Add ML-DSA SPKI/PKCS#8 DER support to d2i_PUBKEY and d2i_PrivateKey #10310
cconlon wants to merge 1 commit into wolfSSL:master from
Pull request overview
Adds DER-aware parsing support for ML-DSA (Dilithium) keys in the d2i_PUBKEY / d2i_PrivateKey code paths, and expands the test suite + fixtures to cover ML-DSA SPKI/PKCS#8 variants.
Changes:
- Update Dilithium import helpers to accept both raw key bytes and DER (SPKI / PKCS#8) via wolfCrypt DER decoders.
- Fix d2iTryAltDhKey to correctly signal “not DH” so the parser can fall through to later key-type checks (e.g., Dilithium).
- Add ML-DSA public/private key parsing tests and introduce SPKI DER fixtures + generator support.
Reviewed changes
Copilot reviewed 5 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| wolfcrypt/src/evp_pk.c | Fixes DH fall-through behavior and adds DER-aware Dilithium decode attempts for SPKI/PKCS#8. |
| tests/api.c | Adds ML-DSA d2i_PUBKEY / d2i_PrivateKey BIO tests (raw + DER variants) and negative cases. |
| gencertbuf.pl | Generates cert buffer arrays for ML-DSA SPKI and PKCS#8 test fixtures. |
| certs/mldsa/mldsa44_pub-spki.der | Adds ML-DSA-44 SPKI DER fixture. |
| certs/mldsa/mldsa65_pub-spki.der | Adds ML-DSA-65 SPKI DER fixture. |
| certs/mldsa/mldsa87_pub-spki.der | Adds ML-DSA-87 SPKI DER fixture. |
| certs/mldsa/include.am | Ships the new SPKI DER fixtures in EXTRA_DIST. |
| certs/mldsa/README.txt | Documents the ML-DSA test fixture variants and regeneration steps. |
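The raw-or-DER acceptance described in the review summary above can be illustrated with a strict SPKI check; this is an added example, not wolfSSL code. The helper name mldsa_pub_classify is hypothetical, and classifying raw input by its length alone is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER OID 2.16.840.1.101.3.4.3.x; last byte 0x11/0x12/0x13 = ML-DSA-44/65/87 */
static const uint8_t OID_PREFIX[10] = {0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03};

static size_t mldsa_pk_len(int level) {  /* raw public key sizes from FIPS 204 */
    return level == 44 ? 1312 : level == 65 ? 1952 : level == 87 ? 2592 : 0;
}

/* Match tag, read a minimal definite length, advance *p to the content; -1 on error */
static int der_hdr(const uint8_t **p, const uint8_t *end, uint8_t tag) {
    const uint8_t *q = *p;
    size_t len, n;
    if (end - q < 2 || q[0] != tag) return -1;
    len = q[1]; q += 2;
    if (len & 0x80) {
        n = len & 0x7f;
        if (n == 0 || n > 3 || (size_t)(end - q) < n || q[0] == 0) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *q++;
        if (len < 0x80) return -1;       /* long form used for a short length */
    }
    if ((size_t)(end - q) < len) return -1;  /* content would run past the input */
    *p = q;
    return (int)len;
}

/* Hypothetical helper: returns 44/65/87 and points pk at the raw key bytes,
 * or 0 when the input is neither raw bytes nor a well-formed ML-DSA SPKI. */
int mldsa_pub_classify(const uint8_t *in, size_t inLen,
                       const uint8_t **pk, size_t *pkLen) {
    static const int levels[3] = {44, 65, 87};
    const uint8_t *p = in, *end = in + inLen;
    int i, level, l;
    for (i = 0; i < 3; i++)  /* raw form: assumed identifiable by length */
        if (inLen == mldsa_pk_len(levels[i])) { *pk = in; *pkLen = inLen; return levels[i]; }
    /* SPKI ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }, no trailing bytes */
    if ((l = der_hdr(&p, end, 0x30)) < 0 || p + l != end) return 0;
    if (der_hdr(&p, end, 0x30) != 11) return 0;   /* OID only, no parameters */
    if (memcmp(p, OID_PREFIX, sizeof OID_PREFIX) != 0) return 0;
    level = p[10] == 0x11 ? 44 : p[10] == 0x12 ? 65 : p[10] == 0x13 ? 87 : 0;
    p += 11;
    l = der_hdr(&p, end, 0x03);                   /* BIT STRING, 0 unused bits */
    if (level == 0 || l < 1 || p + l != end || p[0] != 0x00) return 0;
    if ((size_t)l - 1 != mldsa_pk_len(level)) return 0;  /* OID and key size must agree */
    *pk = p + 1; *pkLen = (size_t)l - 1;
    return level;
}
```

Input that fails the SPKI check returns 0 rather than an error, so a caller can go on to try the next key type.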
wolfSSL-Fenrir-bot left a comment
Fenrir Automated Review — PR #10310
Scan targets checked: wolfcrypt-bugs, wolfcrypt-src
No new issues found in the changed files. ✅
Jenkins retest this please
…fix d2iTryAltDhKey returning 0 on non-DH input.
Retest this please Jenkins
Retest this please Jenkins. PRB-fips-ready-config: "ERROR: Cannot delete workspace: Unable to delete ... Tried 3 times (of a maximum of 3) waiting 0.1 sec between attempts."
Description
This PR includes a few ML-DSA / Dilithium fixes in evp_pk.c:
- d2i_dilithium_{pub,priv}_key_level to use the DER aware wc_Dilithium_{Pub,Priv}KeyDecode decoders so d2i_PUBKEY and d2i_PrivateKey accept ML-DSA LAMPS SPKI / PKCS#8 in addition to raw bytes, matching the DER consumption of other d2iTry*Key functions.
- d2iTryAltDhKey returning 0 on non-DH input, which cut short the fall through check before Dilithium detection could run.
Testing
Discovered and tested when adding ML-DSA support to wolfJSSE.
This PR also adds new test code:
- test_wolfSSL_d2i_PUBKEY: raw bytes and LAMPS SPKI DER for ML-DSA-44, -65, and -87.
- test_wolfSSL_d2i_PrivateKeys_bio: raw bytes plus three LAMPS PKCS#8 variants (priv-only, seed-priv, seed-only) for ML-DSA-44, -65, and -87.
- EVP_PKEY_id assertions on new cases, confirming the parser classified the input as Dilithium.
- NULL is returned cleanly.
Checklist