Skip to content

Add ML-DSA SPKI/PKCS#8 DER support to d2i_PUBKEY and d2i_PrivateKey #10310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
cconlon wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add ML-DSA SPKI/PKCS#8 DER support to d2i_PUBKEY and d2i_PrivateKey #10310

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions certs/mldsa/README.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
ML-DSA (FIPS 204) test key material for wolfSSL tests.

File variants, per level N in {44, 65, 87}:
mldsa<N>_bare-seed.der raw 32-byte seed
mldsa<N>_seed-only.der PKCS#8 with seed-only private key
mldsa<N>_bare-priv.der raw expanded private key
mldsa<N>_priv-only.der PKCS#8 with expanded-only private key
mldsa<N>_seed-priv.der PKCS#8 with seed-and-expanded private key
mldsa<N>_oqskeypair.der liboqs concatenated (priv || pub) format
mldsa<N>_pub-spki.der SubjectPublicKeyInfo wrapping the public key

The *_pub-spki.der files were derived from the matching *_priv-only.der files
using OpenSSL 3.5+:

openssl pkey -inform DER -in mldsa<N>_priv-only.der \
-pubout -outform DER -out mldsa<N>_pub-spki.der

Regenerating the private-key variants requires producing each of the
PKCS#8 shape options explicitly; OpenSSL's default output is the
seed-and-expanded form.
4 changes: 4 additions & 0 deletions certs/mldsa/include.am
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,20 +3,24 @@
#

EXTRA_DIST += \
certs/mldsa/README.txt \
certs/mldsa/mldsa44_seed-only.der \
certs/mldsa/mldsa44_priv-only.der \
certs/mldsa/mldsa44_pub-spki.der \
Comment thread
cconlon marked this conversation as resolved.
certs/mldsa/mldsa44_seed-priv.der \
certs/mldsa/mldsa44_oqskeypair.der \
certs/mldsa/mldsa44_bare-seed.der \
certs/mldsa/mldsa44_bare-priv.der \
certs/mldsa/mldsa65_seed-only.der \
certs/mldsa/mldsa65_priv-only.der \
certs/mldsa/mldsa65_pub-spki.der \
certs/mldsa/mldsa65_seed-priv.der \
certs/mldsa/mldsa65_oqskeypair.der \
certs/mldsa/mldsa65_bare-seed.der \
certs/mldsa/mldsa65_bare-priv.der \
certs/mldsa/mldsa87_seed-only.der \
certs/mldsa/mldsa87_priv-only.der \
certs/mldsa/mldsa87_pub-spki.der \
certs/mldsa/mldsa87_seed-priv.der \
certs/mldsa/mldsa87_oqskeypair.der \
certs/mldsa/mldsa87_bare-seed.der \
Expand Down
Binary file added certs/mldsa/mldsa44_pub-spki.der
View file
Open in desktop
Binary file not shown.
Binary file added certs/mldsa/mldsa65_pub-spki.der
View file
Open in desktop
Binary file not shown.
Binary file added certs/mldsa/mldsa87_pub-spki.der
View file
Open in desktop
Binary file not shown.
45 changes: 45 additions & 0 deletions gencertbuf.pl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2094,6 +2094,51 @@

";

# ML-DSA test key material encoded per the IETF LAMPS WG profile:
# SubjectPublicKeyInfo for public keys, PKCS#8 PrivateKeyInfo for
# private keys, using the NIST id-ml-dsa-N OIDs.
print OUT_FILE "#if defined(HAVE_DILITHIUM)\n\n";

for my $L ( [44,"WOLFSSL_NO_ML_DSA_44"],
[65,"WOLFSSL_NO_ML_DSA_65"],
[87,"WOLFSSL_NO_ML_DSA_87"] ) {
my ($n, $noLevel) = @$L;

print OUT_FILE "#if !defined($noLevel)\n\n";

print OUT_FILE "#ifndef WOLFSSL_DILITHIUM_NO_VERIFY\n";
print OUT_FILE "/* ./certs/mldsa/mldsa${n}_pub-spki.der */\n";
print OUT_FILE "static const unsigned char mldsa${n}_pub_spki[] =\n{\n";
file_to_hex("./certs/mldsa/mldsa${n}_pub-spki.der");
print OUT_FILE "};\n";
print OUT_FILE "#define sizeof_mldsa${n}_pub_spki (sizeof(mldsa${n}_pub_spki))\n";
print OUT_FILE "#endif /* !WOLFSSL_DILITHIUM_NO_VERIFY */\n\n";

print OUT_FILE "#ifndef WOLFSSL_DILITHIUM_NO_SIGN\n";
print OUT_FILE "/* ./certs/mldsa/mldsa${n}_priv-only.der */\n";
print OUT_FILE "static const unsigned char mldsa${n}_priv_only[] =\n{\n";
file_to_hex("./certs/mldsa/mldsa${n}_priv-only.der");
print OUT_FILE "};\n";
print OUT_FILE "#define sizeof_mldsa${n}_priv_only (sizeof(mldsa${n}_priv_only))\n";

print OUT_FILE "/* ./certs/mldsa/mldsa${n}_seed-priv.der */\n";
print OUT_FILE "static const unsigned char mldsa${n}_seed_priv[] =\n{\n";
file_to_hex("./certs/mldsa/mldsa${n}_seed-priv.der");
print OUT_FILE "};\n";
print OUT_FILE "#define sizeof_mldsa${n}_seed_priv (sizeof(mldsa${n}_seed_priv))\n";

print OUT_FILE "/* ./certs/mldsa/mldsa${n}_seed-only.der */\n";
print OUT_FILE "static const unsigned char mldsa${n}_seed_only[] =\n{\n";
file_to_hex("./certs/mldsa/mldsa${n}_seed-only.der");
print OUT_FILE "};\n";
print OUT_FILE "#define sizeof_mldsa${n}_seed_only (sizeof(mldsa${n}_seed_only))\n";
print OUT_FILE "#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */\n\n";

print OUT_FILE "#endif /* !$noLevel */\n\n";
}

print OUT_FILE "#endif /* HAVE_DILITHIUM */\n\n";

# convert and print 256-bit cert/keys
print OUT_FILE "#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256)\n\n";
for (my $i = 0; $i < $num_ecc; $i++) {
Expand Down
Loading
Loading