.5% of all SKS keys being seemingly broken now doesn't feel right. I wonder what percentage of all DSA keys in the test data is broken.

Maybe this quantitative regression indicates that some historical implementations of PGP encoded DSA key material in a way that is not currently handled correctly?

[dignifiedquire]

that is very much possible, we should investigate this, but I didn't want to block getting the basic support in by this

[hko-s]

makes sense. opening a ticket to investigate this some other time might be nice as a reminder.

[dignifiedquire]

#284

[hko-s]

The interop test suite didn't yield any interesting results for this PR, so I decided to test data signatures manually, using a few SOP implementations.

This comment documents my testing procedure. I'm attaching the test artifacts.

Generate test key

As setup, we generate a dsa3072 key with rpgp:

$ rsop generate-key --profile dsa alice@example.org > key.dsa

Generate data signature with rsop (rpgp), verify with different implementations

We then produce a data signature with rsop (rpgp):

$ echo -n "hello world" | rsop sign key.dsa > sig.rpgp

... and verify it with other SOP implementations:

$ echo -n "hello world" | rsop verify sig.rpgp key.dsa
2024-02-06T22:39:11Z 13375374f22eb5a0563137673cb7f9b7a8bb79a2 13375374f22eb5a0563137673cb7f9b7a8bb79a2 mode:binary

$ echo -n "hello world" | sqop verify sig.rpgp key.dsa
2024-02-06T22:39:11Z 13375374F22EB5A0563137673CB7F9B7A8BB79A2 13375374F22EB5A0563137673CB7F9B7A8BB79A2 mode:binary

$ echo -n "hello world" | pgpainless-cli verify sig.rpgp key.dsa
2024-02-06T22:39:11Z 13375374F22EB5A0563137673CB7F9B7A8BB79A2 13375374F22EB5A0563137673CB7F9B7A8BB79A2 mode:binary

$ echo -n "hello world" | ~/go/bin/gosop verify sig.rpgp key.dsa
2024-02-06T22:39:11Z 13375374F22EB5A0563137673CB7F9B7A8BB79A2 13375374F22EB5A0563137673CB7F9B7A8BB79A2

Generate data signature with sqop (sequoia), verify with different implementations

For comparison, we create a signature with sqop (sequoia), using the same private key (generated by rpgp):

$ echo -n "hello world" | sqop sign key.dsa > sig.seq

Verifying this signature works with all SOP implementations used above, including rsop and gosop.

$ echo -n "hello world" | rsop verify sig.seq key.dsa
2024-02-06T22:40:32Z 13375374f22eb5a0563137673cb7f9b7a8bb79a2 13375374f22eb5a0563137673cb7f9b7a8bb79a2 mode:binary

$ echo -n "hello world" | ~/go/bin/gosop verify sig.seq key.dsa
2024-02-06T22:40:32Z 13375374F22EB5A0563137673CB7F9B7A8BB79A2 13375374F22EB5A0563137673CB7F9B7A8BB79A2

sig.seq.txt
key.dsa.txt
sig.rpgp.txt

EDIT: a previous version of this comment showed a failure with gosop that I mistook for a signature verification problem.
However, that failure was a bug in the gosop CLI tool itself: gosop crashes for filenames that are too short (my testing signature file was initially called just sig, which caused a gosop crash; also see ProtonMail/gosop#22)

[hko-s]

I've concluded my review. Besides being surprised by the numbers in the test_parse_dumps tests, nothing stood out to me.