dsa: gate signing under hazmat feature (#859)

Resolves #858
RustCrypto · Jan 19, 2025 · 4064907 · 4064907
1 parent e658b96
commit 4064907
Show file tree

Hide file tree

Showing 13 changed files with 49 additions and 10 deletions.
diff --git a/dsa/Cargo.toml b/dsa/Cargo.toml
@@ -33,3 +33,16 @@ sha1 = "=0.11.0-pre.4"
 
 [features]
 std = []
+hazmat = []
+
+[[example]]
+name = "sign"
+required-features = ["hazmat"]
+
+[[example]]
+name = "generate"
+required-features = ["hazmat"]
+
+[[example]]
+name = "export"
+required-features = ["hazmat"]
diff --git a/dsa/examples/export.rs b/dsa/examples/export.rs
@@ -1,3 +1,5 @@
+#![cfg(feature = "hazmat")]
+
 use dsa::{Components, KeySize, SigningKey};
 use pkcs8::{EncodePrivateKey, EncodePublicKey, LineEnding};
 use std::{fs::File, io::Write};

diff --git a/dsa/examples/generate.rs b/dsa/examples/generate.rs
@@ -1,3 +1,5 @@
+#![cfg(feature = "hazmat")]
+
 use dsa::{Components, KeySize, SigningKey};
 
 fn main() {

diff --git a/dsa/examples/sign.rs b/dsa/examples/sign.rs
@@ -1,3 +1,5 @@
+#![cfg(feature = "hazmat")]
+
 use digest::Digest;
 use dsa::{Components, KeySize, SigningKey};
 use pkcs8::{EncodePrivateKey, EncodePublicKey, LineEnding};

diff --git a/dsa/src/generate.rs b/dsa/src/generate.rs
@@ -8,9 +8,11 @@ mod keypair;
 mod secret_number;
 
 pub use self::components::{common as common_components, public as public_component};
-pub use self::keypair::keypair;
 pub use self::secret_number::{secret_number, secret_number_rfc6979};
 
+#[cfg(feature = "hazmat")]
+pub use self::keypair::keypair;
+
 /// Calculate the upper and lower bounds for generating values like p or q
 #[inline]
 fn calculate_bounds(size: u32) -> (BigUint, BigUint) {

diff --git a/dsa/src/generate/keypair.rs b/dsa/src/generate/keypair.rs
@@ -1,8 +1,9 @@
+#![cfg(feature = "hazmat")]
 //!
 //! Generate a DSA keypair
 //!
 
-use crate::{generate::components, Components, SigningKey, VerifyingKey};
+use crate::{generate::components, signing_key::SigningKey, Components, VerifyingKey};
 use num_bigint::{BigUint, RandBigInt};
 use num_traits::One;
 use signature::rand_core::CryptoRngCore;

diff --git a/dsa/src/generate/secret_number.rs b/dsa/src/generate/secret_number.rs
@@ -2,7 +2,7 @@
 //! Generate a per-message secret number
 //!
 
-use crate::{Components, SigningKey};
+use crate::{signing_key::SigningKey, Components};
 use alloc::{vec, vec::Vec};
 use core::cmp::min;
 use digest::{core_api::BlockSizeUser, Digest, FixedOutputReset};

diff --git a/dsa/src/lib.rs b/dsa/src/lib.rs
@@ -12,7 +12,8 @@
 //!
 //! Generate a DSA keypair
 //!
-//! ```
+#![cfg_attr(feature = "hazmat", doc = "```")]
+#![cfg_attr(not(feature = "hazmat"), doc = "```ignore")]
 //! # use dsa::{KeySize, Components, SigningKey};
 //! let mut csprng = rand::thread_rng();
 //! let components = Components::generate(&mut csprng, KeySize::DSA_2048_256);
@@ -22,7 +23,8 @@
 //!
 //! Create keypair from existing components
 //!
-//! ```
+#![cfg_attr(feature = "hazmat", doc = "```")]
+#![cfg_attr(not(feature = "hazmat"), doc = "```ignore")]
 //! # use dsa::{Components, SigningKey, VerifyingKey};
 //! # use num_bigint::BigUint;
 //! # use num_traits::One;
@@ -46,9 +48,10 @@
 
 extern crate alloc;
 
