Add support for SLHDSA#752
Open
hsmguy wants to merge 1 commit into
Open
Conversation
Author
|
Hi @simo5 code is mostly done 99.9999 % :-) and its YOUR code from mldsa too, slightly modded. could use some help on the PR to take it further thank you |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
PR to add SLHDSA to the provider
new files:
keymgmt/slhdsa.c
sig/slhdsa.c
Code was mostly ported from the MLDSA implementation :-) so it looks familiar to you :-)
--took out MU as not present in SLHDSA
--left encoding, deterministic, and context
note: prehash still not implemented just like the mldsa code
Already did some testing:
--code compiles good
--provider initializes ok
(some testing done against an Entrust n5c rack mount hsm already):
--openssl genpkey slhdsa works (keymgmt/slhdsa.c new!)
--openssl export slhdsa key works, displays key ok
--(sign update) not working on entrust ncipher provider yet (only single part signing C_Sign not C_SignUpdate but the debug log got to that :-)
issue with req x509 cert routines:
--still need to find why openssl req failing, i think theres a bug in the ported code somewhere ooops! in objects.c the pubkey is 0 hmmmm think i screwed something up here. this is my only bug im tracking right now....
(trace output as follows)
(any helpers to find this bug? feel free to help!!!)
[root@rhel93sw139opssl352 nfast]# openssl req -key "pkcs11:token=accelerator;pin-value=1234;object=slhdsa22" -new -out req.csr
[2026-07-18 13:54:01.758] [../src/interface.gen.c:187] p11prov_GetSlotInfo(): Calling C_GetSlotInfo
[2026-07-18 13:54:01.759] [../src/interface.gen.c:187] p11prov_GetSlotInfo(): Calling C_GetSlotInfo
[2026-07-18 13:54:01.765] [../src/store.c:625] p11prov_store_close(): store close (0x5557e6489ef0)
[2026-07-18 13:54:01.765] [../src/store.c:35] p11prov_store_ctx_free(): store ctx free (0x5557e6489ef0)
[2026-07-18 13:54:01.765] [../src/obj/object.c:283] p11prov_obj_free(): Free Object: 0x5557e64dea80 (handle:1120)
[2026-07-18 13:54:01.765] [../src/obj/object.c:290] p11prov_obj_free(): object free: reference held
You are about to be asked to enter information that will be incorporated
[2026-07-18 13:54:06.370] [../src/encoder.c:328] p11prov_common_encoder_spki_der_encode(): DER Encoding SLH-DSA-SHA2-256s SubjectPublicKeyInfo
[2026-07-18 13:54:06.370] [../src/encoder.c:357] p11prov_common_encoder_spki_der_encode(): no pubkey
Error making certificate request
40375EAF607F0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:435:
40375EAF607F0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:crypto/objects/obj_dat.c:435:
40375EAF607F0000:error:0580006F:x509 certificate routines:X509_PUBKEY_set:unsupported algorithm:crypto/x509/x_pubkey.c:367:
[2026-07-18 13:54:06.370] [../src/kmgmt/common.c:374] p11prov_kmgmt_free(): Free key 0x5557e64dea80 (type 75)
[2026-07-18 13:54:06.370] [../src/obj/object.c:283] p11prov_obj_free(): Free Object: 0x5557e64dea80 (handle:1120)
[2026-07-18 13:54:06.370] [../src/obj/pool.c:186] obj_rm_from_pool(): Object to be removed from pool (idx=0, obj=0x5557e64dea80)
[2026-07-18 13:54:06.370] [../src/obj/object.c:283] p11prov_obj_free(): Free Object: (nil) (handle:0)
code is 99.9999 % done !
(1) 1 bug to find above in openssl req objects, the pubkey is running away hmmm not sure why yet need to spend some time on this.... prolly made a mistake somewhere when porting over the code hmmm
(2) should SLHDSA be made single part signing? or leave as multipart (pkcs11 3.2) signing?
Checklist
Reviewer's checklist: