From fafc333e93c4f4cc16b65cd13aa0059d43f13743 Mon Sep 17 00:00:00 2001
From: Sean Parkinson <sean@wolfssl.com>
Date: Wed, 2 Apr 2025 16:05:11 +1000
Subject: [PATCH] LMS: add API to get Key ID from raw private key

Always last 16 bytes of private key.
---
 wolfcrypt/src/ext_lms.c |  8 ++++++++
 wolfcrypt/src/wc_lms.c  | 24 ++++++++++++++++++++++++
 wolfssl/wolfcrypt/lms.h |  3 +++
 3 files changed, 35 insertions(+)

diff --git a/wolfcrypt/src/ext_lms.c b/wolfcrypt/src/ext_lms.c
index b9f00d5bc..edf3a2eaa 100644
--- a/wolfcrypt/src/ext_lms.c
+++ b/wolfcrypt/src/ext_lms.c
@@ -1049,4 +1049,12 @@ int wc_LmsKey_Verify(LmsKey * key, const byte * sig, word32 sigSz,
     return 0;
 }
 
+const byte * wc_LmsKey_GetKidFromPrivRaw(const byte * priv, word32 privSz)
+{
+    if ((priv == NULL) || (privSz < 16)) {
+        return NULL;
+    }
+    return priv - 16;
+}
+
 #endif /* WOLFSSL_HAVE_LMS && HAVE_LIBLMS */
diff --git a/wolfcrypt/src/wc_lms.c b/wolfcrypt/src/wc_lms.c
index faa69987d..bac051a9d 100644
--- a/wolfcrypt/src/wc_lms.c
+++ b/wolfcrypt/src/wc_lms.c
@@ -1264,4 +1264,28 @@ int wc_LmsKey_Verify(LmsKey* key, const byte* sig, word32 sigSz,
     return ret;
 }
 
+/* Get the Key ID from the raw private key data.
+ *
+ * PRIV = Q | PARAMS | SEED | I
+ * where I is the Key ID.
+ *
+ * @param [in] priv    Private key data.
+ * @param [in] privSz  Size of private key data.
+ * @param  Pointer to 16 byte Key ID in the private key.
+ * @return  NULL on failure.
+ */
+const byte * wc_LmsKey_GetKidFromPrivRaw(const byte * priv, word32 privSz)
+{
+    word32 seedSz = privSz - LMS_Q_LEN + HSS_PRIV_KEY_PARAM_SET_LEN - LMS_I_LEN;
+
+    if (priv == NULL) {
+        return NULL;
+    }
+    if ((seedSz != WC_SHA256_192_DIGEST_SIZE) &&
+            (seedSz != WC_SHA256_DIGEST_SIZE)) {
+        return NULL;
+    }
+    return priv - LMS_I_LEN;
+}
+
 #endif /* WOLFSSL_HAVE_LMS && WOLFSSL_WC_LMS */
diff --git a/wolfssl/wolfcrypt/lms.h b/wolfssl/wolfcrypt/lms.h
index 754c49c08..ee4ccc5e2 100644
--- a/wolfssl/wolfcrypt/lms.h
+++ b/wolfssl/wolfcrypt/lms.h
@@ -186,6 +186,9 @@ WOLFSSL_API int  wc_LmsKey_Verify(LmsKey * key, const byte * sig, word32 sigSz,
     const byte * msg, int msgSz);
 WOLFSSL_API const char * wc_LmsKey_ParmToStr(enum wc_LmsParm lmsParm);
 WOLFSSL_API const char * wc_LmsKey_RcToStr(enum wc_LmsRc lmsRc);
+
+WOLFSSL_API const byte * wc_LmsKey_GetKidFromPrivRaw(const byte * priv,
+    word32 privSz);
 #ifdef __cplusplus
     } /* extern "C" */
 #endif