ML_DSA Add support for generation of X509 certificates using the openssl

commandline.

In order to support this gettables are required in both the key and
signature.:

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26575)

diff --git a/.gitignore b/.gitignore
index 745edad6df102949969b1054402fda8a4d65dc9c..23dfd7c8ee6ba96e98125f82e4f9a7a4ef540ee2 100644 (file)
--- a/.gitignore
+++ b/.gitignore
@@ -74,6 +74,7 @@ providers/common/der/der_ecx_gen.c
 providers/common/der/der_rsa_gen.c
 providers/common/der/der_wrap_gen.c
 providers/common/der/der_sm2_gen.c
+providers/common/der/der_ml_dsa_gen.c
 providers/common/include/prov/der_dsa.h
 providers/common/include/prov/der_ec.h
 providers/common/include/prov/der_ecx.h
@@ -81,6 +82,7 @@ providers/common/include/prov/der_rsa.h
 providers/common/include/prov/der_digests.h
 providers/common/include/prov/der_wrap.h
 providers/common/include/prov/der_sm2.h
+providers/common/include/prov/der_ml_dsa.h
 
 # error code files
 /crypto/err/openssl.txt.old

diff --git a/doc/designs/ml-dsa.md b/doc/designs/ml-dsa.md
index acadcf8d298b83c542c31a5f24d964012bc154ae..4fd13fedcbdfbce6ed859e93908819bdb1ec09f8 100644 (file)
--- a/doc/designs/ml-dsa.md
+++ b/doc/designs/ml-dsa.md
@@ -94,6 +94,17 @@ the API's used should be
 EVP_PKEY_sign_message_init(), EVP_PKEY_sign(),
 EVP_PKEY_verify_message_init(), EVP_PKEY_verify().
 
+OpenSSL command line support
+----------------------------
+
+For backwards compatability reasons EVP_DigestSignInit_ex(), EVP_DigestSign(),
+EVP_DigestVerifyInit_ex() and EVP_DigestVerify() may also be used, but the digest
+passed in `mdname` must be NULL (i.e. It effectively behaves the same as above).
+Passing a non NULL digest results in an error.
+
+OSSL_PKEY_PARAM_MANDATORY_DIGEST must return "" in the key manager getter and
+OSSL_SIGNATURE_PARAM_ALGORITHM_ID in the signature context getter.
+
 Encoding/Decoding
 -----------------
 

diff --git a/doc/man7/EVP_SIGNATURE-ML-DSA.pod b/doc/man7/EVP_SIGNATURE-ML-DSA.pod
index 4fed0d9e19e7427ae9f57beb5260f6ed0c1367f0..e94cbf8ca409a984bc9c938f88d2bcb56a82d58d 100644 (file)
--- a/doc/man7/EVP_SIGNATURE-ML-DSA.pod
+++ b/doc/man7/EVP_SIGNATURE-ML-DSA.pod
@@ -70,6 +70,11 @@ to be set to 32 bytes of zeros. This value is ignored if "test-entropy" is set.
 
 See L<EVP_PKEY-ML-DSA(7)> for information related to B<ML-DSA> keys.
 
+=head1 NOTES
+
+For backwards compatability reasons EVP_DigestSignInit_ex(), EVP_DigestSign(),
+EVP_DigestVerifyInit_ex() and EVP_DigestVerify() may also be used, but the digest
+passed in |mdname| must be NULL.
 
 =head1 EXAMPLES
 

diff --git a/providers/common/der/ML_DSA.asn1 b/providers/common/der/ML_DSA.asn1
new file mode 100644 (file)
index 0000000..46d6f80
--- /dev/null
+++ b/providers/common/der/ML_DSA.asn1
@@ -0,0 +1,15 @@
+-- Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License 2.0 (the "License").  You may not use
+-- this file except in compliance with the License.  You can obtain a copy
+-- in the file LICENSE in the source distribution or at
+-- https://www.openssl.org/source/license.html
+
+-- -------------------------------------------------------------------
+-- Taken from https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration
+
+sigAlgs OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 4 3 }
+
+id-ml-dsa-44 OBJECT IDENTIFIER ::= { sigAlgs 17 }
+id-ml-dsa-65 OBJECT IDENTIFIER ::= { sigAlgs 18 }
+id-ml-dsa-87 OBJECT IDENTIFIER ::= { sigAlgs 19 }

diff --git a/providers/common/der/build.info b/providers/common/der/build.info
index 764bff539ed41e75e7f2d5a5e3663cbeb3abc3c2..3e8904d54a6fc07e29b969d2ab24a2015cd46799 100644 (file)
--- a/providers/common/der/build.info
+++ b/providers/common/der/build.info
@@ -71,6 +71,21 @@ IF[{- !$disabled{ecx} -}]
   DEPEND[$DER_ECX_H]=oids_to_c.pm ECX.asn1
 ENDIF
 