-pub use crate::{
-    components::Components, signing_key::SigningKey, size::KeySize, verifying_key::VerifyingKey,
-};
+#[cfg(feature = "hazmat")]
+pub use crate::signing_key::SigningKey;
+
+pub use crate::{components::Components, size::KeySize, verifying_key::VerifyingKey};
 
 pub use num_bigint::BigUint;
 pub use pkcs8;

diff --git a/dsa/src/signing_key.rs b/dsa/src/signing_key.rs
@@ -51,6 +51,7 @@ impl SigningKey {
         })
     }
 
+    #[cfg(feature = "hazmat")]
     /// Generate a new DSA keypair
     #[inline]
     pub fn generate(rng: &mut impl CryptoRngCore, components: Components) -> SigningKey {
@@ -70,6 +71,7 @@ impl SigningKey {
         &self.x
     }
 
+    #[cfg(feature = "hazmat")]
     /// Try to sign the given message digest deterministically with a prehashed digest.
     /// The parameter `D` must match the hash function used to sign the digest.
     ///

diff --git a/dsa/tests/deterministic.rs b/dsa/tests/deterministic.rs
@@ -1,3 +1,5 @@
+#![cfg(feature = "hazmat")]
+
 use digest::{core_api::BlockSizeUser, Digest, FixedOutputReset};
 use dsa::{Components, Signature, SigningKey, VerifyingKey};
 use num_bigint::BigUint;

diff --git a/dsa/tests/signature.rs b/dsa/tests/signature.rs
@@ -1,3 +1,4 @@
+#![cfg(feature = "hazmat")]
 #![allow(deprecated)]
 
 use digest::Digest;

diff --git a/dsa/tests/signing_key.rs b/dsa/tests/signing_key.rs
@@ -1,3 +1,4 @@
+#![cfg(feature = "hazmat")]
 // We abused the deprecated attribute for unsecure key sizes
 // But we want to use those small key sizes for fast tests
 #![allow(deprecated)]

diff --git a/dsa/tests/verifying_key.rs b/dsa/tests/verifying_key.rs
@@ -2,13 +2,19 @@
 // But we want to use those small key sizes for fast tests
 #![allow(deprecated)]
 
-use dsa::{Components, KeySize, SigningKey, VerifyingKey};
+use dsa::VerifyingKey;
+use pkcs8::{DecodePublicKey, EncodePublicKey, LineEnding};
+
+#[cfg(feature = "hazmat")]
+use dsa::{Components, KeySize, SigningKey};
+#[cfg(feature = "hazmat")]
 use num_bigint::BigUint;
+#[cfg(feature = "hazmat")]
 use num_traits::One;
-use pkcs8::{DecodePublicKey, EncodePublicKey, LineEnding};
 
 const OPENSSL_PEM_PUBLIC_KEY: &str = include_str!("pems/public.pem");
 
+#[cfg(feature = "hazmat")]
 fn generate_verifying_key() -> VerifyingKey {
     let mut rng = rand::thread_rng();
     let components = Components::generate(&mut rng, KeySize::DSA_1024_160);
@@ -29,6 +35,7 @@ fn decode_encode_openssl_verifying_key() {
     assert_eq!(reencoded_verifying_key, OPENSSL_PEM_PUBLIC_KEY);
 }
 
+#[cfg(feature = "hazmat")]
 #[test]
 fn encode_decode_verifying_key() {
     let verifying_key = generate_verifying_key();
@@ -38,6 +45,7 @@ fn encode_decode_verifying_key() {
     assert_eq!(verifying_key, decoded_verifying_key);
 }
 
+#[cfg(feature = "hazmat")]
 #[test]
 fn validate_verifying_key() {
     let verifying_key = generate_verifying_key();