From 808fccb721f2fb621c3ffeb789dc4c13f2f37986 Mon Sep 17 00:00:00 2001 From: slontis Date: Tue, 28 Jan 2025 19:46:07 +1100 Subject: [PATCH] ML_DSA Add support for generation of X509 certificates using the openssl commandline. In order to support this gettables are required in both the key and signature.: Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/26575) --- .gitignore | 2 + doc/designs/ml-dsa.md | 11 ++ doc/man7/EVP_SIGNATURE-ML-DSA.pod | 5 + providers/common/der/ML_DSA.asn1 | 15 +++ providers/common/der/build.info | 19 +++ providers/common/der/der_ml_dsa_gen.c.in | 19 +++ providers/common/der/der_ml_dsa_key.c | 41 ++++++ providers/common/include/prov/der_ml_dsa.h.in | 22 ++++ providers/implementations/keymgmt/build.info | 2 +- .../implementations/keymgmt/ml_dsa_kmgmt.c | 9 ++ .../implementations/signature/build.info | 3 +- .../implementations/signature/ml_dsa_sig.c | 121 +++++++++++++++++- 12 files changed, 262 insertions(+), 7 deletions(-) create mode 100644 providers/common/der/ML_DSA.asn1 create mode 100644 providers/common/der/der_ml_dsa_gen.c.in create mode 100644 providers/common/der/der_ml_dsa_key.c create mode 100644 providers/common/include/prov/der_ml_dsa.h.in diff --git a/.gitignore b/.gitignore index 745edad6df1..23dfd7c8ee6 100644 --- a/.gitignore +++ b/.gitignore @@ -74,6 +74,7 @@ providers/common/der/der_ecx_gen.c providers/common/der/der_rsa_gen.c providers/common/der/der_wrap_gen.c providers/common/der/der_sm2_gen.c +providers/common/der/der_ml_dsa_gen.c providers/common/include/prov/der_dsa.h providers/common/include/prov/der_ec.h providers/common/include/prov/der_ecx.h @@ -81,6 +82,7 @@ providers/common/include/prov/der_rsa.h providers/common/include/prov/der_digests.h providers/common/include/prov/der_wrap.h providers/common/include/prov/der_sm2.h +providers/common/include/prov/der_ml_dsa.h # error code files /crypto/err/openssl.txt.old 
diff --git a/doc/designs/ml-dsa.md b/doc/designs/ml-dsa.md index acadcf8d298..4fd13fedcbd 100644 --- a/doc/designs/ml-dsa.md +++ b/doc/designs/ml-dsa.md @@ -94,6 +94,17 @@ the API's used should be EVP_PKEY_sign_message_init(), EVP_PKEY_sign(), EVP_PKEY_verify_message_init(), EVP_PKEY_verify(). +OpenSSL command line support +---------------------------- + +For backwards compatability reasons EVP_DigestSignInit_ex(), EVP_DigestSign(), +EVP_DigestVerifyInit_ex() and EVP_DigestVerify() may also be used, but the digest +passed in `mdname` must be NULL (i.e. It effectively behaves the same as above). +Passing a non NULL digest results in an error. + +OSSL_PKEY_PARAM_MANDATORY_DIGEST must return "" in the key manager getter and +OSSL_SIGNATURE_PARAM_ALGORITHM_ID in the signature context getter. + Encoding/Decoding ----------------- diff --git a/doc/man7/EVP_SIGNATURE-ML-DSA.pod b/doc/man7/EVP_SIGNATURE-ML-DSA.pod index 4fed0d9e19e..e94cbf8ca40 100644 --- a/doc/man7/EVP_SIGNATURE-ML-DSA.pod +++ b/doc/man7/EVP_SIGNATURE-ML-DSA.pod @@ -70,6 +70,11 @@ to be set to 32 bytes of zeros. This value is ignored if "test-entropy" is set. See L for information related to B keys. +=head1 NOTES + +For backwards compatability reasons EVP_DigestSignInit_ex(), EVP_DigestSign(), +EVP_DigestVerifyInit_ex() and EVP_DigestVerify() may also be used, but the digest +passed in |mdname| must be NULL. =head1 EXAMPLES diff --git a/providers/common/der/ML_DSA.asn1 b/providers/common/der/ML_DSA.asn1 new file mode 100644 index 00000000000..46d6f80399b --- /dev/null +++ b/providers/common/der/ML_DSA.asn1 
@@ -0,0 +1,15 @@ +-- Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. +-- +-- Licensed under the Apache License 2.0 (the "License"). You may not use +-- this file except in compliance with the License. You can obtain a copy +-- in the file LICENSE in the source distribution or at +-- https://www.openssl.org/source/license.html + +-- ------------------------------------------------------------------- +-- Taken from https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration + +sigAlgs OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 4 3 } + +id-ml-dsa-44 OBJECT IDENTIFIER ::= { sigAlgs 17 } +id-ml-dsa-65 OBJECT IDENTIFIER ::= { sigAlgs 18 } +id-ml-dsa-87 OBJECT IDENTIFIER ::= { sigAlgs 19 } diff --git a/providers/common/der/build.info b/providers/common/der/build.info index 764bff539ed..3e8904d54a6 100644 --- a/providers/common/der/build.info +++ b/providers/common/der/build.info @@ -71,6 +71,21 @@ IF[{- !$disabled{ecx} -}] DEPEND[$DER_ECX_H]=oids_to_c.pm ECX.asn1 ENDIF +#----- ML-DSA +IF[{- !$disabled{'ml-dsa'} -}] + $DER_ML_DSA_H=$INCDIR/der_ml_dsa.h + $DER_ML_DSA_GEN=der_ml_dsa_gen.c + $DER_ML_DSA_AUX=der_ml_dsa_key.c + + GENERATE[$DER_ML_DSA_GEN]=der_ml_dsa_gen.c.in + DEPEND[$DER_ML_DSA_GEN]=oids_to_c.pm ML_DSA.asn1 + + DEPEND[${DER_ML_DSA_GEN/.c/.o}]=$DER_ML_DSA_H + DEPEND[${DER_ML_DSA_AUX/.c/.o}]=$DER_ML_DSA_H + GENERATE[$DER_ML_DSA_H]=$INCDIR/der_ml_dsa.h.in + DEPEND[$DER_ML_DSA_H]=oids_to_c.pm ML_DSA.asn1 +ENDIF + #----- KEY WRAP $DER_WRAP_H=$INCDIR/der_wrap.h $DER_WRAP_GEN=der_wrap_gen.c @@ -112,6 +127,10 @@ IF[{- !$disabled{ec} -}] ENDIF ENDIF +IF[{- !$disabled{'ml-dsa'} -}] + $COMMON = $COMMON $DER_ML_DSA_GEN $DER_ML_DSA_AUX +ENDIF + IF[{- !$disabled{sm2} -}] $NONFIPS = $NONFIPS $DER_SM2_GEN $DER_SM2_AUX ENDIF diff --git a/providers/common/der/der_ml_dsa_gen.c.in b/providers/common/der/der_ml_dsa_gen.c.in new file mode 100644 index 00000000000..0097fc7a0c2 --- /dev/null +++ b/providers/common/der/der_ml_dsa_gen.c.in 
@@ -0,0 +1,19 @@
+/*
+ * {- join("\n * ", @autowarntext) -}
+ *
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "prov/der_ml_dsa.h"
+
+/* Well known OIDs precompiled */
+{-
+ $OUT = oids_to_c::process_leaves('providers/common/der/ML_DSA.asn1',
+ { dir => $config{sourcedir},
+ filter => \&oids_to_c::filter_to_C });
+-}
diff --git a/providers/common/der/der_ml_dsa_key.c b/providers/common/der/der_ml_dsa_key.c
new file mode 100644
index 00000000000..f9481fc6cd4
--- /dev/null
+++ b/providers/common/der/der_ml_dsa_key.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
+#include "internal/packet.h"
+#include "prov/der_ml_dsa.h"
+
+int ossl_DER_w_algorithmIdentifier_ML_DSA(WPACKET *pkt, int tag, ML_DSA_KEY *key)
+{
+ const uint8_t *alg;
+ size_t len;
+ const char *name = ossl_ml_dsa_key_get_name(key);
+
+ if (OPENSSL_strcasecmp(name, "ML-DSA-44") == 0) {
+ alg = ossl_der_oid_id_ml_dsa_44;
+ len = sizeof(ossl_der_oid_id_ml_dsa_44);
+ } else if (OPENSSL_strcasecmp(name, "ML-DSA-65") == 0) {
+ alg = ossl_der_oid_id_ml_dsa_65;
+ len = sizeof(ossl_der_oid_id_ml_dsa_65);
+ } else if (OPENSSL_strcasecmp(name, "ML-DSA-87") == 0) {
+ alg = ossl_der_oid_id_ml_dsa_87;
+ len = sizeof(ossl_der_oid_id_ml_dsa_87);
+ } else {
+ return 0;
+ }
+ return ossl_DER_w_begin_sequence(pkt, tag)
+ /* No parameters */
+ && ossl_DER_w_precompiled(pkt, -1, alg, len)
+ && ossl_DER_w_end_sequence(pkt, tag);
+}
diff --git a/providers/common/include/prov/der_ml_dsa.h.in b/providers/common/include/prov/der_ml_dsa.h.in
new file mode 100644
index 00000000000..07f0f3f4ac9
--- /dev/null
+++ b/providers/common/include/prov/der_ml_dsa.h.in
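Review bot: In der_ml_dsa_key.c the comment above the includes (`DSA low level APIs are deprecated for public use, but still ok for internal use.`) and the `#include "internal/deprecated.h"` it justifies look carried over from the DSA variant of this file. Nothing in `ossl_DER_w_algorithmIdentifier_ML_DSA()` touches a deprecated DSA API, so both can probably be dropped. The copyright line says 2020 while the other new files in this commit say 2025. `key` is only read here, so `const ML_DSA_KEY *key` would document that, provided `ossl_ml_dsa_key_get_name()` accepts a const pointer (its prototype is not visible in this patch). A one-line header comment such as `/* Writes the parameter-less AlgorithmIdentifier for the key's ML-DSA variant; returns 0 for an unknown variant name. */` would also help.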
@@ -0,0 +1,22 @@ +/* + * {- join("\n * ", @autowarntext) -} + * + * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "internal/der.h" +#include "crypto/ml_dsa.h" + +/* Well known OIDs precompiled */ +{- + $OUT = oids_to_c::process_leaves('providers/common/der/ML_DSA.asn1', + { dir => $config{sourcedir}, + filter => \&oids_to_c::filter_to_H }); +-} + +int ossl_DER_w_algorithmIdentifier_ML_DSA(WPACKET *pkt, int tag, ML_DSA_KEY *key); diff --git a/providers/implementations/keymgmt/build.info b/providers/implementations/keymgmt/build.info index 852d9dc7d2e..9fe922a3451 100644 --- a/providers/implementations/keymgmt/build.info +++ b/providers/implementations/keymgmt/build.info @@ -46,6 +46,6 @@ SOURCE[$MAC_GOAL]=mac_legacy_kmgmt.c SOURCE[$TEMPLATE_GOAL]=template_kmgmt.c -IF[{- !$disabled{ml-dsa} -}] +IF[{- !$disabled{'ml-dsa'} -}] SOURCE[$ML_DSA_GOAL]=ml_dsa_kmgmt.c ENDIF diff --git a/providers/implementations/keymgmt/ml_dsa_kmgmt.c b/providers/implementations/keymgmt/ml_dsa_kmgmt.c index 03e054d28cb..376076479a0 100644 --- a/providers/implementations/keymgmt/ml_dsa_kmgmt.c +++ b/providers/implementations/keymgmt/ml_dsa_kmgmt.c @@ -132,6 +132,7 @@ static const OSSL_PARAM ml_dsa_params[] = { OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0), ML_DSA_IMEXPORTABLE_PARAMETERS, OSSL_PARAM_END }; 
@@ -174,6 +175,14 @@ static int ml_dsa_get_params(void *keydata, OSSL_PARAM params[]) ossl_ml_dsa_key_get_pub_len(key))) return 0; } + /* + * This allows apps to use an empty digest, so that the old API + * for digest signing can be used. + */ + p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MANDATORY_DIGEST); + if (p != NULL && !OSSL_PARAM_set_utf8_string(p, "")) + return 0; + return 1; } diff --git a/providers/implementations/signature/build.info b/providers/implementations/signature/build.info index a37fc68a66d..cd603024ab5 100644 --- a/providers/implementations/signature/build.info +++ b/providers/implementations/signature/build.info @@ -25,6 +25,7 @@ ENDIF SOURCE[$RSA_GOAL]=rsa_sig.c +DEPEND[ml_dsa_sig.o]=../../common/include/prov/der_ml_dsa.h DEPEND[rsa_sig.o]=../../common/include/prov/der_rsa.h DEPEND[dsa_sig.o]=../../common/include/prov/der_dsa.h DEPEND[ecdsa_sig.o]=../../common/include/prov/der_ec.h @@ -33,6 +34,6 @@ DEPEND[sm2_sig.o]=../../common/include/prov/der_sm2.h SOURCE[$MAC_GOAL]=mac_legacy_sig.c -IF[{- !$disabled{ml-dsa} -}] +IF[{- !$disabled{'ml-dsa'} -}] SOURCE[$DSA_GOAL]=ml_dsa_sig.c ENDIF diff --git a/providers/implementations/signature/ml_dsa_sig.c b/providers/implementations/signature/ml_dsa_sig.c index a4803859c87..d2c23abe3d7 100644 --- a/providers/implementations/signature/ml_dsa_sig.c +++ b/providers/implementations/signature/ml_dsa_sig.c @@ -1,5 +1,5 @@ /* - * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -18,7 +18,10 @@ #include "prov/implementations.h" #include "prov/providercommon.h" #include "prov/provider_ctx.h" +#include "prov/der_ml_dsa.h" #include "crypto/ml_dsa.h" +#include "internal/packet.h" +#include "internal/sizes.h" #define ML_DSA_ENTROPY_LEN 32 
@@ -29,9 +32,15 @@ static OSSL_FUNC_signature_sign_message_init_fn ml_dsa_sign_msg_init; static OSSL_FUNC_signature_sign_fn ml_dsa_sign; static OSSL_FUNC_signature_verify_message_init_fn ml_dsa_verify_msg_init; static OSSL_FUNC_signature_verify_fn ml_dsa_verify; +static OSSL_FUNC_signature_digest_sign_init_fn ml_dsa_digest_signverify_init; +static OSSL_FUNC_signature_digest_sign_fn ml_dsa_digest_sign; +static OSSL_FUNC_signature_digest_verify_fn ml_dsa_digest_verify; + static OSSL_FUNC_signature_freectx_fn ml_dsa_freectx; static OSSL_FUNC_signature_set_ctx_params_fn ml_dsa_set_ctx_params; static OSSL_FUNC_signature_settable_ctx_params_fn ml_dsa_settable_ctx_params; +static OSSL_FUNC_signature_get_ctx_params_fn ml_dsa_get_ctx_params; +static OSSL_FUNC_signature_gettable_ctx_params_fn ml_dsa_gettable_ctx_params; static OSSL_FUNC_signature_dupctx_fn ml_dsa_dupctx; typedef struct { @@ -44,6 +53,9 @@ typedef struct { int msg_encode; int deterministic; const char *alg; + /* The Algorithm Identifier of the signature algorithm */ + uint8_t aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE]; + size_t aid_len; } PROV_ML_DSA_CTX; static void ml_dsa_freectx(void *vctx) 
@@ -86,6 +98,32 @@ static void *ml_dsa_dupctx(void *vctx) return OPENSSL_memdup(srcctx, sizeof(*srcctx)); } +static int set_alg_id_buffer(PROV_ML_DSA_CTX *ctx) +{ + int ret; + WPACKET pkt; + uint8_t *aid = NULL; + + /* + * We do not care about DER writing errors. + * All it really means is that for some reason, there's no + * AlgorithmIdentifier to be had, but the operation itself is + * still valid, just as long as it's not used to construct + * anything that needs an AlgorithmIdentifier. + */ + ctx->aid_len = 0; + ret = WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf)); + ret = ret && ossl_DER_w_algorithmIdentifier_ML_DSA(&pkt, -1, ctx->key); + if (ret && WPACKET_finish(&pkt)) { + WPACKET_get_total_written(&pkt, &ctx->aid_len); + aid = WPACKET_get_curr(&pkt); + } + WPACKET_cleanup(&pkt); + if (aid != NULL && ctx->aid_len != 0) + memmove(ctx->aid_buf, aid, ctx->aid_len); + return 1; +} + static int ml_dsa_signverify_msg_init(void *vctx, void *vkey, const OSSL_PARAM params[], int operation, const char *desc) @@ -107,6 +145,8 @@ static int ml_dsa_signverify_msg_init(void *vctx, void *vkey, if (!ossl_ml_dsa_key_matches(ctx->key, ctx->alg)) return 0; + set_alg_id_buffer(ctx); + return ml_dsa_set_ctx_params(ctx, params); } 
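Review bot: `set_alg_id_buffer()` is declared `int` but returns 1 on every path, and the call added in `ml_dsa_signverify_msg_init()` (second hunk) drops the result, so the return type suggests an error channel that does not exist. Since the comment says DER write errors are deliberately ignored, `static void set_alg_id_buffer(PROV_ML_DSA_CTX *ctx)` would state that contract directly. The comment could also name the consequence visible in this patch: on failure `ctx->aid_len` stays 0, and the algorithm-id getter then has nothing to return. The return value of `WPACKET_get_total_written()` is likewise unchecked; folding it into the `if (ret && WPACKET_finish(&pkt))` condition keeps `aid` unset when the length is unknown.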
@@ -116,8 +156,26 @@ static int ml_dsa_sign_msg_init(void *vctx, void *vkey, const OSSL_PARAM params[ EVP_PKEY_OP_SIGN, "ML_DSA Sign Init"); } -static int ml_dsa_sign(void *vctx, unsigned char *sig, size_t *siglen, - size_t sigsize, const unsigned char *msg, size_t msg_len) +static int ml_dsa_digest_signverify_init(void *vctx, const char *mdname, + void *vkey, const OSSL_PARAM params[]) +{ + PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx; + + if (mdname != NULL && mdname[0] != '\0') { + ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, + "Explicit digest not supported for ML-DSA operations"); + return 0; + } + + if (vkey == NULL && ctx->key != NULL) + return ml_dsa_set_ctx_params(ctx, params); + + return ml_dsa_signverify_msg_init(vctx, vkey, params, + EVP_PKEY_OP_SIGN, "ML_DSA Sign Init"); +} + +static int ml_dsa_sign(void *vctx, uint8_t *sig, size_t *siglen, size_t sigsize, + const uint8_t *msg, size_t msg_len) { int ret = 0; PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx; @@ -147,14 +205,20 @@ static int ml_dsa_sign(void *vctx, unsigned char *sig, size_t *siglen, return ret; } +static int ml_dsa_digest_sign(void *vctx, uint8_t *sig, size_t *siglen, size_t sigsize, + const uint8_t *tbs, size_t tbslen) +{ + return ml_dsa_sign(vctx, sig, siglen, sigsize, tbs, tbslen); +} + static int ml_dsa_verify_msg_init(void *vctx, void *vkey, const OSSL_PARAM params[]) { return ml_dsa_signverify_msg_init(vctx, vkey, params, EVP_PKEY_OP_VERIFY, "ML_DSA Verify Init"); } -static int ml_dsa_verify(void *vctx, const unsigned char *sig, size_t siglen, - const unsigned char *msg, size_t msg_len) +static int ml_dsa_verify(void *vctx, const uint8_t *sig, size_t siglen, + const uint8_t *msg, size_t msg_len) { PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx; 
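Review bot: `ml_dsa_digest_signverify_init()` always forwards `EVP_PKEY_OP_SIGN, "ML_DSA Sign Init"` to `ml_dsa_signverify_msg_init()`, yet the dispatch table in the last hunk of this patch also registers it for `OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT`, so a verify context is initialised as a signing operation. Whether `operation` and `desc` are consumed is not visible in this diff, but if they ever drive key-usage checks or error text, the verify path will report the wrong operation. The function also reads `ctx->key` in `if (vkey == NULL && ctx->key != NULL)` without a `ctx == NULL` guard, unlike `ml_dsa_get_ctx_params()`. Passing the operation in and adding two thin wrappers fixes both; the forward declarations and the two `*_DIGEST_*_INIT` dispatch entries would then point at the wrappers.

```c
static int ml_dsa_digest_signverify_init(void *vctx, const char *mdname,
                                         void *vkey, const OSSL_PARAM params[],
                                         int operation, const char *desc)
{
    PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx;

    if (ctx == NULL)
        return 0;
    /* … unchanged: mdname rejection and the vkey == NULL re-init path … */
    return ml_dsa_signverify_msg_init(vctx, vkey, params, operation, desc);
}

static int ml_dsa_digest_sign_init(void *vctx, const char *mdname,
                                   void *vkey, const OSSL_PARAM params[])
{
    return ml_dsa_digest_signverify_init(vctx, mdname, vkey, params,
                                         EVP_PKEY_OP_SIGN, "ML_DSA Sign Init");
}

static int ml_dsa_digest_verify_init(void *vctx, const char *mdname,
                                     void *vkey, const OSSL_PARAM params[])
{
    return ml_dsa_digest_signverify_init(vctx, mdname, vkey, params,
                                         EVP_PKEY_OP_VERIFY,
                                         "ML_DSA Verify Init");
}
```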
@@ -164,6 +228,12 @@ static int ml_dsa_verify(void *vctx, const unsigned char *sig, size_t siglen, ctx->context_string, ctx->context_string_len, ctx->msg_encode, sig, siglen); } +static int ml_dsa_digest_verify(void *vctx, + const uint8_t *sig, size_t siglen, + const uint8_t *tbs, size_t tbslen) +{ + return ml_dsa_verify(vctx, sig, siglen, tbs, tbslen); +} static int ml_dsa_set_ctx_params(void *vctx, const OSSL_PARAM params[]) { @@ -223,6 +293,35 @@ static const OSSL_PARAM *ml_dsa_settable_ctx_params(void *vctx, return settable_ctx_params; } +static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0), + OSSL_PARAM_END +}; + +static const OSSL_PARAM *ml_dsa_gettable_ctx_params(ossl_unused void *vctx, + ossl_unused void *provctx) +{ + return known_gettable_ctx_params; +} + +static int ml_dsa_get_ctx_params(void *vctx, OSSL_PARAM *params) +{ + PROV_ML_DSA_CTX *ctx = (PROV_ML_DSA_CTX *)vctx; + OSSL_PARAM *p; + + if (ctx == NULL) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID); + if (p != NULL + && !OSSL_PARAM_set_octet_string(p, + ctx->aid_len == 0 ? NULL : ctx->aid_buf, + ctx->aid_len)) + return 0; + + return 1; +} + #define MAKE_SIGNATURE_FUNCTIONS(alg, fn) \ static OSSL_FUNC_signature_newctx_fn ml_dsa_##fn##_newctx; \ static void *ml_dsa_##fn##_newctx(void *provctx, const char *propq) \ 
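Review bot: In `ml_dsa_get_ctx_params()` the argument `ctx->aid_len == 0 ? NULL : ctx->aid_buf` is the only place where the DER error ignored in `set_alg_id_buffer()` surfaces, and nothing in the code says so. Assuming `OSSL_PARAM_set_octet_string()` rejects a NULL value (its implementation is not visible here), a request for `OSSL_SIGNATURE_PARAM_ALGORITHM_ID` fails whenever no identifier was encoded or no init has run yet, rather than returning an empty octet string. A short comment on that branch would make the intent explicit for callers that build certificates from this value, e.g. `/* Fails if no AlgorithmIdentifier was encoded at init time */`. The first hunk on this line also adds `ml_dsa_digest_verify()` directly after the closing brace of `ml_dsa_verify()` with no blank line between them.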
@@ -237,11 +336,23 @@ static const OSSL_PARAM *ml_dsa_settable_ctx_params(void *vctx, { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \ (void (*)(void))ml_dsa_verify_msg_init }, \ { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))ml_dsa_verify }, \ + { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, \ + (void (*)(void))ml_dsa_digest_signverify_init }, \ + { OSSL_FUNC_SIGNATURE_DIGEST_SIGN, \ + (void (*)(void))ml_dsa_digest_sign }, \ + { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, \ + (void (*)(void))ml_dsa_digest_signverify_init }, \ + { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY, \ + (void (*)(void))ml_dsa_digest_verify }, \ { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))ml_dsa_freectx }, \ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \ (void (*)(void))ml_dsa_set_ctx_params }, \ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \ (void (*)(void))ml_dsa_settable_ctx_params }, \ + { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \ + (void (*)(void))ml_dsa_get_ctx_params }, \ + { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \ + (void (*)(void))ml_dsa_gettable_ctx_params }, \ { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))ml_dsa_dupctx }, \ OSSL_DISPATCH_END \ } -- 2.47.2