+#----- ML-DSA
+IF[{- !$disabled{'ml-dsa'} -}]
+  $DER_ML_DSA_H=$INCDIR/der_ml_dsa.h
+  $DER_ML_DSA_GEN=der_ml_dsa_gen.c
+  $DER_ML_DSA_AUX=der_ml_dsa_key.c
+
+  GENERATE[$DER_ML_DSA_GEN]=der_ml_dsa_gen.c.in
+  DEPEND[$DER_ML_DSA_GEN]=oids_to_c.pm ML_DSA.asn1
+
+  DEPEND[${DER_ML_DSA_GEN/.c/.o}]=$DER_ML_DSA_H
+  DEPEND[${DER_ML_DSA_AUX/.c/.o}]=$DER_ML_DSA_H
+  GENERATE[$DER_ML_DSA_H]=$INCDIR/der_ml_dsa.h.in
+  DEPEND[$DER_ML_DSA_H]=oids_to_c.pm ML_DSA.asn1
+ENDIF
+
 #----- KEY WRAP
 $DER_WRAP_H=$INCDIR/der_wrap.h
 $DER_WRAP_GEN=der_wrap_gen.c
@@ -112,6 +127,10 @@ IF[{- !$disabled{ec} -}]
   ENDIF
 ENDIF
 
+IF[{- !$disabled{'ml-dsa'} -}]
+  $COMMON = $COMMON $DER_ML_DSA_GEN $DER_ML_DSA_AUX
+ENDIF
+
 IF[{- !$disabled{sm2} -}]
   $NONFIPS = $NONFIPS $DER_SM2_GEN $DER_SM2_AUX
 ENDIF

diff --git a/providers/common/der/der_ml_dsa_gen.c.in b/providers/common/der/der_ml_dsa_gen.c.in
new file mode 100644 (file)
index 0000000..0097fc7
--- /dev/null
+++ b/providers/common/der/der_ml_dsa_gen.c.in
@@ -0,0 +1,19 @@
+/*
+ * {- join("\n * ", @autowarntext) -}
+ *
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "prov/der_ml_dsa.h"
+
+/* Well known OIDs precompiled */
+{-
+    $OUT = oids_to_c::process_leaves('providers/common/der/ML_DSA.asn1',
+                                     { dir => $config{sourcedir},
+                                       filter => \&oids_to_c::filter_to_C });
+-}

diff --git a/providers/common/der/der_ml_dsa_key.c b/providers/common/der/der_ml_dsa_key.c
new file mode 100644 (file)
index 0000000..f9481fc
--- /dev/null
+++ b/providers/common/der/der_ml_dsa_key.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
+#include "internal/packet.h"
+#include "prov/der_ml_dsa.h"
+
+int ossl_DER_w_algorithmIdentifier_ML_DSA(WPACKET *pkt, int tag, ML_DSA_KEY *key)
+{
+    const uint8_t *alg;
+    size_t len;
+    const char *name = ossl_ml_dsa_key_get_name(key);
+
+    if (OPENSSL_strcasecmp(name, "ML-DSA-44") == 0) {
+        alg = ossl_der_oid_id_ml_dsa_44;
+        len = sizeof(ossl_der_oid_id_ml_dsa_44);
+    } else if (OPENSSL_strcasecmp(name, "ML-DSA-65") == 0) {
+        alg = ossl_der_oid_id_ml_dsa_65;
+        len = sizeof(ossl_der_oid_id_ml_dsa_65);
+    } else if (OPENSSL_strcasecmp(name, "ML-DSA-87") == 0) {
+        alg = ossl_der_oid_id_ml_dsa_87;
+        len = sizeof(ossl_der_oid_id_ml_dsa_87);
+    } else {
+        return 0;
+    }
+    return ossl_DER_w_begin_sequence(pkt, tag)
+        /* No parameters */
+        && ossl_DER_w_precompiled(pkt, -1, alg, len)
+        && ossl_DER_w_end_sequence(pkt, tag);
+}

