RustCrypto
DSA no longer approved for signature generation by FIPS 186-5
FIPS 186-4 referenced in README.md has been superseded by FIPS 186-5 which no longer approves DSA for digital signature generation. DSA may be used only to verify already existing signatures.
Link: https://csrc.nist.gov/pubs/fips/186-5/final
Should we add this information as part of README.md?
Moving to verification only, possibly placing signing under a hazmat feature, seems like a reasonable approach to me
I tried to put signing under hazmat feature (in signing_key.rs) but tests stopped working (for example: signature.rs/signer_verifier_signature).
I don't think it's a good idea to put all those tests under hazmat feature.
It would be good if we could enable hazmat feature for dev/test profiles by default but it is not supported.
Any other possible approach?
It's fine to gate the tests on the corresponding feature. They won't work unless the feature is enabled.
Please have a look at PR #859
There are two main issues there:
- Tests fail because of examples (they work only with signing enabled). But those examples (generate.rs/sign.rs) don't make sense without signing enabled.
- I think we are missing a test that that verify already existing signatures (current tests first generate signature and then verify them, which doesn't work without signing enabled).
You can also feature gate the examples. Here's an example of a pattern we use to do this:
https://github.com/RustCrypto/SSH/blob/f741cf0/ssh-key/src/lib.rs#L44-L45
I think we are talking about different "examples".
In my case example is just a binary crate, binary crate must have "main" function. So, the error I get is this:
% cargo run --package dsa --example sign
error[E0601]: `main` function not found in crate `sign`
--> dsa/examples/sign.rs:35:2
|
35 | }
| ^ consider adding a `main` function to `dsa/examples/sign.rs`
Of course, I can add dummy "main", but I'm not sure if it makes sense.