MLDSA65 support for AWS-LC (#14404)

* MLDSA65 support for AWS-LC

* Improve coverage

* Initial review

* First round of review

* Clean tests

* Revert spurious formatting

* Incorporate review

* Rename from mldsa65 to mldsa

* Improve serialization/deserialization

* Fix coverage

* Use ASN1 struct to parse the private key

* Use Enum instead of Struct

* Inline function

* Change match arm

* Remove duplicate comment

* Change unimplemented by assert

* More review fix

* Fix Wycheproof vectors handling

* Add NO-COVERAGE marker

* Remove vectors

* Review comments

* Remove markers

* Additional round of review

Author: DarkaMaul

src/cryptography/hazmat/backends/openssl/backend.py

@@ -272,6 +272,9 @@ def x448_supported(self) -> bool:
             and not rust_openssl.CRYPTOGRAPHY_IS_AWSLC
         )
 
+    def mldsa_supported(self) -> bool:
+        return rust_openssl.CRYPTOGRAPHY_IS_AWSLC
+
     def ed25519_supported(self) -> bool:
         return not self._fips_enabled
 

src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi

@@ -18,6 +18,7 @@ from cryptography.hazmat.bindings._rust.openssl import (
     hpke,
     kdf,
     keys,
+    mldsa,
     poly1305,
     rsa,
     x448,
@@ -38,6 +39,7 @@ __all__ = [
     "hpke",
     "kdf",
     "keys",
+    "mldsa",
     "openssl_version",
     "openssl_version_text",
     "poly1305",

src/cryptography/hazmat/bindings/_rust/openssl/mldsa.pyi

@@ -0,0 +1,13 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from cryptography.hazmat.primitives.asymmetric import mldsa
+from cryptography.utils import Buffer
+
+class MlDsa65PrivateKey: ...
+class MlDsa65PublicKey: ...
+
+def generate_key() -> mldsa.MlDsa65PrivateKey: ...
+def from_public_bytes(data: bytes) -> mldsa.MlDsa65PublicKey: ...
+def from_seed_bytes(data: Buffer) -> mldsa.MlDsa65PrivateKey: ...

src/cryptography/hazmat/primitives/asymmetric/mldsa.py

@@ -0,0 +1,155 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import abc
+
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+from cryptography.hazmat.primitives import _serialization
+from cryptography.utils import Buffer
+
+
+class MlDsa65PublicKey(metaclass=abc.ABCMeta):
+    @classmethod
+    def from_public_bytes(cls, data: bytes) -> MlDsa65PublicKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.mldsa_supported():
+            raise UnsupportedAlgorithm(
+                "ML-DSA-65 is not supported by this backend.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM,
+            )
+
+        return rust_openssl.mldsa.from_public_bytes(data)
+
+    @abc.abstractmethod
+    def public_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PublicFormat,
+    ) -> bytes:
+        """
+        The serialized bytes of the public key.
+        """
+
+    @abc.abstractmethod
+    def public_bytes_raw(self) -> bytes:
+        """
+        The raw bytes of the public key.
+        Equivalent to public_bytes(Raw, Raw).
+
+        The public key is 1,952 bytes for MLDSA-65.
+        """
+
+    @abc.abstractmethod
+    def verify(
+        self,
+        signature: Buffer,
+        data: Buffer,
+        context: Buffer | None = None,
+    ) -> None:
+        """
+        Verify the signature.
+        """
+
+    @abc.abstractmethod
+    def __eq__(self, other: object) -> bool:
+        """
+        Checks equality.
+        """
+
+    @abc.abstractmethod
+    def __copy__(self) -> MlDsa65PublicKey:
+        """
+        Returns a copy.
+        """
+
+    @abc.abstractmethod
+    def __deepcopy__(self, memo: dict) -> MlDsa65PublicKey:
+        """
+        Returns a deep copy.
+        """
+
+
+if hasattr(rust_openssl, "mldsa"):
+    MlDsa65PublicKey.register(rust_openssl.mldsa.MlDsa65PublicKey)
+
+
+class MlDsa65PrivateKey(metaclass=abc.ABCMeta):
+    @classmethod
+    def generate(cls) -> MlDsa65PrivateKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.mldsa_supported():
+            raise UnsupportedAlgorithm(
+                "ML-DSA-65 is not supported by this backend.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM,
+            )
+
+        return rust_openssl.mldsa.generate_key()
+
+    @classmethod
+    def from_seed_bytes(cls, data: Buffer) -> MlDsa65PrivateKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.mldsa_supported():
+            raise UnsupportedAlgorithm(
+                "ML-DSA-65 is not supported by this backend.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM,
+            )
+
+        return rust_openssl.mldsa.from_seed_bytes(data)
+
+    @abc.abstractmethod
+    def public_key(self) -> MlDsa65PublicKey:
+        """
+        The MlDsa65PublicKey derived from the private key.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PrivateFormat,
+        encryption_algorithm: _serialization.KeySerializationEncryption,
+    ) -> bytes:
+        """
+        The serialized bytes of the private key.
+
+        This method only returns the serialization of the seed form of the
+        private key, never the expanded one.
+        """
+
+    @abc.abstractmethod
+    def private_bytes_raw(self) -> bytes:
+        """
+        The raw bytes of the private key.
+        Equivalent to private_bytes(Raw, Raw, NoEncryption()).
+
+        This method only returns the seed form of the private key (32 bytes).
+        """
+
+    @abc.abstractmethod
+    def sign(self, data: Buffer, context: Buffer | None = None) -> bytes:
+        """
+        Signs the data.
+        """
+
+    @abc.abstractmethod
+    def __copy__(self) -> MlDsa65PrivateKey:
+        """
+        Returns a copy.
+        """
+
+    @abc.abstractmethod
+    def __deepcopy__(self, memo: dict) -> MlDsa65PrivateKey:
+        """
+        Returns a deep copy.
+        """
+
+
+if hasattr(rust_openssl, "mldsa"):
+    MlDsa65PrivateKey.register(rust_openssl.mldsa.MlDsa65PrivateKey)