diff --git a/providers/common/include/prov/der_ml_dsa.h.in b/providers/common/include/prov/der_ml_dsa.h.in
new file mode 100644 (file)
index 0000000..07f0f3f
--- /dev/null
+++ b/providers/common/include/prov/der_ml_dsa.h.in
@@ -0,0 +1,22 @@
+/*
+ * {- join("\n * ", @autowarntext) -}
+ *
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "internal/der.h"
+#include "crypto/ml_dsa.h"
+
+/* Well known OIDs precompiled */
+{-
+    $OUT = oids_to_c::process_leaves('providers/common/der/ML_DSA.asn1',
+                                     { dir => $config{sourcedir},
+                                       filter => \&oids_to_c::filter_to_H });
+-}
+
+int ossl_DER_w_algorithmIdentifier_ML_DSA(WPACKET *pkt, int tag, ML_DSA_KEY *key);

diff --git a/providers/implementations/keymgmt/build.info b/providers/implementations/keymgmt/build.info
index 852d9dc7d2ee0dbc91f141b719f09cf2c30c4bc7..9fe922a3451b5383cbd4dc3f68032ab8402a7393 100644 (file)
--- a/providers/implementations/keymgmt/build.info
+++ b/providers/implementations/keymgmt/build.info
@@ -46,6 +46,6 @@ SOURCE[$MAC_GOAL]=mac_legacy_kmgmt.c
 
 SOURCE[$TEMPLATE_GOAL]=template_kmgmt.c
 
-IF[{- !$disabled{ml-dsa} -}]
+IF[{- !$disabled{'ml-dsa'} -}]
   SOURCE[$ML_DSA_GOAL]=ml_dsa_kmgmt.c
 ENDIF

diff --git a/providers/implementations/keymgmt/ml_dsa_kmgmt.c b/providers/implementations/keymgmt/ml_dsa_kmgmt.c
index 03e054d28cb328d077692165765a136aa9d4ebfc..376076479a0f3ba6f07cf28be9790c59c7b77f57 100644 (file)
--- a/providers/implementations/keymgmt/ml_dsa_kmgmt.c
+++ b/providers/implementations/keymgmt/ml_dsa_kmgmt.c
@@ -132,6 +132,7 @@ static const OSSL_PARAM ml_dsa_params[] = {
     OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
+    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0),
     ML_DSA_IMEXPORTABLE_PARAMETERS,
     OSSL_PARAM_END
 };
@@ -174,6 +175,14 @@ static int ml_dsa_get_params(void *keydata, OSSL_PARAM params[])
                                                 ossl_ml_dsa_key_get_pub_len(key)))
             return 0;
     }
+    /*
+     * This allows apps to use an empty digest, so that the old API
+     * for digest signing can be used.
+     */
+    p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MANDATORY_DIGEST);
+    if (p != NULL && !OSSL_PARAM_set_utf8_string(p, ""))
+        return 0;
+
     return 1;
 }
 

diff --git a/providers/implementations/signature/build.info b/providers/implementations/signature/build.info
index a37fc68a66d74d87a4feb4b29ba817e4d1399397..cd603024ab5c2fe7dc7ae402a29bd5dcfeaf1f7b 100644 (file)
--- a/providers/implementations/signature/build.info
+++ b/providers/implementations/signature/build.info
@@ -25,6 +25,7 @@ ENDIF
 
 SOURCE[$RSA_GOAL]=rsa_sig.c
 
+DEPEND[ml_dsa_sig.o]=../../common/include/prov/der_ml_dsa.h
 DEPEND[rsa_sig.o]=../../common/include/prov/der_rsa.h
 DEPEND[dsa_sig.o]=../../common/include/prov/der_dsa.h
 DEPEND[ecdsa_sig.o]=../../common/include/prov/der_ec.h
@@ -33,6 +34,6 @@ DEPEND[sm2_sig.o]=../../common/include/prov/der_sm2.h
 
 SOURCE[$MAC_GOAL]=mac_legacy_sig.c
 
-IF[{- !$disabled{ml-dsa} -}]
+IF[{- !$disabled{'ml-dsa'} -}]
   SOURCE[$DSA_GOAL]=ml_dsa_sig.c
 ENDIF

diff --git a/providers/implementations/signature/ml_dsa_sig.c b/providers/implementations/signature/ml_dsa_sig.c
index a4803859c87b8a3d636e38dd0209d7af1a2a4f7b..d2c23abe3d7a6ffbede10d6fb7c91da8661958ed 100644 (file)
--- a/providers/implementations/signature/ml_dsa_sig.c
+++ b/providers/implementations/signature/ml_dsa_sig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -18,7 +18,10 @@
 #include "prov/implementations.h"
 #include "prov/providercommon.h"
 #include "prov/provider_ctx.h"
+#include "prov/der_ml_dsa.h"
 #include "crypto/ml_dsa.h"
+#include "internal/packet.h"
+#include "internal/sizes.h"
 
