-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add dsa support #276
Conversation
b73f165
to
f8807a6
Compare
cdcfb48
to
c969839
Compare
(test_parse_dumps_7, 7, 18_133, 21_000), | ||
(test_parse_dumps_8, 8, 18_139, 21_000), | ||
(test_parse_dumps_9, 9, 17_992, 21_000), | ||
(test_parse_dumps_0, 0, 17_697, 20_998), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am surprised to see these numbers go down by so much.
If I understand the meaning of this diff correctly, then: by implementing DSA in this PR, around 500 public keys per ~20k block of SKS data can now not be used anymore. Presumably because the signature verification fails?
Did you look into what's going on with those keys?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so before we completely ignored dsa keys, so this number was expected to go down, I haven’t had time to dig into the failures in detail though
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, I agree with the expectations that the number would go down somewhat, but 2.5% of all SKS keys being seemingly broken now doesn't feel right. I wonder what percentage of all DSA keys in the test data is broken.
Maybe this quantitative regression indicates that some historical implementations of PGP encoded DSA key material in a way that is not currently handled correctly?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that is very much possible, we should investigate this, but I didn't want to block getting the basic support in by this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
makes sense. opening a ticket to investigate this some other time might be nice as a reminder.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The interop test suite didn't yield any interesting results for this PR, so I decided to test data signatures manually, using a few SOP implementations. This comment documents my testing procedure. I'm attaching the test artifacts. Generate test keyAs setup, we generate a dsa3072 key with rpgp:
Generate data signature with rsop (rpgp), verify with different implementationsWe then produce a data signature with rsop (rpgp):
... and verify it with other SOP implementations:
Generate data signature with sqop (sequoia), verify with different implementationsFor comparison, we create a signature with sqop (sequoia), using the same private key (generated by rpgp):
Verifying this signature works with all SOP implementations used above, including rsop and gosop.
sig.seq.txt EDIT: a previous version of this comment showed a failure with gosop that I mistook for a signature verification problem. |
I've concluded my review. Besides being surprised by the numbers in the |
This handles no secret data and I'm reasonably confident in the implementation, but I'm not sure what the standard is for accepting new cryptographic implementations. This is actually already covered by the test suite, the DSA signatures were just being ignored previously.
Old version would fail for signatures where the digest's most significant bit happened to be zero. By chance, this was not the case for all three DSA signatures in the test suite.
This also adds more tests, using the test vectors from RFC6979. This adds a dependency on the hmac-drbg crate. The ecdsa crate also needs this functionality, and in a comment they mention wanting to switch to this crate after a pull request (which has already been merged) is merged. The current implementation in the ecdsa crate is not usable, since it assumes the hash output size will always be larger than the desired output size, and this is not the case for small hash functions with big DSA keys. The hmac-drbg crate does implement this correctly. Besides that the implementations seem interchangeable.
This adds just two tests from the test vectors because generating these parameters is a slow operation. Also a couple of really small tweaks to dsa.rs. Sorry.
Replace byte vectors and `Mpi` values with `BigUint`.
Replace with a copy/paste from the ecdsa crate until that code can be split out into a separate crate.
needed because of dependencies
Co-authored-by: Heiko Schaefer <59601023+hko-s@users.noreply.github.com>
Co-authored-by: Heiko Schaefer <59601023+hko-s@users.noreply.github.com>
Co-authored-by: Heiko Schaefer <59601023+hko-s@users.noreply.github.com>
9d266a1
to
f6ca4c4
Compare
Based on #124
Depends on RustCrypto/signatures#798
TODOs