From 1036be4384ba2af961fc4ce7289def47da2ec2b9 Mon Sep 17 00:00:00 2001 From: slontis Date: Wed, 5 Feb 2025 10:20:50 +1100 Subject: [PATCH] ML_DSA: Make apps.c do_X509_REQ_verify() call work correctly. - Added sigid_algs for ML_DSA such that OBJ_find_sigid_algs() works. - OBJ_sn2nid() was also being called, so the SN form of ML_DSA algorithms needed to be added to the provider dispatch tables. Reviewed-by: Viktor Dukhovni Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/26636) --- crypto/objects/obj_xref.h | 3 +++ crypto/objects/obj_xref.txt | 3 +++ providers/implementations/include/prov/names.h | 6 +++--- test/recipes/25-test_req.t | 16 ++++++++++++++-- 4 files changed, 23 insertions(+), 5 deletions(-) diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index 5d3a5a338f8..12f4b7f11ba 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -84,6 +84,9 @@ static const nid_triple sigoid_srt[] = { {NID_RSA_SHA3_384, NID_sha3_384, NID_rsaEncryption}, {NID_RSA_SHA3_512, NID_sha3_512, NID_rsaEncryption}, {NID_SM2_with_SM3, NID_sm3, NID_sm2}, + {NID_ML_DSA_44, NID_undef, NID_ML_DSA_44}, + {NID_ML_DSA_65, NID_undef, NID_ML_DSA_65}, + {NID_ML_DSA_87, NID_undef, NID_ML_DSA_87}, }; static const nid_triple *const sigoid_srt_xref[] = { diff --git a/crypto/objects/obj_xref.txt b/crypto/objects/obj_xref.txt index 31c6eb99281..e34158457ba 100644 --- a/crypto/objects/obj_xref.txt +++ b/crypto/objects/obj_xref.txt @@ -23,6 +23,9 @@ RSA_SHA3_512 sha3_512 rsaEncryption rsassaPss undef rsassaPss ED25519 undef ED25519 ED448 undef ED448 +ML_DSA_44 undef ML_DSA_44 +ML_DSA_65 undef ML_DSA_65 +ML_DSA_87 undef ML_DSA_87 # Alternative deprecated OIDs. By using the older "rsa" OID this # type will be recognized by not normally used. diff --git a/providers/implementations/include/prov/names.h b/providers/implementations/include/prov/names.h index 06b9b5ff056..9280be0bbea 100644 --- a/providers/implementations/include/prov/names.h +++ b/providers/implementations/include/prov/names.h @@ -384,9 +384,9 @@ #define PROV_DESCS_RSA_PSS "OpenSSL RSA-PSS implementation" #define PROV_NAMES_SM2 "SM2:1.2.156.10197.1.301" #define PROV_DESCS_SM2 "OpenSSL SM2 implementation" -#define PROV_NAMES_ML_DSA_44 "ML-DSA-44:2.16.840.1.101.3.4.3.17" +#define PROV_NAMES_ML_DSA_44 "ML-DSA-44:2.16.840.1.101.3.4.3.17:id-ml-dsa-44" #define PROV_DESCS_ML_DSA_44 "OpenSSL ML-DSA-44 implementation" -#define PROV_NAMES_ML_DSA_65 "ML-DSA-65:2.16.840.1.101.3.4.3.18" +#define PROV_NAMES_ML_DSA_65 "ML-DSA-65:2.16.840.1.101.3.4.3.18:id-ml-dsa-65" #define PROV_DESCS_ML_DSA_65 "OpenSSL ML-DSA-65 implementation" -#define PROV_NAMES_ML_DSA_87 "ML-DSA-87:2.16.840.1.101.3.4.3.19" +#define PROV_NAMES_ML_DSA_87 "ML-DSA-87:2.16.840.1.101.3.4.3.19:id-ml-dsa-87" #define PROV_DESCS_ML_DSA_87 "OpenSSL ML-DSA-87 implementation" diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index ce85f996495..078932f461e 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -356,10 +356,10 @@ subtest "generating SM2 certificate requests" => sub { }; subtest "generating certificate requests with ML-DSA" => sub { - plan tests => 3; + plan tests => 5; SKIP: { - skip "ML-DSA is not supported by this OpenSSL build", 3 + skip "ML-DSA is not supported by this OpenSSL build", 5 if disabled("ml-dsa"); ok(run(app(["openssl", "req", @@ -389,6 +389,18 @@ subtest "generating certificate requests with ML-DSA" => sub { "-subj", "/CN=test-self-signed", "-addext","keyUsage=digitalSignature"])), "Generating self signed ML-DSA-87 cert and private key"); + ok(run(app(["openssl", "req", + "-config", srctop_file("test", "test.cnf"), + "-new", + "-sigopt","hextest-entropy:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "-out", "csr_ml_dsa_87.pem", + "-newkey", "ML-DSA-87", + "-passout", "pass:x"])), + "Generating ML-DSA-87 csr"); + ok(run(app(["openssl", "req", + "-config", srctop_file("test", "test.cnf"), + "-in", "csr_ml_dsa_87.pem"])), + "verifying ML-DSA-87 csr"); } }; -- 2.47.2