 #define ML_DSA_ENTROPY_LEN 32
 
@@ -29,9 +32,15 @@ static OSSL_FUNC_signature_sign_message_init_fn ml_dsa_sign_msg_init;
 static OSSL_FUNC_signature_sign_fn ml_dsa_sign;
 static OSSL_FUNC_signature_verify_message_init_fn ml_dsa_verify_msg_init;
 static OSSL_FUNC_signature_verify_fn ml_dsa_verify;
+static OSSL_FUNC_signature_digest_sign_init_fn ml_dsa_digest_signverify_init;
+static OSSL_FUNC_signature_digest_sign_fn ml_dsa_digest_sign;
+static OSSL_FUNC_signature_digest_verify_fn ml_dsa_digest_verify;
+
 static OSSL_FUNC_signature_freectx_fn ml_dsa_freectx;
 static OSSL_FUNC_signature_set_ctx_params_fn ml_dsa_set_ctx_params;
 static OSSL_FUNC_signature_settable_ctx_params_fn ml_dsa_settable_ctx_params;
+static OSSL_FUNC_signature_get_ctx_params_fn ml_dsa_get_ctx_params;
+static OSSL_FUNC_signature_gettable_ctx_params_fn ml_dsa_gettable_ctx_params;
 static OSSL_FUNC_signature_dupctx_fn ml_dsa_dupctx;
 
 typedef struct {
@@ -44,6 +53,9 @@ typedef struct {
     int msg_encode;
     int deterministic;
     const char *alg;
+    /* The Algorithm Identifier of the signature algorithm */
+    uint8_t aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
+    size_t  aid_len;
 } PROV_ML_DSA_CTX;
 
 static void ml_dsa_freectx(void *vctx)
@@ -86,6 +98,32 @@ static void *ml_dsa_dupctx(void *vctx)
     return OPENSSL_memdup(srcctx, sizeof(*srcctx));
 }
 
+static int set_alg_id_buffer(PROV_ML_DSA_CTX *ctx)
+{
+    int ret;
+    WPACKET pkt;
+    uint8_t *aid = NULL;
+
+    /*
+     * We do not care about DER writing errors.
+     * All it really means is that for some reason, there's no
+     * AlgorithmIdentifier to be had, but the operation itself is
+     * still valid, just as long as it's not used to construct
+     * anything that needs an AlgorithmIdentifier.
+     */
+    ctx->aid_len = 0;
+    ret = WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf));
+    ret = ret && ossl_DER_w_algorithmIdentifier_ML_DSA(&pkt, -1, ctx->key);
+    if (ret && WPACKET_finish(&pkt)) {
+        WPACKET_get_total_written(&pkt, &ctx->aid_len);
+        aid = WPACKET_get_curr(&pkt);
+    }
+    WPACKET_cleanup(&pkt);
+    if (aid != NULL && ctx->aid_len != 0)
+        memmove(ctx->aid_buf, aid, ctx->aid_len);
+    return 1;
+}
+
 static int ml_dsa_signverify_msg_init(void *vctx, void *vkey,
                                       const OSSL_PARAM params[], int operation,
                                       const char *desc)
@@ -107,6 +145,8 @@ static int ml_dsa_signverify_msg_init(void *vctx, void *vkey,
     if (!ossl_ml_dsa_key_matches(ctx->key, ctx->alg))
         return 0;
 
+    set_alg_id_buffer(ctx);
+
     return ml_dsa_set_ctx_params(ctx, params);
 }
 
@@ -116,8 +156,26 @@ static int ml_dsa_sign_msg_init(void *vctx, void *vkey, const OSSL_PARAM params[
                                       EVP_PKEY_OP_SIGN, "ML_DSA Sign Init");
 }
 
-static int ml_dsa_sign(void *vctx, unsigned char *sig, size_t *siglen,
-                       size_t sigsize, const unsigned char *msg, size_t msg_len)
+static int ml_dsa_digest_signverify_init(void *vctx, const char *mdname,
+                                         void *vkey, const OSSL_PARAM params[])
+{
+    PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;
+
+    if (mdname != NULL && mdname[0] != '\0') {
+        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
+                       "Explicit digest not supported for ML-DSA operations");
+        return 0;
+    }
+
+    if (vkey == NULL && ctx->key != NULL)
+        return ml_dsa_set_ctx_params(ctx, params);
+
+    return ml_dsa_signverify_msg_init(vctx, vkey, params,
+                                      EVP_PKEY_OP_SIGN, "ML_DSA Sign Init");
+}
+
+static int ml_dsa_sign(void *vctx, uint8_t *sig, size_t *siglen, size_t sigsize,
+                       const uint8_t *msg, size_t msg_len)
 {
     int ret = 0;
     PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;
@@ -147,14 +205,20 @@ static int ml_dsa_sign(void *vctx, unsigned char *sig, size_t *siglen,
     return ret;
 }
 
