Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id#9965
Open
kojo1 wants to merge 2 commits intowolfSSL:masterfrom
Open
Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id#9965kojo1 wants to merge 2 commits intowolfSSL:masterfrom
kojo1 wants to merge 2 commits intowolfSSL:masterfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds ML-DSA (Dilithium) handling to the X.509 public key extraction path and verifies it via new API tests using generated ML-DSA certificates.
Changes:
- Recognize ML-DSA public key OIDs in
wolfSSL_X509_get_pubkey()and map them toWC_EVP_PKEY_DILITHIUM. - Extend
wolfSSL_EVP_PKEY_type()to return the Dilithium key type when enabled. - Add a new X.509 test plus certificate/key artifacts and renew script support for generating ML-DSA certs.
Reviewed changes
Copilot reviewed 14 out of 17 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| wolfcrypt/src/evp_pk.c | Adjustes error handling/return codes for alternate DH key decoding. |
| wolfcrypt/src/evp.c | Adds Dilithium case to wolfSSL_EVP_PKEY_type(). |
| src/x509.c | Detects ML-DSA public key OIDs and sets EVP_PKEY type accordingly. |
| tests/api/test_mldsa.h | Declares the new ML-DSA X.509 pubkey/sigtype test. |
| tests/api/test_mldsa.c | Implements the new X.509 pubkey + signature type test over ML-DSA certs. |
| tests/api.c | Registers the new test in the test runner. |
| certs/renewcerts.sh | Adds generation of ML-DSA PEM/DER certs using an OpenSSL with ML-DSA support. |
| certs/mldsa/include.am | Distributes the newly added ML-DSA PEM/DER artifacts. |
| certs/mldsa/mldsa87-key.pem | Adds ML-DSA-87 private key test artifact. |
| certs/mldsa/mldsa87-cert.pem | Adds ML-DSA-87 certificate test artifact. |
| certs/mldsa/mldsa65-key.pem | Adds ML-DSA-65 private key test artifact. |
| certs/mldsa/mldsa65-cert.pem | Adds ML-DSA-65 certificate test artifact. |
| certs/mldsa/mldsa44-key.pem | Adds ML-DSA-44 private key test artifact. |
| certs/mldsa/mldsa44-cert.pem | Adds ML-DSA-44 certificate test artifact. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| dhObj = wolfSSL_DH_new(); | ||
| if (dhObj == NULL) { | ||
| return 0; | ||
| return WOLFSSL_FATAL_ERROR; |
| if (wc_DhKeyDecode(mem, &keyIdx, key, (word32)memSz) != 0) { | ||
| ret = 0; | ||
| wolfSSL_DH_free(dhObj); | ||
| return WOLFSSL_FATAL_ERROR; |
Comment on lines
9970
to
+9976
| return WC_EVP_PKEY_EC; | ||
| case WC_EVP_PKEY_DH: | ||
| return WC_EVP_PKEY_DH; | ||
| #ifdef HAVE_DILITHIUM | ||
| case WC_EVP_PKEY_DILITHIUM: | ||
| return WC_EVP_PKEY_DILITHIUM; | ||
| #endif |
Comment on lines
+1042
to
+1053
| OPENSSL3="" | ||
| for candidate in \ | ||
| "/usr/local/opt/openssl@3.2/bin/openssl" \ | ||
| "/usr/local/opt/openssl@3/bin/openssl" \ | ||
| "/opt/homebrew/opt/openssl@3.2/bin/openssl" \ | ||
| "/opt/homebrew/opt/openssl@3/bin/openssl" \ | ||
| "openssl"; do | ||
| if "$candidate" genpkey -algorithm mldsa44 -out /dev/null 2>/dev/null; then | ||
| OPENSSL3="$candidate" | ||
| break | ||
| fi | ||
| done |
Comment on lines
+17201
to
+17202
| sig_oid = wolfSSL_X509_get_signature_type(x509); | ||
| ExpectIntEQ((word32)sig_oid, cases[i].expected_sig_oid); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id
Fixes zd#21306
Testing
Added test_mldsa_x509_pubkey_sigtype, ML-DSA certs for the test
modify certs/renewcerts.sh to update the certs.
Checklist