Allow generating ML-DSA roots and intermediates

Author: aarongable

ca/ca.go

@@ -7,7 +7,7 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha1"
+	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
@@ -21,6 +21,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/cloudflare/circl/sign/mldsa/mldsa65"
+
 	"github.com/letsencrypt/pebble/v2/acme"
 	"github.com/letsencrypt/pebble/v2/core"
 	"github.com/letsencrypt/pebble/v2/db"
@@ -78,25 +80,37 @@ func makeSerial() *big.Int {
 
 // Taken from https://github.com/cloudflare/cfssl/blob/b94e044bb51ec8f5a7232c71b1ed05dbe4da96ce/signer/signer.go#L221-L244
 func makeSubjectKeyID(key crypto.PublicKey) ([]byte, error) {
-	// Marshal the public key as ASN.1
-	pubAsDER, err := x509.MarshalPKIXPublicKey(key)
-	if err != nil {
-		return nil, err
-	}
+	var pubkeyBytes []byte
+	var err error
+	switch key := key.(type) {
+	case *rsa.PublicKey, *ecdsa.PublicKey:
+		// Marshal the public key as ASN.1
+		pubAsDER, err := x509.MarshalPKIXPublicKey(key)
+		if err != nil {
+			return nil, err
+		}
 
-	// Unmarshal it again so we can extract the key bitstring bytes
-	var pubInfo struct {
-		Algorithm        pkix.AlgorithmIdentifier
-		SubjectPublicKey asn1.BitString
-	}
-	_, err = asn1.Unmarshal(pubAsDER, &pubInfo)
-	if err != nil {
-		return nil, err
+		// Unmarshal it again so we can extract the key bitstring bytes
+		var pubInfo struct {
+			Algorithm        pkix.AlgorithmIdentifier
+			SubjectPublicKey asn1.BitString
+		}
+		_, err = asn1.Unmarshal(pubAsDER, &pubInfo)
+		if err != nil {
+			return nil, err
+		}
+
+		pubkeyBytes = pubInfo.SubjectPublicKey.Bytes
+	case *mldsa65.PublicKey:
+		pubkeyBytes, err = key.MarshalBinary()
+		if err != nil {
+			return nil, err
+		}
 	}
 
-	// Hash it according to https://tools.ietf.org/html/rfc5280#section-4.2.1.2 Method #1:
-	ski := sha1.Sum(pubInfo.SubjectPublicKey.Bytes)
-	return ski[:], nil
+	// Hash it according to https://datatracker.ietf.org/doc/html/rfc7093#section-2 Method #1:
+	skid := sha256.Sum256(pubkeyBytes)
+	return skid[0:20:20], nil
 }
 
 // makeKey and makeRootCert are adapted from MiniCA:
@@ -112,6 +126,8 @@ func makeKey(keyAlg string) (crypto.Signer, []byte, error) {
 		key, err = rsa.GenerateKey(rand.Reader, 2048)
 	case "ecdsa":
 		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	case "mldsa":
+		_, key, err = mldsa65.GenerateKey(rand.Reader)
 	}
 	if err != nil {
 		return nil, nil, err

ca/ca_test.go

@@ -27,7 +27,7 @@ var (
 func makeCa() *CAImpl {
 	logger := log.New(os.Stdout, "Pebble ", log.LstdFlags)
 	db := db.NewMemoryStore()
-	return New(logger, db, "", "ecdsa", 0, 1, map[string]Profile{"default": {}})
+	return New(logger, db, "", "mldsa", 0, 1, map[string]Profile{"default": {}})
 }
 
 func makeCertOrderWithExtensions(extensions []pkix.Extension) core.Order {

cmd/pebble/main.go

@@ -109,7 +109,7 @@ func main() {
 	if keyAlg == "" {
 		keyAlg = "rsa"
 	}
-	acceptableKeyAlgs := []string{"rsa", "ecdsa"}
+	acceptableKeyAlgs := []string{"rsa", "ecdsa", "mldsa"}
 	if !slices.Contains(acceptableKeyAlgs, keyAlg) {
 		cmd.FailOnError(fmt.Errorf("%q is not one of %#v", keyAlg, acceptableKeyAlgs), "invalid key algorithm")
 	}

go.mod

@@ -5,6 +5,7 @@ go 1.24
 toolchain go1.24.2
 
 require (
+	github.com/cloudflare/circl v1.6.1
 	github.com/go-jose/go-jose/v4 v4.1.2
 	github.com/letsencrypt/challtestsrv v1.3.2
 	github.com/miekg/dns v1.1.62

go.sum

@@ -1,3 +1,5 @@
+github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
+github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI=
 github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=