+static int ml_dsa_digest_sign(void *vctx, uint8_t *sig, size_t *siglen, size_t sigsize,
+                              const uint8_t *tbs, size_t tbslen)
+{
+    return ml_dsa_sign(vctx, sig, siglen, sigsize, tbs, tbslen);
+}
+
 static int ml_dsa_verify_msg_init(void *vctx, void *vkey, const OSSL_PARAM params[])
 {
     return ml_dsa_signverify_msg_init(vctx, vkey, params, EVP_PKEY_OP_VERIFY,
                                       "ML_DSA Verify Init");
 }
 
-static int ml_dsa_verify(void *vctx, const unsigned char *sig, size_t siglen,
-                         const unsigned char *msg, size_t msg_len)
+static int ml_dsa_verify(void *vctx, const uint8_t *sig, size_t siglen,
+                         const uint8_t *msg, size_t msg_len)
 {
     PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;
 
@@ -164,6 +228,12 @@ static int ml_dsa_verify(void *vctx, const unsigned char *sig, size_t siglen,
                               ctx->context_string, ctx->context_string_len,
                               ctx->msg_encode, sig, siglen);
 }
+static int ml_dsa_digest_verify(void *vctx,
+                                const uint8_t *sig, size_t siglen,
+                                const uint8_t *tbs, size_t tbslen)
+{
+    return ml_dsa_verify(vctx, sig, siglen, tbs, tbslen);
+}
 
 static int ml_dsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
 {
@@ -223,6 +293,35 @@ static const OSSL_PARAM *ml_dsa_settable_ctx_params(void *vctx,
     return settable_ctx_params;
 }
 
+static const OSSL_PARAM known_gettable_ctx_params[] = {
+    OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
+    OSSL_PARAM_END
+};
+
+static const OSSL_PARAM *ml_dsa_gettable_ctx_params(ossl_unused void *vctx,
+                                                    ossl_unused void *provctx)
+{
+    return known_gettable_ctx_params;
+}
+
+static int ml_dsa_get_ctx_params(void *vctx, OSSL_PARAM *params)
+{
+    PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;
+    OSSL_PARAM *p;
+
+    if (ctx == NULL)
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
+    if (p != NULL
+        && !OSSL_PARAM_set_octet_string(p,
+                                        ctx->aid_len == 0 ? NULL : ctx->aid_buf,
+                                        ctx->aid_len))
+        return 0;
+
+    return 1;
+}
+
 #define MAKE_SIGNATURE_FUNCTIONS(alg, fn)                                      \
     static OSSL_FUNC_signature_newctx_fn ml_dsa_##fn##_newctx;                 \
     static void *ml_dsa_##fn##_newctx(void *provctx, const char *propq)        \
@@ -237,11 +336,23 @@ static const OSSL_PARAM *ml_dsa_settable_ctx_params(void *vctx,
         { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT,                             \
           (void (*)(void))ml_dsa_verify_msg_init },                            \
         { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ml_dsa_verify },         \
+        { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,                                \
+          (void (*)(void))ml_dsa_digest_signverify_init },                     \
+        { OSSL_FUNC_SIGNATURE_DIGEST_SIGN,                                     \
+          (void (*)(void))ml_dsa_digest_sign },                                \
+        { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,                              \
+          (void (*)(void))ml_dsa_digest_signverify_init },                     \
+        { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY,                                   \
+          (void (*)(void))ml_dsa_digest_verify },                              \
         { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ml_dsa_freectx },       \
         { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS,                                  \
           (void (*)(void))ml_dsa_set_ctx_params },                             \
         { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,                             \
           (void (*)(void))ml_dsa_settable_ctx_params },                        \
+        { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS,                                  \
+          (void (*)(void))ml_dsa_get_ctx_params },                             \
+        { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,                             \
+          (void (*)(void))ml_dsa_gettable_ctx_params },                        \
         { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ml_dsa_dupctx },         \
         OSSL_DISPATCH_END                                                      \
     }