src/cryptography/hazmat/primitives/asymmetric/types.py

@@ -13,6 +13,7 @@
     ec,
     ed448,
     ed25519,
+    mldsa,
     rsa,
     x448,
     x25519,
@@ -26,6 +27,7 @@
     ec.EllipticCurvePublicKey,
     ed25519.Ed25519PublicKey,
     ed448.Ed448PublicKey,
+    mldsa.MlDsa65PublicKey,
     x25519.X25519PublicKey,
     x448.X448PublicKey,
 ]
@@ -42,6 +44,7 @@
     dh.DHPrivateKey,
     ed25519.Ed25519PrivateKey,
     ed448.Ed448PrivateKey,
+    mldsa.MlDsa65PrivateKey,
     rsa.RSAPrivateKey,
     dsa.DSAPrivateKey,
     ec.EllipticCurvePrivateKey,

src/rust/cryptography-key-parsing/src/pkcs8.rs

@@ -22,6 +22,28 @@ pub struct PrivateKeyInfo<'a> {
     pub attributes: Option<Attributes<'a>>,
 }
 
+// RFC 9881 Section 6.5
+#[cfg(CRYPTOGRAPHY_IS_AWSLC)]
+#[derive(asn1::Asn1Read, asn1::Asn1Write)]
+pub enum MlDsaPrivateKey {
+    #[implicit(0)]
+    Seed([u8; 32]),
+}
+
+/// Extract the 32-byte ML-DSA-65 seed from a private key.
+///
+/// AWS-LC's `raw_private_key()` returns the expanded key, not the seed.
+/// This function round-trips through the native PKCS#8 encoding to extract it.
+/// https://github.com/aws/aws-lc/issues/3072
+#[cfg(CRYPTOGRAPHY_IS_AWSLC)]
+pub fn mldsa_seed_from_pkey(
+    pkey: &openssl::pkey::PKeyRef<openssl::pkey::Private>,
+) -> Result<MlDsaPrivateKey, openssl::error::ErrorStack> {
+    let pkcs8_der = pkey.private_key_to_pkcs8()?;
+    let pki = asn1::parse_single::<PrivateKeyInfo<'_>>(&pkcs8_der).unwrap();
+    Ok(asn1::parse_single::<MlDsaPrivateKey>(pki.private_key).unwrap())
+}
+
 pub fn parse_private_key(
     data: &[u8],
 ) -> KeyParsingResult<openssl::pkey::PKey<openssl::pkey::Private>> {
@@ -108,6 +130,12 @@ pub fn parse_private_key(
             )?)
         }
 
+        #[cfg(CRYPTOGRAPHY_IS_AWSLC)]
+        AlgorithmParameters::MlDsa65 => {
+            let MlDsaPrivateKey::Seed(seed) = asn1::parse_single::<MlDsaPrivateKey>(k.private_key)?;
+            Ok(cryptography_openssl::mldsa::new_raw_private_key(&seed)?)
+        }
+
         _ => Err(KeyParsingError::UnsupportedKeyType(
             k.algorithm.oid().clone(),
         )),
@@ -443,6 +471,11 @@ pub fn serialize_private_key(
 
             (params, private_key_der)
         }
+        #[cfg(CRYPTOGRAPHY_IS_AWSLC)]
+        cryptography_openssl::mldsa::PKEY_ID => {
+            let private_key_der = asn1::write_single(&mldsa_seed_from_pkey(pkey)?)?;
+            (AlgorithmParameters::MlDsa65, private_key_der)
+        }
         _ => {
             unimplemented!("Unknown key type");
         }

src/rust/cryptography-key-parsing/src/spki.rs

@@ -100,6 +100,12 @@ pub fn parse_public_key(
 
             Ok(openssl::pkey::PKey::from_dh(dh)?)
         }
+        #[cfg(CRYPTOGRAPHY_IS_AWSLC)]
+        AlgorithmParameters::MlDsa65 => Ok(cryptography_openssl::mldsa::new_raw_public_key(
+            k.subject_public_key.as_bytes(),
+        )
+        .map_err(|_| KeyParsingError::InvalidKey)?),
+
         _ => Err(KeyParsingError::UnsupportedKeyType(
             k.algorithm.oid().clone(),
         )),
@@ -214,6 +220,15 @@ pub fn serialize_public_key(
 
             (params, pub_key_der)
         }
+        #[cfg(CRYPTOGRAPHY_IS_AWSLC)]
+        cryptography_openssl::mldsa::PKEY_ID => {
+            let raw_bytes = pkey.raw_public_key()?;
+            assert_eq!(
+                raw_bytes.len(),
+                cryptography_openssl::mldsa::MLDSA65_PUBLIC_KEY_BYTES
+            );
+            (AlgorithmParameters::MlDsa65, raw_bytes)
+        }
         _ => {
             unimplemented!("Unknown key type");
         }

src/rust/cryptography-openssl/src/lib.rs

@@ -9,6 +9,8 @@ pub mod aead;
 pub mod cmac;
 pub mod fips;
 pub mod hmac;
+#[cfg(CRYPTOGRAPHY_IS_AWSLC)]
+pub mod mldsa;
 #[cfg(any(
     CRYPTOGRAPHY_IS_BORINGSSL,
     CRYPTOGRAPHY_IS_LIBRESSL,