From a82d1a6b12f4e40e07c95a11f559e380cd05ffc1 Mon Sep 17 00:00:00 2001
From: Koji Takeda
Date: Mon, 14 Jul 2025 10:35:31 +0900
Subject: [PATCH 1/4] Support importing seed of ML-DSA key
---
tests/api/test_mldsa.c | 253 ++++++++++++++++++++++++++++++++------
tests/api/test_mldsa.h | 32 ++---
wolfcrypt/src/asn.c | 134 ++++++++++++--------
wolfcrypt/src/dilithium.c | 112 ++++++++---------
wolfssl/wolfcrypt/asn.h | 10 +-
5 files changed, 376 insertions(+), 165 deletions(-)
diff --git a/tests/api/test_mldsa.c b/tests/api/test_mldsa.c
index 873a085c9..132b797c9 100644
--- a/tests/api/test_mldsa.c
+++ b/tests/api/test_mldsa.c
@@ -16658,7 +16658,219 @@ int test_wc_dilithium_verify_kats(void) return EXPECT_RESULT(); } -int test_mldsa_pkcs8(void) +#if !defined(NO_ASN) && defined(HAVE_PKCS8) && \ + defined(HAVE_DILITHIUM) && defined(WOLFSSL_WC_DILITHIUM) && \ + !defined(WOLFSSL_DILITHIUM_NO_ASN1) && defined(WOLFSSL_ASN_TEMPLATE) +static struct { + const char* fileName; + byte level; + /* 0: Unsupported, 1: Supported*/ + int p8_lv; /* Support PKCS8 format with specifying level */ + int p8_nolv; /* Support PKCS8 format without specifying level */ + int trad_lv; /* Support traditional format with specifying level */ + int trad_nolv; /* Support traditional format without specifying level */ +} ossl_form[] = { + /* + * Generated test files with the following commands: + * openssl genpkey -outform DER -algorithm ${ALGO} \ + * -provparam ml-dsa.output_formats=${OUT_FORM} -out ${OUT_FILE} + */ + + /* ALGO=ML-DSA-44, OUT_FORM=seed-only, OUT_FILE=mldsa44_seed-only.der */ + {"certs/mldsa/mldsa44_seed-only.der", WC_ML_DSA_44, 1, 1, 1, 0}, + /* ALGO=ML-DSA-44, OUT_FORM=priv-only, OUT_FILE=mldsa44_priv-only.der */ + {"certs/mldsa/mldsa44_priv-only.der", WC_ML_DSA_44, 1, 1, 1, 0}, + /* ALGO=ML-DSA-44, OUT_FORM=seed-priv, OUT_FILE=mldsa44_seed-priv.der */ + {"certs/mldsa/mldsa44_seed-priv.der", WC_ML_DSA_44, 1, 1, 1, 0}, + /* ALGO=ML-DSA-44, OUT_FORM=oqskeypair, OUT_FILE=mldsa44_oqskeypair.der */ + {"certs/mldsa/mldsa44_oqskeypair.der", WC_ML_DSA_44, 1, 1, 1, 0}, + /* ALGO=ML-DSA-44, OUT_FORM=bare-seed, OUT_FILE=mldsa44_bare-seed.der */ + {"certs/mldsa/mldsa44_bare-seed.der", WC_ML_DSA_44, 0, 0, 0, 0}, + /* ALGO=ML-DSA-44, OUT_FORM=bare-priv, OUT_FILE=mldsa44_bare-priv.der */ + {"certs/mldsa/mldsa44_bare-priv.der", WC_ML_DSA_44, 0, 0, 0, 0}, + /* ALGO=ML-DSA-65, OUT_FORM=seed-only, OUT_FILE=mldsa65_seed-only.der */ + {"certs/mldsa/mldsa65_seed-only.der", WC_ML_DSA_65, 1, 1, 1, 0}, + /* ALGO=ML-DSA-65, OUT_FORM=priv-only, OUT_FILE=mldsa65_priv-only.der */ + {"certs/mldsa/mldsa65_priv-only.der", 
WC_ML_DSA_65, 1, 1, 1, 0}, + /* ALGO=ML-DSA-65, OUT_FORM=seed-priv, OUT_FILE=mldsa65_seed-priv.der */ + {"certs/mldsa/mldsa65_seed-priv.der", WC_ML_DSA_65, 1, 1, 1, 0}, + /* ALGO=ML-DSA-65, OUT_FORM=oqskeypair, OUT_FILE=mldsa65_oqskeypair.der */ + {"certs/mldsa/mldsa65_oqskeypair.der", WC_ML_DSA_65, 1, 1, 1, 0}, + /* ALGO=ML-DSA-65, OUT_FORM=bare-seed, OUT_FILE=mldsa65_bare-seed.der */ + {"certs/mldsa/mldsa65_bare-seed.der", WC_ML_DSA_65, 0, 0, 0, 0}, + /* ALGO=ML-DSA-65, OUT_FORM=bare-priv, OUT_FILE=mldsa65_bare-priv.der */ + {"certs/mldsa/mldsa65_bare-priv.der", WC_ML_DSA_65, 0, 0, 0, 0}, + /* ALGO=ML-DSA-87, OUT_FORM=seed-only, OUT_FILE=mldsa87_seed-only.der */ + {"certs/mldsa/mldsa87_seed-only.der", WC_ML_DSA_87, 1, 1, 1, 0}, + /* ALGO=ML-DSA-87, OUT_FORM=priv-only, OUT_FILE=mldsa87_priv-only.der */ + {"certs/mldsa/mldsa87_priv-only.der", WC_ML_DSA_87, 1, 1, 1, 0}, + /* ALGO=ML-DSA-87, OUT_FORM=seed-priv, OUT_FILE=mldsa87_seed-priv.der */ + {"certs/mldsa/mldsa87_seed-priv.der", WC_ML_DSA_87, 1, 1, 1, 0}, + /* ALGO=ML-DSA-87, OUT_FORM=oqskeypair, OUT_FILE=mldsa87_oqskeypair.der */ + {"certs/mldsa/mldsa87_oqskeypair.der", WC_ML_DSA_87, 1, 1, 1, 0}, + /* ALGO=ML-DSA-87, OUT_FORM=bare-seed, OUT_FILE=mldsa87_bare-seed.der */ + {"certs/mldsa/mldsa87_bare-seed.der", WC_ML_DSA_87, 0, 0, 0, 0}, + /* ALGO=ML-DSA-87, OUT_FORM=bare-priv, OUT_FILE=mldsa87_bare-priv.der */ + {"certs/mldsa/mldsa87_bare-priv.der", WC_ML_DSA_87, 0, 0, 0, 0} +}; +#endif + +int test_wc_Dilithium_PrivateKeyDecode_OpenSSL_form(void) +{ + EXPECT_DECLS; + +#if !defined(NO_ASN) && defined(HAVE_PKCS8) && \ + defined(HAVE_DILITHIUM) && defined(WOLFSSL_WC_DILITHIUM) && \ + !defined(WOLFSSL_DILITHIUM_NO_ASN1) && defined(WOLFSSL_ASN_TEMPLATE) + + byte* der = NULL; + size_t derMaxSz = ML_DSA_LEVEL5_BOTH_KEY_DER_SIZE; + size_t derSz = 0; + FILE* fp = NULL; + word32 inOutIdx = 0; + word32 inOutIdx2 = 0; + dilithium_key key; + int expect = 0; + int pkeySz = 0; + byte level = 0; + + ExpectNotNull(der = (byte*) 
XMALLOC(derMaxSz, NULL, + DYNAMIC_TYPE_TMP_BUFFER)); + + for (size_t i = 0; i < sizeof(ossl_form) / sizeof(ossl_form[0]); ++i) { + ExpectNotNull(fp = XFOPEN(ossl_form[i].fileName, "rb")); + ExpectIntGT(derSz = XFREAD(der, 1, derMaxSz, fp), 0); + ExpectIntEQ(XFCLOSE(fp), 0); + + /* Specify a level with PKCS8 format */ + XMEMSET(&key, 0, sizeof(key)); + ExpectIntEQ(wc_dilithium_init(&key), 0); + ExpectIntEQ(wc_dilithium_set_level(&key, ossl_form[i].level), 0); + inOutIdx = 0; + expect = ossl_form[i].p8_lv ? 0 : ASN_PARSE_E; + ExpectIntEQ(wc_Dilithium_PrivateKeyDecode(der, &inOutIdx, &key, + (word32)derSz), expect); + if (expect == 0) { + ExpectIntEQ(wc_dilithium_get_level(&key, &level), 0); + ExpectIntEQ(level, ossl_form[i].level); + } + wc_dilithium_free(&key); + + /* Not specify a level with PKCS8 format */ + XMEMSET(&key, 0, sizeof(key)); + ExpectIntEQ(wc_dilithium_init(&key), 0); + inOutIdx = 0; + expect = ossl_form[i].p8_nolv ? 0 : ASN_PARSE_E; + ExpectIntEQ(wc_Dilithium_PrivateKeyDecode(der, &inOutIdx, &key, + (word32)derSz), expect); + if (expect == 0) { + ExpectIntEQ(wc_dilithium_get_level(&key, &level), 0); + ExpectIntEQ(level, ossl_form[i].level); + } + wc_dilithium_free(&key); + + /* Specify a level with traditional format */ + XMEMSET(&key, 0, sizeof(key)); + ExpectIntEQ(wc_dilithium_init(&key), 0); + ExpectIntEQ(wc_dilithium_set_level(&key, ossl_form[i].level), 0); + inOutIdx = 0; + expect = ossl_form[i].trad_lv ? 
0 : ASN_PARSE_E; + ExpectIntGT(pkeySz = wc_GetPkcs8TraditionalOffset(der, &inOutIdx, + (word32)derSz), 0); + inOutIdx2 = 0; + ExpectIntEQ(wc_Dilithium_PrivateKeyDecode(der + inOutIdx, &inOutIdx2, + &key, (word32)pkeySz), expect); + if (expect == 0) { + ExpectIntEQ(wc_dilithium_get_level(&key, &level), 0); + ExpectIntEQ(level, ossl_form[i].level); + } + wc_dilithium_free(&key); + + /* Not specify a level with traditional format */ + XMEMSET(&key, 0, sizeof(key)); + ExpectIntEQ(wc_dilithium_init(&key), 0); + inOutIdx = 0; + expect = ossl_form[i].trad_nolv ? 0 : ASN_PARSE_E; + ExpectIntGT(pkeySz = wc_GetPkcs8TraditionalOffset(der, &inOutIdx, + (word32)derSz), 0); + inOutIdx2 = 0; + ExpectIntEQ(wc_Dilithium_PrivateKeyDecode(der + inOutIdx, &inOutIdx2, + &key, (word32)pkeySz), expect); + if (expect == 0) { + ExpectIntEQ(wc_dilithium_get_level(&key, &level), 0); + ExpectIntEQ(level, ossl_form[i].level); + } + wc_dilithium_free(&key); + } + + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + return EXPECT_RESULT(); +} + +int test_mldsa_pkcs8_import_OpenSSL_form(void) +{ + EXPECT_DECLS; +#if !defined(NO_ASN) && defined(HAVE_PKCS8) && \ + defined(HAVE_DILITHIUM) && defined(WOLFSSL_WC_DILITHIUM) && \ + !defined(WOLFSSL_DILITHIUM_NO_ASN1) && defined(WOLFSSL_ASN_TEMPLATE) && \ + !defined(NO_TLS) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + + byte* der = NULL; + size_t derMaxSz = ML_DSA_LEVEL5_BOTH_KEY_DER_SIZE; + size_t derSz = 0; + WOLFSSL_CTX* ctx = NULL; + FILE* fp = NULL; +#ifdef WOLFSSL_DER_TO_PEM + byte* pem = NULL; + size_t pemMaxSz = ML_DSA_LEVEL5_BOTH_KEY_PEM_SIZE; + size_t pemSz = 0; +#endif /* WOLFSSL_DER_TO_PEM */ + int expect = 0; + + ExpectNotNull(der = (byte*) XMALLOC(derMaxSz, NULL, + DYNAMIC_TYPE_TMP_BUFFER)); +#ifdef WOLFSSL_DER_TO_PEM + ExpectNotNull(pem = (byte*) XMALLOC(pemMaxSz, NULL, + DYNAMIC_TYPE_TMP_BUFFER)); +#endif /* WOLFSSL_DER_TO_PEM */ + +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = 
wolfSSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#endif /* NO_WOLFSSL_SERVER */ + + for (size_t i = 0; i < sizeof(ossl_form) / sizeof(ossl_form[0]); ++i) { + ExpectNotNull(fp = XFOPEN(ossl_form[i].fileName, "rb")); + ExpectIntGT(derSz = XFREAD(der, 1, derMaxSz, fp), 0); + ExpectIntEQ(XFCLOSE(fp), 0); + + /* DER */ + expect = ossl_form[i].p8_nolv ? WOLFSSL_SUCCESS : WOLFSSL_BAD_FILE; + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz, + WOLFSSL_FILETYPE_ASN1), expect); + +#ifdef WOLFSSL_DER_TO_PEM + /* PEM */ + ExpectIntGT(pemSz = wc_DerToPem(der, (word32)derSz, pem, + (word32)pemMaxSz, PKCS8_PRIVATEKEY_TYPE), 0); + expect = ossl_form[i].p8_nolv ? WOLFSSL_SUCCESS : ASN_PARSE_E; + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, pem, pemSz, + WOLFSSL_FILETYPE_PEM), expect); +#endif /* WOLFSSL_DER_TO_PEM */ + } + + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#ifdef WOLFSSL_DER_TO_PEM + XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif /* WOLFSSL_DER_TO_PEM */ +#endif + return EXPECT_RESULT(); +} + +int test_mldsa_pkcs8_export_import_wolfSSL_form(void) { EXPECT_DECLS; #if !defined(NO_ASN) && defined(HAVE_PKCS8) && \ @@ -16676,10 +16888,8 @@ int test_mldsa_pkcs8(void) byte* temp = NULL; /* Store PEM or intermediate key */ word32 derSz = 0; word32 pemSz = 0; - word32 keySz = 0; dilithium_key mldsa_key; WC_RNG rng; - word32 size; int ret; struct { 
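Review bot: `test_mldsa_pkcs8_import_OpenSSL_form` (hunk `@@ -16658,7 +16658,219 @@`) creates `ctx` with `wolfSSL_CTX_new()` and never releases it; add `wolfSSL_CTX_free(ctx);` before the `XFREE(der, ...)` at the end of the function. Both new tests declare `FILE* fp` and call `XFOPEN`/`XFREAD` although their `#if` has no `NO_FILESYSTEM` condition, so `XFILE fp = XBADFILE;` together with `!defined(NO_FILESYSTEM)` in the guard would match the wrappers they use. The `ossl_form` table holds only well-formed OpenSSL output; a seed-only file with a seed of the wrong length and a seed-priv file whose expanded key does not belong to the seed would pin the decoder's rejection paths.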
@@ -16746,43 +16956,6 @@ int test_mldsa_pkcs8(void) ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); -#ifdef WOLFSSL_DER_TO_PEM - ExpectIntGT(pemSz = wc_DerToPem(der, derSz, temp, tempMaxSz, - PKCS8_PRIVATEKEY_TYPE), 0); - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, temp, pemSz, - WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); -#endif /* WOLFSSL_DER_TO_PEM */ - } - - /* Test private + public key (integrated format) */ - for (i = 0; i < sizeof(test_variant) / sizeof(test_variant[0]); ++i) { - ExpectIntEQ(wc_dilithium_set_level(&mldsa_key, test_variant[i].wcId), - 0); - ExpectIntEQ(wc_dilithium_make_key(&mldsa_key, &rng), 0); - - if (EXPECT_FAIL()) - break; - - keySz = 0; - temp[0] = 0x04; /* ASN.1 OCTET STRING */ - temp[1] = 0x82; /* 2 bytes length field */ - temp[2] = (test_variant[i].keySz >> 8) & 0xff; /* MSB of the length */ - temp[3] = test_variant[i].keySz & 0xff; /* LSB of the length */ - keySz += 4; - size = tempMaxSz - keySz; - ExpectIntEQ(wc_dilithium_export_private(&mldsa_key, temp + keySz, - &size), 0); - keySz += size; - size = tempMaxSz - keySz; - ExpectIntEQ(wc_dilithium_export_public(&mldsa_key, temp + keySz, &size), - 0); - keySz += size; - derSz = derMaxSz; - ExpectIntGT(wc_CreatePKCS8Key(der, &derSz, temp, keySz, - test_variant[i].oidSum, NULL, 0), 0); - ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz, - WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); - #ifdef WOLFSSL_DER_TO_PEM ExpectIntGT(pemSz = wc_DerToPem(der, derSz, temp, tempMaxSz, PKCS8_PRIVATEKEY_TYPE), 0); diff --git a/tests/api/test_mldsa.h b/tests/api/test_mldsa.h index d1322e571..488c3a2b3 100644 --- a/tests/api/test_mldsa.h +++ b/tests/api/test_mldsa.h 
@@ -35,22 +35,26 @@ int test_wc_dilithium_der(void); int test_wc_dilithium_make_key_from_seed(void); int test_wc_dilithium_sig_kats(void); int test_wc_dilithium_verify_kats(void); -int test_mldsa_pkcs8(void); +int test_wc_Dilithium_PrivateKeyDecode_OpenSSL_form(void); +int test_mldsa_pkcs8_import_OpenSSL_form(void); +int test_mldsa_pkcs8_export_import_wolfSSL_form(void); int test_mldsa_pkcs12(void); -#define TEST_MLDSA_DECLS \ - TEST_DECL_GROUP("mldsa", test_wc_dilithium), \ - TEST_DECL_GROUP("mldsa", test_wc_dilithium_make_key), \ - TEST_DECL_GROUP("mldsa", test_wc_dilithium_sign), \ - TEST_DECL_GROUP("mldsa", test_wc_dilithium_verify), \ - TEST_DECL_GROUP("mldsa", test_wc_dilithium_sign_vfy), \ - TEST_DECL_GROUP("mldsa", test_wc_dilithium_check_key), \ - TEST_DECL_GROUP("mldsa", test_wc_dilithium_public_der_decode), \ - TEST_DECL_GROUP("mldsa", test_wc_dilithium_der), \ - TEST_DECL_GROUP("mldsa", test_wc_dilithium_make_key_from_seed), \ - TEST_DECL_GROUP("mldsa", test_wc_dilithium_sig_kats), \ - TEST_DECL_GROUP("mldsa", test_wc_dilithium_verify_kats), \ - TEST_DECL_GROUP("mldsa", test_mldsa_pkcs8), \ +#define TEST_MLDSA_DECLS \ + TEST_DECL_GROUP("mldsa", test_wc_dilithium), \ + TEST_DECL_GROUP("mldsa", test_wc_dilithium_make_key), \ + TEST_DECL_GROUP("mldsa", test_wc_dilithium_sign), \ + TEST_DECL_GROUP("mldsa", test_wc_dilithium_verify), \ + TEST_DECL_GROUP("mldsa", test_wc_dilithium_sign_vfy), \ + TEST_DECL_GROUP("mldsa", test_wc_dilithium_check_key), \ + TEST_DECL_GROUP("mldsa", test_wc_dilithium_public_der_decode), \ + TEST_DECL_GROUP("mldsa", test_wc_dilithium_der), \ + TEST_DECL_GROUP("mldsa", test_wc_dilithium_make_key_from_seed), \ + TEST_DECL_GROUP("mldsa", test_wc_dilithium_sig_kats), \ + TEST_DECL_GROUP("mldsa", test_wc_dilithium_verify_kats), \ + TEST_DECL_GROUP("mldsa", test_wc_Dilithium_PrivateKeyDecode_OpenSSL_form), \ + TEST_DECL_GROUP("mldsa", test_mldsa_pkcs8_import_OpenSSL_form), \ + TEST_DECL_GROUP("mldsa", 
test_mldsa_pkcs8_export_import_wolfSSL_form), \ TEST_DECL_GROUP("mldsa", test_mldsa_pkcs12) #endif /* WOLFCRYPT_TEST_MLDSA_H */ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 83159ad65..bd448c355 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -36991,6 +36991,7 @@ int wc_EccKeyToPKCS8(ecc_key* key, byte* output, /* ASN.1 template for a general asymmetric private key: Ed25519, Ed448, * falcon, dilithium, etc. * RFC 8410, 7 - Private Key Format (but public value is EXPLICIT OCTET_STRING) + * Check draft-ietf-lamps-dilithium-certificates of draft RFC also. */ static const ASNItem privateKeyASN[] = { /* SEQ */ { 0, ASN_SEQUENCE, 1, 1, 0 }, @@ -37001,9 +37002,13 @@ static const ASNItem privateKeyASN[] = { /* PKEYALGO_OID */ { 2, ASN_OBJECT_ID, 0, 0, 1 }, /* privateKey */ /* PKEY */ { 1, ASN_OCTET_STRING, 0, 1, 0 }, - /* CurvePrivateKey */ + /* CurvePrivateKey */ /* PKEY_CURVEPKEY */ { 2, ASN_OCTET_STRING, 0, 0, 2 }, -/* PKEY_MLDSASEQ */ { 2, ASN_SEQUENCE, 1, 0, 2 }, +/* PKEY_SEED_ONLY */ { 2, ASN_CONTEXT_SPECIFIC | ASN_PKEY_SEED, + 0, 0, 2 }, +/* PKEY_BOTH_SEQ */ { 2, ASN_SEQUENCE, 1, 1, 2 }, +/* PKEY_BOTH_SEED */ { 3, ASN_OCTET_STRING, 0, 0, 0 }, +/* PKEY_BOTH_KEY */ { 3, ASN_OCTET_STRING, 0, 0, 0 }, /* attributes */ /* ATTRS */ { 1, ASN_CONTEXT_SPECIFIC | ASN_ASYMKEY_ATTRS, 1, 1, 1 }, /* publicKey */ @@ -37016,7 +37021,10 @@ enum { PRIVKEYASN_IDX_PKEYALGO_OID, PRIVKEYASN_IDX_PKEY, PRIVKEYASN_IDX_PKEY_CURVEPKEY, - PRIVKEYASN_IDX_PKEY_MLDSASEQ, + PRIVKEYASN_IDX_PKEY_SEED_ONLY, + PRIVKEYASN_IDX_PKEY_BOTH_SEQ, + PRIVKEYASN_IDX_PKEY_BOTH_SEED, + PRIVKEYASN_IDX_PKEY_BOTH_KEY, PRIVKEYASN_IDX_ATTRS, PRIVKEYASN_IDX_PUBKEY }; 
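Review bot: The four rows added to `privateKeyASN` in hunk `@@ -37001,9 +37002,13 @@` have no comment saying which encoding each one matches, and this template is shared by every algorithm named in the comment above it (Ed25519, Ed448, falcon, dilithium). A comment above `PKEY_SEED_ONLY` such as `/* ML-DSA privateKey CHOICE: seed [0] OCTET STRING | expandedKey OCTET STRING | both SEQUENCE { seed, expandedKey } */` would make the mapping explicit. It should also say that the seed and both forms are accepted only when the caller of `DecodeAsymKey_Assign` passes `seed`/`seedLen`, since nothing in the template ties them to an ML-DSA OID.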
@@ -37033,9 +37041,11 @@ enum { int DecodeAsymKey_Assign(const byte* input, word32* inOutIdx, word32 inSz, + const byte** seed, word32* seedLen, const byte** privKey, word32* privKeyLen, const byte** pubKey, word32* pubKeyLen, int* inOutKeyType) { + int allowSeed = 0; #ifndef WOLFSSL_ASN_TEMPLATE word32 oid; int version, length, endKeyIdx, privSz, pubSz; @@ -37048,14 +37058,27 @@ int DecodeAsymKey_Assign(const byte* input, word32* inOutIdx, word32 inSz, #endif if (input == NULL || inOutIdx == NULL || inSz == 0 || - privKey == NULL || privKeyLen == NULL || inOutKeyType == NULL) { + privKey == NULL || privKeyLen == NULL || + pubKey == NULL || pubKeyLen == NULL || + inOutKeyType == NULL) { #ifdef WOLFSSL_ASN_TEMPLATE FREE_ASNGETDATA(dataASN, NULL); #endif return BAD_FUNC_ARG; } + if ((seed == NULL && seedLen != NULL) || + (seed != NULL && seedLen == NULL)) { + return BAD_FUNC_ARG; + } + + allowSeed = (seed != NULL && seedLen != NULL); #ifndef WOLFSSL_ASN_TEMPLATE + /* The seed can't be parsed without WOLF_ASN_TEMPLATE */ + if (allowSeed) { + return ASN_PARSE_E; + } + if (GetSequence(input, inOutIdx, &length, inSz) >= 0) { endKeyIdx = (int)*inOutIdx + length; @@ -37083,13 +37106,7 @@ int DecodeAsymKey_Assign(const byte* input, word32* inOutIdx, word32 inSz, return ASN_PARSE_E; if (GetOctetString(input, inOutIdx, &privSz, inSz) < 0) { - if (oid != ML_DSA_LEVEL2k && oid != ML_DSA_LEVEL3k && - oid != ML_DSA_LEVEL5k) { - return ASN_PARSE_E; - } - if (GetSequence(input, inOutIdx, &privSz, inSz) < 0) { - return ASN_PARSE_E; - } + return ASN_PARSE_E; } priv = input + *inOutIdx; 
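Review bot: In the argument check of `DecodeAsymKey_Assign` (hunk `@@ -37048,14 +37058,27 @@`) `pubKey` and `pubKeyLen` become mandatory, so a caller that used to pass NULL for them now gets `BAD_FUNC_ARG`; the callers are not visible here, so this needs checking against each of them and stating in the function's header comment together with the new `seed`/`seedLen` pair. The second early return, for a mismatched `seed`/`seedLen`, skips the `FREE_ASNGETDATA(dataASN, NULL)` that the first one performs under `WOLFSSL_ASN_TEMPLATE`; folding the pair check into the first condition keeps a single exit path. The comment in the non-template branch names `WOLF_ASN_TEMPLATE`, which should read `WOLFSSL_ASN_TEMPLATE`.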
@@ -37150,53 +37167,69 @@ int DecodeAsymKey_Assign(const byte* input, word32* inOutIdx, word32 inSz, } /* Parse full private key. */ - ret = GetASN_Items(privateKeyASN, dataASN, privateKeyASN_Length, 1, input, - inOutIdx, inSz); - if (ret != 0) { - /* Parse just the OCTET_STRING. */ + ret = GetASN_Items(privateKeyASN, dataASN, privateKeyASN_Length, 1, + input, inOutIdx, inSz); + if (ret == 0) { + /* Store detected OID if requested */ + if (ret == 0 && *inOutKeyType == ANONk) { + *inOutKeyType = + (int)dataASN[PRIVKEYASN_IDX_PKEYALGO_OID].data.oid.sum; + } + } + /* Parse traditional format (a part of full private key). */ + else if (ret != 0) { ret = GetASN_Items(&privateKeyASN[PRIVKEYASN_IDX_PKEY_CURVEPKEY], - &dataASN[PRIVKEYASN_IDX_PKEY_CURVEPKEY], 1, 0, input, - inOutIdx, inSz); + &dataASN[PRIVKEYASN_IDX_PKEY_CURVEPKEY], + PRIVKEYASN_IDX_ATTRS - PRIVKEYASN_IDX_PKEY_CURVEPKEY, 0, + input, inOutIdx, inSz); if (ret != 0) { ret = ASN_PARSE_E; } } - - /* Store detected OID if requested */ - if (ret == 0 && *inOutKeyType == ANONk) { - *inOutKeyType = - (int)dataASN[PRIVKEYASN_IDX_PKEYALGO_OID].data.oid.sum; + } + if (ret == 0) { + /* priv-only */ + if (dataASN[PRIVKEYASN_IDX_PKEY_CURVEPKEY].data.ref.length != 0) { + if (allowSeed) { + *seedLen = 0; + *seed = NULL; + } + *privKeyLen + = dataASN[PRIVKEYASN_IDX_PKEY_CURVEPKEY].data.ref.length; + *privKey = dataASN[PRIVKEYASN_IDX_PKEY_CURVEPKEY].data.ref.data; } - } - if (ret == 0 && dataASN[PRIVKEYASN_IDX_PKEY_CURVEPKEY].data.ref.length != 0) { - /* Import private value. 
*/ - *privKeyLen = dataASN[PRIVKEYASN_IDX_PKEY_CURVEPKEY].data.ref.length; - *privKey = dataASN[PRIVKEYASN_IDX_PKEY_CURVEPKEY].data.ref.data; - } - else if (ret == 0 && - dataASN[PRIVKEYASN_IDX_PKEY_MLDSASEQ].data.ref.length != 0) { - if (*inOutKeyType != ML_DSA_LEVEL2k && - *inOutKeyType != ML_DSA_LEVEL3k && - *inOutKeyType != ML_DSA_LEVEL5k) { - ret = ASN_PARSE_E; + /* seed-only */ + else if (allowSeed && + dataASN[PRIVKEYASN_IDX_PKEY_SEED_ONLY].data.ref.length != 0) { + *seedLen = dataASN[PRIVKEYASN_IDX_PKEY_SEED_ONLY].data.ref.length; + *seed = dataASN[PRIVKEYASN_IDX_PKEY_SEED_ONLY].data.ref.data; + *privKeyLen = 0; + *privKey = NULL; + } + /* seed-priv */ + else if (allowSeed && + dataASN[PRIVKEYASN_IDX_PKEY_BOTH_SEQ].data.ref.length != 0) { + *seedLen = dataASN[PRIVKEYASN_IDX_PKEY_BOTH_SEED].data.ref.length; + *seed = dataASN[PRIVKEYASN_IDX_PKEY_BOTH_SEED].data.ref.data; + *privKeyLen = dataASN[PRIVKEYASN_IDX_PKEY_BOTH_KEY].data.ref.length; + *privKey = dataASN[PRIVKEYASN_IDX_PKEY_BOTH_KEY].data.ref.data; } else { - /* Import private value. */ - *privKeyLen = dataASN[PRIVKEYASN_IDX_PKEY_MLDSASEQ].data.ref.length; - *privKey = dataASN[PRIVKEYASN_IDX_PKEY_MLDSASEQ].data.ref.data; + ret = ASN_PARSE_E; } } - if ((ret == 0) && dataASN[PRIVKEYASN_IDX_PUBKEY].tag == 0) { - /* Set public length to 0 as not seen. */ - if (pubKeyLen != NULL) - *pubKeyLen = 0; - } - else if (ret == 0) { - /* Import public value. */ - if (pubKeyLen != NULL) + + if (ret == 0) { + if (dataASN[PRIVKEYASN_IDX_PUBKEY].data.ref.length != 0) { + /* Import public value. */ *pubKeyLen = dataASN[PRIVKEYASN_IDX_PUBKEY].data.ref.length; - if (pubKey != NULL && pubKeyLen != NULL) *pubKey = dataASN[PRIVKEYASN_IDX_PUBKEY].data.ref.data; + } + else { + /* Set public length to 0 as not seen. */ + *pubKeyLen = 0; + *pubKey = NULL; + } } FREE_ASNGETDATA(dataASN, NULL); 
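Review bot: After a failed full parse, the fallback `GetASN_Items` call reuses `dataASN` without clearing it, and the branches that follow pick the key form from `data.ref.length` of entries, including `PRIVKEYASN_IDX_PUBKEY`, which the fallback never parses. Whether a failed parse can leave lengths behind depends on `GetASN_Items`, which is outside this hunk; zeroing the array before the fallback, e.g. `XMEMSET(dataASN, 0, sizeof(ASNGetData) * privateKeyASN_Length);`, removes the question. The `ret == 0 &&` inside `if (ret == 0)` and the `else if (ret != 0)` are redundant and can become a plain `else`. The seed and key lengths are handed back unchecked, so the function's header comment should say that the caller has to validate them.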
@@ -37219,8 +37252,8 @@ int DecodeAsymKey(const byte* input, word32* inOutIdx, word32 inSz, } if (ret == 0) { - ret = DecodeAsymKey_Assign(input, inOutIdx, inSz, &privKeyPtr, - &privKeyPtrLen, &pubKeyPtr, &pubKeyPtrLen, &keyType); + ret = DecodeAsymKey_Assign(input, inOutIdx, inSz, NULL, NULL, + &privKeyPtr, &privKeyPtrLen, &pubKeyPtr, &pubKeyPtrLen, &keyType); } if ((ret == 0) && (privKeyPtrLen > *privKeyLen)) { ret = BUFFER_E; @@ -37606,10 +37639,11 @@ int SetAsymKeyDer(const byte* privKey, word32 privKeyLen, oidKeyType); /* Leave space for private key. */ SetASN_Buffer(&dataASN[PRIVKEYASN_IDX_PKEY_CURVEPKEY], NULL, privKeyLen); + /* Don't write ML-DSA specific things. */ + SetASNItem_NoOut(dataASN, PRIVKEYASN_IDX_PKEY_SEED_ONLY, + PRIVKEYASN_IDX_ATTRS); /* Don't write out attributes. */ dataASN[PRIVKEYASN_IDX_ATTRS].noOut = 1; - /* Don't write sequence. */ - dataASN[PRIVKEYASN_IDX_PKEY_MLDSASEQ].noOut = 1; if (pubKey) { /* Leave space for public key. */ SetASN_Buffer(&dataASN[PRIVKEYASN_IDX_PUBKEY], NULL, pubKeyLen); diff --git a/wolfcrypt/src/dilithium.c b/wolfcrypt/src/dilithium.c index ac8e5d810..ea0219c48 100644 --- a/wolfcrypt/src/dilithium.c +++ b/wolfcrypt/src/dilithium.c 
@@ -9659,31 +9659,6 @@ int dilithium_get_oid_sum(dilithium_key* key, int* keyFormat) { #if defined(WOLFSSL_DILITHIUM_PRIVATE_KEY) -/* OCT OCT */ -#define ALT_PRIV_DER_PREFIX (2 + 32 + 4) -/* SEQ [ OCT OCT ] */ -#define ALT_PRIV_DER_PREFIX_SEQ (4 + 2 + 32 + 4) - -/* Get the private only key size for the ML-DSA level/parameter id. - * - * @param [in] level Level of the ML-DSA key. - * @return Private key only encoding size for key level on success. - * @return 0 on failure. - */ -static word32 dilithium_get_priv_size(int level) -{ - switch (level) { - case WC_ML_DSA_44: - return ML_DSA_LEVEL2_KEY_SIZE; - case WC_ML_DSA_65: - return ML_DSA_LEVEL3_KEY_SIZE; - case WC_ML_DSA_87: - return ML_DSA_LEVEL5_KEY_SIZE; - default: - return 0; - } -} - /* Decode the DER encoded Dilithium key. * * @param [in] input Array holding DER encoded data. @@ -9708,11 +9683,14 @@ int wc_Dilithium_PrivateKeyDecode(const byte* input, word32* inOutIdx, dilithium_key* key, word32 inSz) { int ret = 0; + const byte* seed = NULL; const byte* privKey = NULL; const byte* pubKey = NULL; + word32 seedLen = 0; word32 privKeyLen = 0; word32 pubKeyLen = 0; int keyType = 0; + int autoKeyType = ANONk; /* Validate parameters. */ if ((input == NULL) || (inOutIdx == NULL) || (key == NULL) || (inSz == 0)) { 
@@ -9756,34 +9734,45 @@ int wc_Dilithium_PrivateKeyDecode(const byte* input, word32* inOutIdx, if (ret == 0) { /* Decode the asymmetric key and get out private and public key data. */ +#ifndef WOLFSSL_ASN_TEMPLATE ret = DecodeAsymKey_Assign(input, inOutIdx, inSz, + NULL, NULL, &privKey, &privKeyLen, - &pubKey, &pubKeyLen, &keyType); - if (ret == 0 -#ifdef WOLFSSL_WC_DILITHIUM - && key->params == NULL -#endif - ) { + &pubKey, &pubKeyLen, &autoKeyType); +#else + ret = DecodeAsymKey_Assign(input, inOutIdx, inSz, + &seed, &seedLen, + &privKey, &privKeyLen, + &pubKey, &pubKeyLen, &autoKeyType); +#endif /* WOLFSSL_ASN_TEMPLATE */ + } + + if (ret == 0) { + if (keyType == ANONk && autoKeyType != ANONk) { /* Set the security level based on the decoded key. */ - ret = mapOidToSecLevel(keyType); + ret = mapOidToSecLevel(autoKeyType); if (ret > 0) { ret = wc_dilithium_set_level(key, (byte)ret); } } - /* If it failed to decode try alternative DER encoding. */ - else if (ret != 0) { - word32 levelSize = dilithium_get_priv_size(key->level); - privKey = input + *inOutIdx; - privKeyLen = inSz - *inOutIdx; - - /* Check for an alternative DER encoding. */ - if (privKeyLen == ALT_PRIV_DER_PREFIX_SEQ + levelSize) { - privKey += ALT_PRIV_DER_PREFIX_SEQ; - privKeyLen -= ALT_PRIV_DER_PREFIX_SEQ; + else if (keyType != ANONk && autoKeyType != ANONk) { + if (keyType == autoKeyType) ret = 0; - } + else + ret = ASN_PARSE_E; + } + else if (keyType != ANONk && autoKeyType == ANONk) { + ret = 0; + } + else { /* keyType == ANONk && autoKeyType == ANONk */ + /* + * When decoding traditional format with not specifying a level will + * cause this error. + */ + ret = ASN_PARSE_E; } } + if ((ret == 0) && (pubKey == NULL) && (pubKeyLen == 0)) { /* Check if the public key is included in the private key. */ #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) 
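Review bot: The four-way comparison of `keyType` and `autoKeyType` assigns `ret = 0` in two branches that are only reached when `ret` is already 0, and the `if (keyType == autoKeyType)` / `else` pair is unbraced. Keeping only the two failing cases reads more directly: `else if (keyType != ANONk && autoKeyType != ANONk && keyType != autoKeyType) { ret = ASN_PARSE_E; }` followed by `else if (keyType == ANONk && autoKeyType == ANONk) { ret = ASN_PARSE_E; }`. How `keyType` is derived from a level preset on the key lies outside this hunk, so the mismatch rejection should be confirmed against that code.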
@@ -9828,32 +9817,39 @@ int wc_Dilithium_PrivateKeyDecode(const byte* input, word32* inOutIdx, pubKeyLen = ML_DSA_LEVEL5_PUB_KEY_SIZE; privKeyLen -= ML_DSA_LEVEL5_PUB_KEY_SIZE; } - else { - word32 levelSize = dilithium_get_priv_size(key->level); - - if (privKeyLen == ALT_PRIV_DER_PREFIX + levelSize) { - privKey += ALT_PRIV_DER_PREFIX; - privKeyLen -= ALT_PRIV_DER_PREFIX; - } - } } if (ret == 0) { - /* Check whether public key data was found. */ -#if defined(WOLFSSL_DILITHIUM_PUBLIC_KEY) - if (pubKeyLen == 0) + /* Generate a key pair if seed exists and decoded key pair is ignored */ + if (seedLen != 0) { +#if defined(WOLFSSL_WC_DILITHIUM) + if (seedLen == DILITHIUM_SEED_SZ) { + ret = wc_dilithium_make_key_from_seed(key, seed); + } + else { + ret = ASN_PARSE_E; + } +#else + ret = NOT_COMPILED_IN; #endif - { - /* No public key data, only import private key data. */ - ret = wc_dilithium_import_private(privKey, privKeyLen, key); } #if defined(WOLFSSL_DILITHIUM_PUBLIC_KEY) - else { + /* Check whether public key data was found. */ + else if (pubKeyLen != 0 && privKeyLen != 0) { /* Import private and public key data. */ ret = wc_dilithium_import_key(privKey, privKeyLen, pubKey, pubKeyLen, key); } #endif + else if (pubKeyLen == 0 && privKeyLen != 0) + { + /* No public key data, only import private key data. */ + ret = wc_dilithium_import_private(privKey, privKeyLen, key); + } + else { + /* Not a problem of ASN.1 structure, but the contents is invalid */ + ret = ASN_PARSE_E; + } } (void)pubKey; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 136735876..cffd587e3 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -204,7 +204,10 @@ enum ASN_Tags { /* OneAsymmetricKey Fields */ ASN_ASYMKEY_ATTRS = 0x00, - ASN_ASYMKEY_PUBKEY = 0x01 + ASN_ASYMKEY_PUBKEY = 0x01, + + /* PKEY Fields */ + ASN_PKEY_SEED = 0x00 }; /* NOTE: If ASN_UTC_TIME_SIZE or ASN_GENERALIZED_TIME_SIZE are ever modified 
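Review bot: In the `seedLen != 0` branch the expanded key of a seed-priv ("both") encoding is discarded without being compared to the key derived from the seed, so a file whose two parts disagree loads without error. The draft cited in the asn.c comment (draft-ietf-lamps-dilithium-certificates) describes, as I read it, a seed consistency check for this form with rejection on mismatch; a sketch follows. Separately, with `WOLFSSL_DILITHIUM_PUBLIC_KEY` undefined a key that carries a public part now falls into the final `else` and returns `ASN_PARSE_E`, where the removed code imported the private part; if that is not intended, the last `else if` should test only `privKeyLen != 0` in such builds. The function body starts outside this hunk.

```c
        if (seedLen != 0) {
            /* … unchanged: DILITHIUM_SEED_SZ check and wc_dilithium_make_key_from_seed() … */
            if ((ret == 0) && (privKeyLen != 0)) {
                /* "both" form: the encoded expanded key must equal the one
                 * derived from the seed. */
                word32 chkLen = privKeyLen;
                byte* chk = (byte*)XMALLOC(chkLen, NULL,
                    DYNAMIC_TYPE_TMP_BUFFER);
                if (chk == NULL) {
                    ret = MEMORY_E;
                }
                else {
                    ret = wc_dilithium_export_private(key, chk, &chkLen);
                    if ((ret == 0) && ((chkLen != privKeyLen) ||
                            (ConstantCompare(chk, privKey,
                                (int)privKeyLen) != 0))) {
                        ret = ASN_PARSE_E;
                    }
                    /* The scratch copy holds private key material. */
                    ForceZero(chk, privKeyLen);
                    XFREE(chk, NULL, DYNAMIC_TYPE_TMP_BUFFER);
                }
            }
        }
```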
@@ -2727,8 +2730,9 @@ WOLFSSL_LOCAL int VerifyX509Acert(const byte* cert, word32 certSz, || (defined(HAVE_CURVE448) && defined(HAVE_CURVE448_KEY_IMPORT)) \ || defined(HAVE_FALCON) || defined(HAVE_DILITHIUM) || defined(HAVE_SPHINCS)) WOLFSSL_LOCAL int DecodeAsymKey_Assign(const byte* input, word32* inOutIdx, - word32 inSz, const byte** privKey, word32* privKeyLen, const byte** pubKey, - word32* pubKeyLen, int* inOutKeyType); + word32 inSz, const byte** seed, word32* seedLen, const byte** privKey, + word32* privKeyLen, const byte** pubKey, word32* pubKeyLen, + int* inOutKeyType); WOLFSSL_LOCAL int DecodeAsymKey(const byte* input, word32* inOutIdx, word32 inSz, byte* privKey, word32* privKeyLen, byte* pubKey, From 778dcbaafb28ae80a8478b13648d944069372664 Mon Sep 17 00:00:00 2001 
From: Koji Takeda Date: Mon, 14 Jul 2025 11:00:36 +0900 Subject: [PATCH 2/4] Add test data --- certs/include.am | 1 + certs/mldsa/include.am | 23 +++++++++++++++++++++++ certs/mldsa/mldsa44_bare-priv.der | Bin 0 -> 2584 bytes certs/mldsa/mldsa44_bare-seed.der | Bin 0 -> 52 bytes certs/mldsa/mldsa44_oqskeypair.der | Bin 0 -> 3900 bytes certs/mldsa/mldsa44_priv-only.der | Bin 0 -> 2588 bytes certs/mldsa/mldsa44_seed-only.der | Bin 0 -> 54 bytes certs/mldsa/mldsa44_seed-priv.der | Bin 0 -> 2626 bytes certs/mldsa/mldsa65_bare-priv.der | Bin 0 -> 4056 bytes certs/mldsa/mldsa65_bare-seed.der | Bin 0 -> 52 bytes certs/mldsa/mldsa65_oqskeypair.der | Bin 0 -> 6012 bytes certs/mldsa/mldsa65_priv-only.der | Bin 0 -> 4060 bytes certs/mldsa/mldsa65_seed-only.der | Bin 0 -> 54 bytes certs/mldsa/mldsa65_seed-priv.der | Bin 0 -> 4098 bytes certs/mldsa/mldsa87_bare-priv.der | Bin 0 -> 4920 bytes certs/mldsa/mldsa87_bare-seed.der | Bin 0 -> 52 bytes certs/mldsa/mldsa87_oqskeypair.der | Bin 0 -> 7516 bytes certs/mldsa/mldsa87_priv-only.der | Bin 0 -> 4924 bytes certs/mldsa/mldsa87_seed-only.der | Bin 0 -> 54 bytes certs/mldsa/mldsa87_seed-priv.der | Bin 0 -> 4962 bytes 20 files changed, 24 insertions(+) create mode 100644 certs/mldsa/include.am create mode 100644 certs/mldsa/mldsa44_bare-priv.der create mode 100644 certs/mldsa/mldsa44_bare-seed.der create mode 100644 certs/mldsa/mldsa44_oqskeypair.der create mode 100644 certs/mldsa/mldsa44_priv-only.der create mode 100644 certs/mldsa/mldsa44_seed-only.der create mode 100644 certs/mldsa/mldsa44_seed-priv.der create mode 100644 certs/mldsa/mldsa65_bare-priv.der create mode 100644 certs/mldsa/mldsa65_bare-seed.der create mode 100644 certs/mldsa/mldsa65_oqskeypair.der create mode 100644 certs/mldsa/mldsa65_priv-only.der create mode 100644 certs/mldsa/mldsa65_seed-only.der create mode 100644 certs/mldsa/mldsa65_seed-priv.der create mode 100644 certs/mldsa/mldsa87_bare-priv.der create mode 100644 certs/mldsa/mldsa87_bare-seed.der create 
mode 100644 certs/mldsa/mldsa87_oqskeypair.der create mode 100644 certs/mldsa/mldsa87_priv-only.der create mode 100644 certs/mldsa/mldsa87_seed-only.der create mode 100644 certs/mldsa/mldsa87_seed-priv.der diff --git a/certs/include.am b/certs/include.am index 90e66c997..e4f6a0e6c 100644 --- a/certs/include.am +++ b/certs/include.am @@ -152,4 +152,5 @@ include certs/dilithium/include.am include certs/sphincs/include.am include certs/rpk/include.am include certs/acert/include.am +include certs/mldsa/include.am diff --git a/certs/mldsa/include.am b/certs/mldsa/include.am new file mode 100644 index 000000000..94868dc61 --- /dev/null +++ b/certs/mldsa/include.am @@ -0,0 +1,23 @@ +# vim:ft=automake +# All paths should be given relative to the root +# + +EXTRA_DIST += \ + certs/mldsa/mldsa44_seed-only.der \ + certs/mldsa/mldsa44_priv-only.der \ + certs/mldsa/mldsa44_seed-priv.der \ + certs/mldsa/mldsa44_oqskeypair.der \ + certs/mldsa/mldsa44_bare-seed.der \ + certs/mldsa/mldsa44_bare-priv.der \ + certs/mldsa/mldsa65_seed-only.der \ + certs/mldsa/mldsa65_priv-only.der \ + certs/mldsa/mldsa65_seed-priv.der \ + certs/mldsa/mldsa65_oqskeypair.der \ + certs/mldsa/mldsa65_bare-seed.der \ + certs/mldsa/mldsa65_bare-priv.der \ + certs/mldsa/mldsa87_seed-only.der \ + certs/mldsa/mldsa87_priv-only.der \ + certs/mldsa/mldsa87_seed-priv.der \ + certs/mldsa/mldsa87_oqskeypair.der \ + certs/mldsa/mldsa87_bare-seed.der \ + certs/mldsa/mldsa87_bare-priv.der 
diff --git a/certs/mldsa/mldsa44_bare-priv.der b/certs/mldsa/mldsa44_bare-priv.der new file mode 100644 index 0000000000000000000000000000000000000000..56a03bf9c1f6a44c7efdf3cd1fbb9dfe78dc046e GIT binary patch literal 2584 zcmXqL;u2wEWH8`n<4kDtU`%CZVHRX*;$n~pVqCr;d*YQ%ZHr#y--}^CbltQ=+dlD8 z&CC+-r^h?&REw8Qei_LgDL32N{A){6lh7ic%a0?r??3*?ieqi#iE4)2E0#Kc80Pj_ z%g^1RA&~Ur{sHb^_s_HFf7qlK<7lrGb9_~tjN{qVSqlz3YU+P@R{id+vFC?0#iKea zlbL2%evDk8619Q%_M(gj25nvw5^jn#2x=-lI^lRjBTdFLFv%pTQGrv6!S&H0&&elz zZ%ZgBx#vh&CUT4MNHV#psCr4b=XJ3)1Twks9BMrv;VLP{&|uUT$db^~lA>&=>C(_~ zLdig;Q;{Xnvw}rIU?QU{=VK#} zCI(hvWiEk}feZ&TyV>{{jRaUkeOZneCbB5Za7yf9>SJPQlU|U(?XD(a*>F=L@YISP z34??g9swMZO$?n0f}9&{^HbntYjR1HYRQo_ZW3PMpe(HG z)#56(Ep>_$3$tq*L!;*fw_F!Do;zxSvm1DVCa9jW@ameP>BJ$xyrETPvuofERfR1D z!XmjhgqRMr@iwx#@GQ#V-d4!n>3PYBg<)l`mx9C11uAzY_&Ckz6<~4T63aQzATZHP z<>G-(86lyAQ#@`cs5HA2FfW`iv7v**IO~o+lG$964rB;UWbp6^e8^G|BjUh3L-E7{o|!IrirX5bHwP?I(vhCP65!Dz z)7aSI<{Ql5d$GyIM`4oWi4G67Mim7&?yZ{LOB!Z7BuqA9d9q34<^<$T6 z;U_klTfX00n!2^F;lj(f?DLIIi?^(MW_A5t`!kV=qB#pT&R*9k@sC?_`m$?3-GXmE zoh`Lw@1hg3pNr>gbW7+gJu1&!S91EH=Z&Yq%IAY5_+D63Pe{iUzT4X<`m?Jp?fQj`789fE zaUO@7-Z9_eYQ3=5cGip6`?lOYl6Nxmiphl6EsrKfPS1G!scrs>mc=20)|)a}z1*%c zuUan0e&^?vJkE1_mnJ;CI4Ss~ zXpx$MQlR|`#nZByre1%i+FdJX&umYPvg2;;o6@{}gPeb0j}LeJISu(W7Y;5B=XqtM z{3LyS?j7$^@%t&WLY}zm>-;cCi>l>w>zl-q5NGPJJ)~~x`b3qjGtSn$6})bB@KT8R zvmZSYEJ}hLXXm~<3~cb@GDCYE*!TD<-xw-$daZP?-QZ+ELrYTOm+-!oE;{yA)5 znfb6-aOx5D>1TA7teffmC+FhSD~7j>9M1>u5U35w4mf>6wCMSn^nGL&nY}(Ikb`@1z<5S&oiEG=gb9dFel8*j-5z!Rh#+eiG>GsR} z>>Xx1OZc9iFRNtuU-rT^bkD7BbwTF;-YjXRFOINB8l02nwV1B)bWh8I^`*Uq>f&2} zozB^}FnFQh_3P@&|8tX9HQ(wl=sMJHkRm^yJM7kJ!5H6XJ}j4eW8%eK*EYsBigt8g zcsQ@RD(Ue)o{ukz8ML|9_qJKA{}XE;%Tp|_2FG_b>9o&?7zP+IDU@3cCx{TMIpxS>#zOY6UMvATRY?W>8YXt z&Qh#-N0%|Yw0e8r*Y@v^|3BHQSY13al5(c%^I3Hzdb--a&FxO`F1U4S#*W$tfA6g| z|Iy2nqxo^2DQ8RydK1;XmZgE!Fe|LSt<0&Vmf8m%YzeGT-I74ser`x+% z+}rZ>V$jh!f7m&i7mDw{7Pw>9KK-5|J@bM`x*h@PC9kIm+0PIC?0u(N;Kp?3cJA{b 
zHsz0;Uxjv9FSZb5iV70WShrNKtvE?v@z!@`<`A(Q)*pYoSI&H%-6uQe!SNsRbp|(o9br0lg(v0xV!PMAx$kHD-S=|7 z`bT~L-mG_Dr1`j>-n5%#9x?d_?_}lA-*mP$CRy2fS@*t7x}kN8Ic2%2O7tl${#m&< zYTkF(ay>sN8t}Y*f627V48jT4@)M2Xbj~tzFJ&zW75OzY*rm*+yynII??Q)u%5LI5 zEqtMP;^ki_4a#0Fs8HM_xT=4fSNrUM+O)Q-_v1hNKWP8OX8Fj}B0al)ddjLN4%VwS zJ)5<&iHpIQc|RY|o~F>(GrqsiXn(hj&u+t`b+eYs?hvT{voz*L&>N5N!p*lA9bmj2 z^!HWlp+LtbAI23+mPH-cmltv0x7;;R@6fIZv9%#Js~aSlAG}^Y!(j3Ect2b5uqT$= z7Ay3YZ%XsFKh$n4-6go&>*_mM-yT0!z6XXns=toem4=*uxj*qj&cs8}7bdf;o86M< GcLo3+O^g@- literal 0 HcmV?d00001 diff --git a/certs/mldsa/mldsa44_bare-seed.der b/certs/mldsa/mldsa44_bare-seed.der new file mode 100644 index 0000000000000000000000000000000000000000..809ef71501e7665459d25cf92fdba029f1f6ba44 GIT binary patch literal 52 zcmXpoVq#=4;AZ1YX!Br9WoBU(WKnSE_^iQlLe)HWTF}yKOZ|gxU8y*;@Va?J!jm+H I;D)3(09sNK2LJ#7 literal 0 HcmV?d00001 
diff --git a/certs/mldsa/mldsa44_oqskeypair.der b/certs/mldsa/mldsa44_oqskeypair.der new file mode 100644 index 0000000000000000000000000000000000000000..4669c183e65869ad2d03c71ff6780d63f267869d GIT binary patch literal 3900 zcmXqL;b~Q zUG?;fZ%O`p+FQY1)Me)<|8zImFFB%7DN_tYj;{O}wprqaZpf*v;f9AN{`HV#{P9xh zmtCj4LSn!p)AKE@hI%t@883geeLK^_aMyKJKSE5Vo#vGKo$_hHb#p1VtTj)f1PnCx zPOjd|G1VbOILdf7V zyOz{)ALULT0adqC4F%jzS&<5y5`q&O4he7@rA98|Sm59j!otC&>GNny3xh?`Z5AHJ zgFXii=_+qlnZwkY#E_A=gyp0g(`*5ODQ;W|8&nuM8oCXbggFhl+f@ZcUA!FB9&Awb zmhg~JPFZ5&>mpEa=@4t9$V5rWo*s?Hq-m_mlX?^cixQQT6x77Z4=F?_F>xwP z@=!2PkZg)v)^bLH<%o#i>>Z6u8VV9jPVp%rffr#2djl^3lT#HRKl_V3KMN;oD zaosp%s30+c*{D^TwIi@aS74!Hw1m#ZX`KN~yo~0WT*6!;j4Ip{awj%Tm}1s8tEp#_ zTgHNhf-VP+MJ6qelmZi&CU7XYFgf&eb!Z&iR?sQNbws2=fWu43g(=0%Wj2d~GlPee zyT%lW-b)jBI@B6?Ci@6Cr9>Z4JY&IeV@g1eO98`9Lx$;%7ba*bX(~i7D3ns@RMP02 zz^25+qB_UGP0HCiziAPcbvkKz+z&wutk-_AeVWE$4!Ua z$xJ%RqA3%dQi7b4CNfM65lQG#(mY@m$l%JRq@=>Lz(<%vp?O-Xh@#sWF_uF|3=T}= z5Hx8yti-^fuA(f;a9V^>kcla6>gIR1U#h>Gb)Z8y-7AE7=G*YP+bu^DTKR8B zm#6&MWmufFZ^i8yoJC0{sy{UXU9!}y#k;>>c(_no-S^w%OBp5Xm*4Pmus2(&|8`8g zyig|Jbi&zC>!g!{t8Bx6$`)81kVx8aT5HM5Yk%zYIkqzXO;Yj^&iYv&uWkRoe-V!* zU$|8w|Ki5RZ3lZ-m9upHKB^;OwzKny;zy>8Br`L`f42{8f4s1BgF}+oZKqmm7f-$k z)$3CGRCeiIuT6*yo^g2Z^@r+5j`(YuCmxOW3uzTUAu4*U^_$9eZ&%J5X|+;8)t+)qlN?8u1r@5EMH8RJ@ zvUi!z6_L&1KfCvWhVItN53>zscMEKj%+)i9*|K-LSKt=^_frcE|MR@wrx#WgKRa+D zn^)_--f22Lckt13tQ*N zJ=0a%Cu7F$e>dc$l(jWd{ew74@F_eR}iPh@57tnRgza(=}Mu@?!m|hP#u> zohvWj-XD2v5~G7V^H#^~9tfcxW48P`ZA-(vg|}9Nyg$DdRhld|qpQYDk0x>q@Wo3m*>ebc;|go32?u z<<9JEql=Y}!9TKR2u17+tg~7w`fN>EORrLHXson_-CK?&;Uk9G<*Ha`S0_I!ci3wG^epS0V>Q$F3LL&{YJ2I-BRBimfj=@MQ#aq$;8d2} zyMD&U{s)I9{n~wJxpef(qmORwe9&_6^45g)ZBKoJr)ImE>!~z0?RZo8b=3dn1;vCLBLwZZ2?J>t6JJY5f&ME2j_gOU2{OFsbwv&BT?Ic&YeCaK? 
zS7dx|i8$|tl4tMPO+LD@z{E+bP{NBQGeF4ieAZo-z;E*e^!e*ZOWU|}cEQzOG`}Bj9_jlIKI#$*yU)FLbR55ufMFG~qOlNmZ=08jtVk zN1lwiTQ?ehGe2=`$5Jmf{t2sQ+}GrKudDQrPm5*$3x-=36aClE)_pVW;*HE{?zLaa zYAVd#PG;MCu^ic&-m7(NmEQXs`?k-neIv1~fOTKkhuq(BrPe`;Z$8RqED?!$FStqR z=l4EYbKNlau8U7|uBBE9EsR^z9cXa%)8}e|WzVmuoR|7~>+rKB%XVyW@?QBmc#ivm z^q7(H1^Z6* z?O@rv&2>0XG=3*$r44i-6)fA~8z#UFC#Rxc2;VB2wIXQ^giMf;nRbN~8! zzGg4FwR!pJw%sYygX&MT9bK;GyU<)c#&(&D(YDTfGb67}64eTlC0`@URrh@gFI0IQ zc)C{PXu|o9S zc@;(GkgOY%*qdJL2-NwX)tBz}U+ar{f8!GdoyymfADr9s@SI=gk-ec!!4C>Py?W!o zV9^`8Uo}$yN`2d(y#6_FMdYn!&0FIdW_o<@)6gl3q5PquzqVJt%PsxPF=wvTiC5)e z7M%wznAsgCFBXf>l$*UGb@D!g)wX^@Gu~WU{-EVq>$&Lx*K&=$-f>My|7UwgT(V)N z>>T4G&yv`;E_UZz>Chc|_o7tQTf_hVlDDyFOmw*}SJ?hl**L>kK|SV{m(Ierm0E9d z{v7HtaC$N?e3R(u(`M1jGGs4Sueh+G`fS3Nv<>%o*DdYSc%JU=(i3+!a_uhp)2A1I z-8iv0m0M?v)M+-^&e?g@uU<;;^=jL&Vv=9Q#Qx0%rGfpS6N=BW>NyqPtv@pFUD)~T zf`sYGc5K3%g>M?`YG?4Iu66U4Xi@7l{MT@d#kO>o@rN!+EA`2jS%3OY&v;ZK!#BnC z@8mmDEIO?oOCA3{-*ThK`D&BNq^6c@OJB%;757`@tm0|1%U5Z7=J6-bWqa5+waj>R ze(}lPFYkA+zZM_&d|H&>{<%VzB-Ot&Sl)>apH?;hO-15D&Y92m^&el~k&*dmo!AA9 z^kYv?>^?U~o~L2KlufQ*1#e|-xn5|&dQ>#qLig~VCGXdr(Q&Yt*OfYF=3=E_#~JCT z7*Fy4p85Qt_TO6zoWy3>?cMF8t++AxyGbC65wF?F143(fybizO+9PuLM~r*wxocg0 z4COPKVg=(Yk48PquUz@aQ!FZ3H23bFyS}yo*3UT1n14txEtWMn+~sWlc-kD}n1&VC z-SX$R{jZrmZDV@Tf|N^)q5P}OEerx(Pkd7C(P`kzRy(%P6wr4)X7;>3Or0hsnrM^$_1yyA;L+J7(0Y#rIYTGBDe5r5{jl^Kp6} zTUk7JmPP5AUz#o7+&f~Eyon2D?3CuCmcGixjJ;O$*-ps>s5pgK2a%? z-S|`c`kgsDmIYdRh6WY(vhoMsn8CmP&N9a67hY-a{@K}$~V@>wVTV(yP*N0kZg;{R`khn?rCaa7=`sau}xVJi5(Q!>R9(=EIjQ{X*wGI5^b*bE>u;{+$#&xCFPt|gsoi5zM}WMpdGzra_e~6| zpJp69CVi)1{jbXSTaSIq|C_ze{i8Ge+R7vMmPtH!=y7UU=rC1@y*8Gk%f7!lC(~{j E0BNn|^#A|> literal 0 HcmV?d00001 
diff --git a/certs/mldsa/mldsa44_priv-only.der b/certs/mldsa/mldsa44_priv-only.der new file mode 100644 index 0000000000000000000000000000000000000000..81fec03b65110013c2cee6dda09e99701c6e6689 GIT binary patch literal 2588 zcmXqL;*wxuWH8`n<4kDtU`%CZVHRX*;$mTG;$mR=Ue%Ttv3cR#zB{Yeo>VuQnsBpd zYhvJ}#C@dU?4 z>;5mkr7_7dH+Y*%?#z>s8;?h?%Mzb%%~=^K8v0oF?xTe=?^Ki%8T=)Tbepk z#X?`%@#pRc{~Mbaou>%~O0;pd_i!)PQPB`mHga32z>zDLqkZ+C23K@jA0WZ0TXlU1c~juN(UX2UHqo7H7+pA^*-UCFCLTds8ldwQ;^D<8t zmq5jZo!lE8T$c1osTZVdYm7L?D?F7!VUf?11wKridR!if4}~!rP`M@2dc}n4 zk(es?(%wmjdS)qfavbUrP}NeAbc?p&Q#9dfoYZn>NiLI0!J@WCmSw#z5}J~SbvT@q zPEJzoc2hmXF>#Vc;9@2(DZ!vqDg_b-F2YL^nP+qaOh~z`WOz}@;mM)`L5UXT%?&I^ zJ05RiVKj13P-S2cNa`{v6yZ?0?3BaY;ld(WD6qn{Q9@?{N2WK21G5GLlj9_X39LLF zo}CjWOi<}L=w_%eAyH_j=8cvKkGJ$Bi*+8FVURG1_2woX1=9(F!Y+YEiYlU6B2zL$ z6cihja+O?Fden?=Fu5eExOl0k#Z1vz;^C^Kn$m2f5^^k{Nkl_LV3N|39w~P&&Xt_r zX1q*`5~rNtY!Py~WYVCxP~p)r%}5o)S(8*FIdmpY(U3gW!8s{+ibH3FQXQ_fj3f1sPlm9XME1QXF(-W~!X%@aZ;l zjN0VswT&}if@AWOL?(4dM;F$}i5b)Do8u~(-zOw2`@xqk7+-OD*?XpgNxQQ>eBB+N zpM1|0`Y(O=Hm7;ppV(F8qWIY;bA4)z7fpdHA(tj+Umtn%(>2b51yH>CcQk_?in)3sLq z__wmD^F!y^$x|lmX?S{PQDUh5u|)!>Zdn*!m^|fdV$h_-Yo8x{TOwwdGe*KZOz`|-f=(M|E_zYU267s)*WW z&-$FXGh;Km#`G=g&Ut;__HR{F`RtXy&WP@``;@b{_G`K0+E*-p#Ix7LD_(c~%=&eX zSf}mf?}t~I&wISOB$AUou6gPCTPtF29Lh02o8RShGP=3;=>DiDxyk~0v2yKs=FGb` ze|b5X|L?rruLA4;#IFu^e&Qg!E%7MpnTMU8o~IliPi#2fdQP>L%X5yzj(Z2%vy^0e zO8wo~7X-7uOP+OcPhWbI?eE)@3RN#VKDo5%*B|3Zy{}u#e>WUC(r=u%aBgJn8WrES z?l&a{`Xo_OJ;4BbI*QVYtkRA zxOQ2qpoS=;SCq|;kK4<2f4^1}R!QZbH9PYAo4k;$83ijfN>;3@{It$;>gD3ru!Z8C zPmJ3c#hv}RcP~Ebxkc)g)t*x4W4}y~9^CePSI*|=3}V4cUR@|rUsCq&($Nz(hkqV; z_W$=Ot#eaf{MOSy>?e?Lb>;7UoxTpwMW$|@f3+uP5$o;7eMJeCwH-~D3)oa79Bwe^ zN#1|McKw7&q0OG>dE1wn*vOb)jLD9E+nBoV$AhR{X1{7hM5XUJep7uvo?V2xmQfsoeqC~ZZnRrY~i-;1{G z4`Yq7-mkS&Vrsd?Tb6(8=N~HnDfdo6XxG;E|1ArOUhyw=c-HCuTzb#8oEJ3}Dx3T# zGR)!h*}E^LwRKx9*A~lHpEuMw=C3k;qZbupa#)?Sr*3s1`|4|FwySj7wSRSq3)yzy zgFNT_yxZJ-r*^!Keeq)VL-q^uG0H}rb=*gb=dJvIe(TC#EomxpR(E<9t$8glQ;wk_ 
zH2-?p!URsqJ10#xzP@poGx^)6=U*S%n!e0CCMlA`o!|C*KV{11o$>AE>WASbgE*ea?MX^zX~BPJb}_m1`RBx|;`NZnB(9v=MqB zxc+h3v%{v$BGs$2>^y$_oIk(uyj%b3Rlh=&7aq|qvoKtB=O}O1?gT%XprYFo-v3*9 z|ENIal`rSE&)?-AEx4j%lR(Bh_owTf`rG-69{yf-jbW+q-0#NBSDrrHc9zq+i|wPH z#g2c9)o1k5a)UA=%DefEoKsC3-fR{f6eyZ-!-&h>*>_^%Z zwjYC4)}@($IrhGJvQ=~F z;(yl{O_%e#c|UIA14F;`qOJ)qH4Z&LWho+D@abRFiK6!v%F|9QJE3yKOG|=VRoP6 TmsVMI(H+j`Lk^m(U$q?ocy^>5 literal 0 HcmV?d00001 
diff --git a/certs/mldsa/mldsa44_seed-only.der b/certs/mldsa/mldsa44_seed-only.der new file mode 100644 index 0000000000000000000000000000000000000000..82d0a73845f3ad0e74d8b0f8fe56bf81e0718e6e GIT binary patch literal 54 zcmXpoVPa%3;AZ1YX!Br9WoBU(WKn8RNSB@!vZbhTuk6O@t8-Hhqf1k}na z)g?{7XEdMV*tYv6n*>V}7sK4@wANXhPv4h3y6Vvyt;+Qu|32E$JMq@nzP2qBZA7(% zj?M5)ej9MQk~hNn6GNYAysEy<>D4z`S`}pDLOZ6UnEPK&>D>3|^qpyEl4ge8Q|q~B zAd&X-ru4`2Mn@|=m{>Mhi`l+hk<-XF|4U|hU7N|$yBj?f9_Wi}-%0v8IZiy#!mEkH zgH46QBVp2(Kw(x5sU5wYTQnxDNa1O8d3>z1MU2md$$@*i?oE$LjG`${78z3NeZs;) z42DccnAAj^d<8TnC>R-CvRc;_fkXwDj>U@-m=-lkZYh`}*3!u2 zsI+zBC5}KL6UWOt1UVFqoLo{FJTfP_2`NoUJhZLg(Tv{9YMd=fT%0?3eKw>ptLQOK zYnjO+IQxX)Vxb8Alhjfl$!VP`YKa1FJqIN`WF&K0X7qNuF)>ZxjS))q5-DOjm@2L48)K2n?AWtJ zjjwZ2gO`Jv%*@P2A%nvXib`&YO3p=0?rH)HIUAMO4lC)U7zr_MVvL;T%3{iKcw4WC zK@QJUp2Z#w$qoSw3Tk&0R2ba~A36jc65>4~;K1Xo!ep$*bb>`nnd5<2*Q^b?!VVnH zN=7agxffj~TxsLar5dH$Q5=A3^wz6xXkr|5~Ig52BC=s%9|aSR;1o`Vtc@r^>|vM$COlO zrOZ1@t+QJ?BPCLtHz;(k(2Oup;S%o?bktSZq1q{;AmTVtd69~uxT4@j7UmWoZsnwa zw$u8VGU@*N@zRXRz0@dRKi^kbBJ~~f^4B6W53J77TWh#L zwEnNqVeYnGS$@erox2CmeJVX<|Nrow+8Bp`#;cP~-sucuU`a_+UwOd!Z0xmX$6Ho> zV7j&V({=SVK?a+r2AdelvwbSr6%llPC-+55yM%u?LyLajjM1GJA3OE&57k_e0+k=4 zEGikIaz1ks&<=Wt531dSh*#6LWQu#outn!ELTIjCjRceBbya0 zc2Bb7`LsV9w+cR==$CYC$&S?=^`&gC+#$&owOlPJ(-zNlDgGu_;$|waXwJUq0}tbl ztWa6~@K9us*o~9h>>}3wK4F$x_p#4^;)zF}mtWRcouoKzn&JC}>tE`b{o{Q7vG>>S z2+PIiT%X9_?NM2I-MHcFZdSpd(|a~^is*6Ob$O!S+TzD~i(8>0QEO-VoR$Z#cTc@w z7~4EibievnIn|R#Jyxvh`SU8F>g@DMtJ#mw;||&5c&Gk*XOYmmR*5$02QCl&t4nRw zzc;5vDH%9MKjwQmYYWHoah%*b!>{n zrKi(tu1<^%4}1APD&^;i|5{PI&heg4=iI29e6*{ylc-uB-ej zW`9~ATQsTdoIud!yP~40D=ZGpPP%6v3 zBm0iwYlE-6-d#_V^2tYm+={+~lkjwkd2@eelEb)ydk^ z7BiTq&YGFI?h21wfJts^ma%>hbJh~6ziYZoI9_&aTd;H5a!2#}=Z7w?f0~fN_OGC^ zVavboxgBqgO|W1wQIXye-sW&g^36gs!T(AoJ%;wl3;oZf7sph@ww}1*5an>c!}fFT zm)YAi_p{%<8K}N&`lkHE_cALPgS0OQJ#kp}O0{8ELt^{V-nv50jNivN^k?WiUv04E zp5?Z}|3(uMQ-2;2tGjiCwVeCo&j$x;MZ)tvcD;IVbaH~o;~!b+o9=|YFt3kHjw!$N zczJQ~oZc^MUb1(|>|5?DpI|oMcd^S{e~nA(}t!}2}lLD~gxugYl! 
zVYk_Dt!KCx@`im4r|Lwvi~joqUOo#co_PFsy76m9={v4bcNR}G%_*F{?74R8RNZxr zTpETSwB|8BYSw?SB=yuJFMcD}tEmNYtzk@6CJ*t`Ps3nh|_HT!lN~>CSO_Su}W{^WPRy0yLP_23*;nwRqyY&Y`R}n zQ!{nbUUhBTviGbOf4VH(a<8tk%wBow>-@ishy0iJ2u)bb{OoUKmPcmJ;R=JfmCG8J ze|dS{Z*Bymz*`-4y_i)eE`+~lUHW`}FZ=TA9<0>`;%gpX@#36xq_2g!Bq}kHPl`vr z$M0s&G^aI_xvz-i+)(G6y|bM6>fI)eubsDD+IlzXtYC}Z<5R5u&q&S2xcQdENdU`Q Bny3H( literal 0 HcmV?d00001 
diff --git a/certs/mldsa/mldsa65_bare-priv.der b/certs/mldsa/mldsa65_bare-priv.der new file mode 100644 index 0000000000000000000000000000000000000000..07d42314eb60fa6697b6b1644b9a430c3c0de975 GIT binary patch literal 4056 zcmXqL;=jVg$Y8+D#+lIO!I;X-!Ystn#DC!D*_usXIn%v#FLwL>dm}!t()9M{rR*VY zJJq(f^8DP+^{esIR2mKU(73y8CMWGI$1goim5X#};1v|hgf^QC3bQGcrE+8_G#7}3I0>tk zCn*X9m8J@)F)*+?Xs|dlv9>XrySld)dW5=LG&-~emNJTp6;!kYXQVS4m$sCvr5UM7 z6u5?lHJV9SG#eI`IR+_|h<60BizKJ3r6a;HD1}HVKvNEMaFjlBHg$p!> z2o{(paxgWhI~1BT2o@HFv#|&=Sadj*aioZt7zQ(oi=?wNacBgJw=*ybg)#>kiH4gb z3o03zh^HxuG8G##h8Qy_uoil-3pJ;ixfqoui7~k~h6y)zXsElh6bhuXH<|{TnMtsR zh?cOnb0i2VXQUX3ClqH0ngnqK3cI%(3VSezSriwAC`Yh6FsWoXi#WD8MYIP6s;fzu zh$XgE2&)E_D=8G4h$aa+C5fgR3MI8NvAa94Iw)7TnJbow8H;m7s2R4nCIyFuHkXJC zh?X)Ll(3Zsd9;VPIuw*kG_#f|6}gBTWF#cGvo@+Gb+k2#YbZ3kgcye_F-nAbq-2D! zho`%wsVca+v?~W$G`59yFqgP1geI~YGPINwHn;}`I~570sxWw{voNQ#nKKu#m!>MU zHSJhG(=nFo=n%D=`U(CzzWHM2M6av$H3Zm$@f$m9uRHH(&-Fqs;ahqkJ^ zJ2|ni7P33Cgq9bDBs!Fb2Xr(mu(z9ZIJpG~xwn<6JDDg7h6=Nk8%mUx8MmiJxCWXg z1v)YW8K;J6NEj6~mPeGcw;P2RHnKV-aEKVNvXrQY8)Y=ATV#lfGclxzhAOhVsi&K} zhY5(dl(;sgq#CBDF=!|!3%Mwnai8dOzdt|VsNi=g5 zC5NRmrkOHYv?!YxF$9JqU3 zH7GTSsdl)8v#13$X}CqGDF>RCGzY3Tv!w=%PK2)C9gF)%P%v@oiuGqq%xMJSk;1veCkxrGZjo0TwXI5sGj1eFJ-39u`< z2%4y|xk#udwncD=B&4c`wi^|MBpDcZ6sZ)LTO?^PB^zpV2t>3QSd;}fiiiq126_ml zvKJR6ilsP&8#bjBwU#z{B&4UZw?rhgJ9?Nkx>_)@HB=}xs3sVgvvHX3LYF*Pu& z7dm*Ph@_So1#1W}h^QqRin|9Esx>L4wip?62&reVdoWp~Ie9QSixz|>r5cKg2^zb4 zs8^Inv}Y*0sI?gzrb(DpB!>xwSGXrOgt?Texv?gfRwRc8rIo3gI-9n%c?6jXmXv9@ zWf&H+sdtz*87Hkcc{|gz$A1cQ^%xP(0;g>v0){?S60e*OdRr)SYV{o+kCC*NAv zv99mwv3WOpv)$YyeY0m=4hzlaX%mPo+IY>ZzpwMvm&}8au1ms>8OblV)+u=HrM&Cn zRUMWcF5DL{eTl5O`R`z{>%racG`_r@mh!=2zhqv|MpJI*u;HkW#6aH^PZ_A$*N6)m_7Cw@!3^dMu zRLlE5^~04Oqr~#ef5!}^r0Ze@97>i>h&*%C@YTO-8~Hj7c;-dkyEl7b^X2$aROGk+lC zFLeBC_l2z!J{co;m@p|Cnt7`yRGkVP2K(9|3h{}rp>R{oVup7 zMD!&N@Web=ojgxs!C~M1qE5<%v#PS!SkBwaHQn|yOVu&Q73KQ1JF30XcAd8p^W^<> zX~WCnbtjGq{N;#qIXYML#oLtMMLVPU#dQ9;=v~XceP~{)hTEEk+75}U4crT#t`xi3 
z%qY2XZ}`ST%g!=6?&nWhnKQFG)-73Byn1!7^0s+jJ$dD;7bV}5+}*qJSE-3k%vqk9 z8j&Zf=RTP7yp74Q;8d0-pX}GC32xE%t$E{Q=QQOmOl|T^-C~hz95&&?2TKOgsQ-5= z=kCgm44l+%+Wlhru9q8{7{mRJZ@e(Kr?n@tbgsjIo6edg2G zn&d0jm)!pAb;|Ov>_%PTC$?e&M>nfz?EiQ^^rh3Z`%BC#FU)B#__FMjiSX4EoL~QL zn7FNE)t@UOA=~N`cDqC`np3^!Rm=iCCGF--$C5+mSe%|F$IJ9WtMf=g+@e+XfBo<2 z2iiY%F;AAhU@(n6CGh0dySmvYzN;_HJGo1275{$La;fjz&)(Uw>_xrNeRbjVpYN~T z{Cef$>a@ec-bX(t3Of8TJ{oJPU167-^Z!uJ;;)a-P5vDCu3q4YRSXl0Y@{~#kKadM z-hC-E`-Rx|i-)ea?6chQ>3(XXOvnS9RTT{Jp?A2SvHoIt`uQw>8gI0-dx_zxcsolNm=O5eTkl^L`$`rXr4HegWnF!{W>Mgb%zy~NV^LrZ?i8^@Te$c4`o*F0Hwx?!Kz zTb65rmRp{$ami2Rd$H@c=GIlk=@*~rzkQLmVs+-CmxlLWTYt|k&@0OIuCKa2r+M=AEl&j}-~KCgAU)z)#r-KWte6nN5@1PXPZ6s6jT)ccvOOMk8qa%%?;MVa}MymigMa~aoIVa4;!`4eIK~v&++ukWm*g6vOm4tza;#g=WM(0%YClih*wG3Co|=gN9yq(Z|+?U z{BrQlql;8S9Wuex0E$dbNA&d*k5yV~t`-kKp+l6l1P`>Q*P z(@TUReOn_WzP*{LlJsZm{kxI|`m*A;{)F85#5PeYMpJWvXuHGYrp%j{F6^Cn+t}ve z6WYmv)1Rg)tQSWFkDgl6V5BLVW(OvkL{)YY5(1Cs9iYw|H}9FvO}g9 zbI$)wu~_l=^4nwo1E$7*W54@RA%E$v(|o)f$;F#CRup{rf4}#L=)$NycB}9D+*!@( znX1Ej?o?>oTGhjzTX|h&JZ!fI7pP0l);&HW*zUt8r{_}AR!bVgD?cl2jA@6|hoID!C@+Mcq$VzSCQqGBVb# zJ0Vl`vtY}PReR>lJ|o@C%`@)`L(FXLuCzr?;gdKukEPe~w2ZQr}FuK%LC^Z5FSO=v_NLrO`Iu=g-#Ld-xl!-C7+g88cWKh|M$pu967ZW@=`b871>iq)pv{Jz7S<&&9Bgvw3Dm5=OQB}J88Q{~TJ3!Z+rzI99A)%Ox^uRYry zZc*XpKK4j&)7CumH!sh#Wk2`b%k-M-d;$CKY^5dB1;26ja7w(s_*`tZ_x5QST-S9u zsv5!*OLdYMx@MTq;GVQn=>Eb}8_b!nMYJ7rIJ4)(8sV2g|KF_K;mEL}KDy@ z&SlDWuWg?Cmgp{iaLvOi)-AQD+hS?t#4D=Xx6eE&_e?F&cFM86;p`iJ9{8{!@!MPh zHeXx68Q+ctByKqU<=~@pRzlXZHFs@!_IXQ#|JnUFZz|g)?Tzj0QM>v`ru^WiMemBe zcP~1#HPqzh#<{MA0mjbm6SsWX(yj2!rh411g<2UBPtRU*_SmHtV>*SS#&QeO-b1HF zJ1<_7a7;SawC@+MpzYar%I^;C>oAhtw(;9aCe~Y9`2_ZtpZrhfMwd5Y%1P9 zKMj1Zt^8zv|Nhq;xp$Xhc)aU5(gn&Sm9<>VeJw5RlUiEO-n|>alzJN2{EZt&Hzs1p2q+H literal 0 HcmV?d00001 
diff --git a/certs/mldsa/mldsa65_bare-seed.der b/certs/mldsa/mldsa65_bare-seed.der new file mode 100644 index 0000000000000000000000000000000000000000..53011bcfdfbca2c2a699ecaad75d4769740fe9f5 GIT binary patch literal 52 zcmXpoVq#=4;AZ1YX!Br9WoBU(Vo}hJ*I0Uc^}5#|*&S5Bx_mH<&*JUw>@2@){&ya4 I@sEJ*0CDOP$p8QV literal 0 HcmV?d00001 
diff --git a/certs/mldsa/mldsa65_oqskeypair.der b/certs/mldsa/mldsa65_oqskeypair.der new file mode 100644 index 0000000000000000000000000000000000000000..4c43bdfd74aff3836b0a116a0dbb0ba76be206fc GIT binary patch literal 6012 zcmXqL60cxlWH8`n<4kDtU`%CZVHRR(5>H`i5>L2g@_EMErcXv!>b0Yye=G>uc|PXA z`j=V>hfeHQd7+%9qfr-e_h!=6Emwb4weQUCpT;+5ZLz#p(ZA_NZ5sp_ce_iT_TJ*? zz3z&rsqUtE70UD8q_QhL`L@*GE#$n+r2414lgjzMkJDi$IlL|RnSc}C<+Eq(iU5z~0Ef@mX1l$r+3^ELx*;1IyO&Z!A zm|2*ND@qeXLN&sY0z6WaoYPrNEf`q?i%QeOT|$dJN|_iVOiY@B8d5rhoEg)_4N}9! z4BI-?LY)QFo0C&ZUD%XO)ma#YCD@83ic88=N}SBx+|q@LN&-bS8Z(^Jgi9L2lfzO} zTsvGPScJs{g~NqR%nC~yRl^ch)0-*;Ow1bu8yy@>gGHG{n8cU@A`%PLSXvnh8<|52 z9V?Oq3xN<@-Vi=9GEoI^TN(+l0qBLpmx8jV^UjFQvR zG74ETL>gTU#Y`JH+>_c8T#Fr)n2THsG@4C988Qr=lS;zH*qkaDjZ4xU8%;t(n$y?{ zn$pBdLlVUp8<;}G96gK_oh%wuh0GZPTapqw*e%$@LRl>W%b3K&TP;}90vpOrJKUU$ zGMa+jEX)mB%Q{-h6-Oi;LKmgwvafOPXB* zEEJoJI)Z~0Q^Q$GOG?ZXA`;pfRoU7S%ZpqslEcMYJw!`H3)2eKiXBQqBs7|XS(B2( z6Wd)i6ggajO&JQrRn1it$`!&hTEqf^jm<&@SUpVGofDkW7>XR49nuv=RLmO0l3ZQc zTf>C~JeX3|4a>_CQ#%Tp4VoQY3>Y)g%`{v@MN~4{1)Lk185B9fHNx9NnblZ|Rhdmq zP1q~aT^xl|Ma4>;6iYoSRGbPU(t{IJ|16bgbP%8V_icJkn*wV#Y z0t4Mmf(%uJ3KQB45=_I@D-xLmOEs8;&4Zd*)dW>cI7~`495h%HI4aDQ(?T6nA`DeS zTFphxjNFw?8pH$D6GI%-8BHUE#mYh*1j2*VO-ho4l@i3nMc5sRgc(Gb#l=I6%bYrb z1w9&5#DY0Qo19C+!=o~MPicHQVt1t|&c7|W?RMM%L5HRG zwA9^P@KNlvaMxCW)ITZ-4D&v+%rr6+)ER-JK?9SWo$7 zZLN{_mp|elTUywfSe#Q+Ze>>?dwKu1T}Mi?I*WAPbU$-He>F)g;q-!uHzn#HxkO0` zzF)wp&h)#y3=^Z z>$|zC*9^ROF>pA&&6)4ocOvkB=As#=)Nih{nEhEd%t1`&-T#BrXUM%jsJ794>imb- zQkn&QCL}+c@Mm#DR9da^d!NJG*ZKuJU&-I~b?cY++BZKYirL>i|Mb$8=j*-%CMHPV zFy6s0yXo}yf*ltVH&5Iaovhy}^uqG$pB+E;JnHYiy{^JP!1&aI1;2ky-2XBApXvu5uTQ^&G#BY4~{qDi3zWQRja?YtvJi)R&c4jxX z;;cxo>LoXyx4v^4J-pkfr+NR8neahVtB@I= zj8xxhq^emhQh2g`!c-%n-A`%?=URYiD~+*g@& z)>66R#^)_D9!sB3b{}9Z)`6XA`UU^9CQcYgpFZ)xq%(BW}(MC|j{;gTxE5(od&e zSLyYi*#G_I%nJ+F79WpST=%K?+44`bwzHd;`CL*=tr(a zXffB);>Ehsi@6ug|M*`Z&GGV`od)aY&*D6vm0^BdW8>MZb!L-4)_0!XuwnJVMJ0AojFrWSzaPw%u2%keTM|?r80PwJ&nLAz9rr{! 
z7guazK9Rb|q-0x>QI30nx@K{zQg!NTW6$PH;kU}1tLht>C$-5qPV{r*Hb*|7-<){ zwNPnGsdi$}_1vrf4^8y{lX7c&F}jVx9mVbJM-)S&$Jomx361de_cb- z=AMA%>SJr&6vS;FO>#W@aC6|xZ|73)-@M0>{pq+C-{G1Lj^1-0KYv^p5g?b8#K)1i zI&IyA^mzt)cltc{-`{lbU;-bG$~)U-e*PM%R(<8$D_V5{=Af>ND9_l1tUFu41< zWO;F>w+hdNf>Y*NymQX0otWBEcfi2&2pJ~sy72cymUagB z`sIl;r0(3+nx$=gUgMzEuY)!d+IjT++kVLWve=kgI;)yh{GafV$oy$$ua>xnok(b2 z{G(;<(zL1jm-y|Nx36)2_Nv%Pt@)p7MR&<=4f)`+?Y`XN)2ve46sLH-@Csmlrm(Z` zmPEv)cf~r9DuFKw=8HIR+Ba@!uPlj|Kc2JU6GP}MPe(mv|M=p6`wG80xXxEuwqg@+ z>W?pLF9`f=z7zGOtXZ#FSHunD!sa4*$*sPrjRMooYJ4x9A3Y!`O#l{2e7%Vl`CxN2rnozRpe z#XIX#TS_V|Ib|%5ni;08Hkj~wp&n!9ZWh*0iq$fQPMgRT-;tlQ?ZEG7{;f?X^c&h2 z_jJ2wE-yR%u#j&_=$3nhuI)?fi%XWjV2xOzf9aoK|0}0&yE%_K-zmS+D%9%ZeUDK8 z-JfeM!<}idEFb=9F+1KjG$~nj{r^epKsNtfZtEIZKU`npTDkP90C(h+mP>C!XNtC( zYc@^1`tik_o}^{$CM6~lFUNHpkc+cDS7^?B#=C~)SRT{e6K7}sSUoA7U2p269STdG z`QAG0oba*Zd~uWYpB%m5)qGzrXg3J2$$4GrF)iB9dhv0aDqEkE9b7HBMrWS7&9Y?Q zA+e*rTHS{G=#ga}zpM9jHZ*QH+q$pw__t>-c555oPrPVg{G~a)+{F36&<)W~7gF__ zw!ICT61ep2ghXu)&dL6UGxqI_-D}Q$!uMita+k!HEr%y;t9W#5qW#xbW}ny!8qVu3 z==&Wkqc@XNMIx7Nl1{ap&eT=m46omx|Mt_I>!6AD`B%v*vu7|pVYwW4Cq?wvZ@I&Z ze0(x>CciuO&Ca!D%euJ%*{2L%-(7Z;=S1EVO*VI*jh8iZ&l!Zf{$BfY)rU@Q77pWZ z-N}p7j2(@uSo<)6jL-mq&b2$(^~oQIWA;IsMI&n5CKg?%WCU{4=BH*(jxF z=igi#a&7Zj$DK=O19WLpa;t_fe6erBNTe73UrIFvHKSWmMOvkJ5`2myD z?%oM2^S-NeT%Py92ZNi22e?#!Oxymhn7e#^zXMnN*4<)}$KMu$}|_qMfZ7M{`4`Frod6WQvqX|Fp!EwP)jZ_zU`?f81dE6X;l{5>=G zZ(8SOP2rVY(hfe~nKs+TL~neVQxKO|F20UUZ>jQbi}{61QxD{ZH_x?H(AlZO(iZYz z!Iewvk9?VZG_JKJ;K#~ly)P^~|5|REx9i6FCD(V${{DJqdi8;iP2%w%ZmfK;Qf~U8 z=$5u!mjZhqEUUY5afhg1O;FJpN$%5IyDDegF_?BUO09C@vLJ`oUsvRJJz5gR&z4_k zTq5v;<)->X$H>&S5O0p~TMmcSoH{p6JAW)pT>kaT<*a2)L9DF|=Qc%Toc(5C85ubH zX4IXNPo=hm&VRgbx?KLDGq10$()Uf>#sB8{zl-&$xu>q^Km0GaY1sxD-q60EQtI)3 zGVa|8>=sV94{**;y0}i#IZf(M%-Mgl*SxS#*ti+ON<*<)38-Q)sdK4&gH~&F_`D-!uj>7z=fIbC!3pU(ONS zdhfvzQwgo#CpU?db4sTF>g-Q&pEUo@{OEwRMa8o`D-3@5Xnr+dF;{DtKFPC|qo-n8 zuhg#(b*}`bPGx!e^m$Zy^URFYxhC9)A1-N*s_2r@Qm;H%9$e*RU)ht&XCB_}Bq;3g 
zQoY;P-16eP$#zR-&J7CP`03iEs}rjiGH0w}<(yp9zeiihpi)>m$WGvZ-?|;^%anyf z^^5c7htIc9)O5Cceq!&rmA4cuiv8^cq_!#bzjRHrKm7Qf+k+c3w!Pe)(KvPUWjUs* zR$5mU*nhWM_J{56% z-H{IlWjC_l*{4o0T6B{C!k4UECAlT%wm%N*oM`)~>8X8J(#J0wtGeDDF!>>D5H?Tj ziB|5V{S!Ct-=zQU=(EYMzx_wiOw%Xg{BQ>h6^Qv2AZcW-45- zWaxd9wAplP{p9L@Fkq{Ure*d@b zmqV9duh%V&*}}ea>8Y8bXBWCoQdzM(m$${trN5s`^oc@fqvOT9`QH_-6-0~rt>q8B zT6{0zPtx()oO-VA=BA8ojzX^;pI9ooU-~$y`tm!|{?}_3wsKz%JU{t;;HlPxjR2bI BdFKEC literal 0 HcmV?d00001 
diff --git a/certs/mldsa/mldsa65_priv-only.der b/certs/mldsa/mldsa65_priv-only.der new file mode 100644 index 0000000000000000000000000000000000000000..bdf04a2cade148ee20c46f6ed8b23c10ef3bdee4 GIT binary patch literal 4060 zcmXqL;=jSf$Y8+D#+lIO!I;X-!Ystn#D9dPiT?oWG;5K&p^uXuJ$i91Kw}l>i5rCn z?=dmokKHco?6Ius>=CJs3)bMJ!xP!adki8&#W<9E({hBE(oyQytlrL)<(ilpW9fMia8%6K919vH1k*KG*owkS5``=jIT*{+*b6!wSxhXFOiWBW zL_&-?B7{pB(+z`~3mS~o961!y9gE#V%M;rJ$_pfzTMX14#LQJV#FPR{k`yaSnvDZX zGzuL#ijp!I+5?$7B0`nISOl3$*__myQv}~aa8X^>hJ4DLMTonZ? zGCUevo5c-E0?f=BA~@1m9Fy3URM|sR*qFtd*vdoPJUWsMHN*>9m{>C08r4KZL(5&1 zMAKXy6jU{m70lC_4HTUd1Kl*7m5R)m#R}YmLWKk@l+{!X4H<=1IFvJ*I*K(ij1q#} zT3J&%S{aJi5;8PWLOPPl)eM4)%#Bh#%ESePiv!q1jKdAhJ;W6f*fk8*jRh)PQW%WX zg+m!=9aR}r zjWrqrRLj*P8bk#}0z?9p3d&td)EZdKJOovW9K+L684@)jnoC`oK?$B-P{9=4T>3!0^5{|MAOPx4NC)@ zoWtA&**z@El)~K|on2E^1(YNd!qN<#ncZ8>QW+`=GfJ4-6-tyUBuq;iQi26kn44PK zniAmLIo4k6+}y0 z8xzFajXR8lB!rn80s{!$b?24Jue1Gs2r$Lf8UY*%%{&(?Ww(6^c~?6`fKwN)tE? zmED+4nUj(fQ#i!iR9G4_f;dtF3tWU#7z+#&1td(&-I|?E+So&!3X0X4+0+t@g4@Fc z*+fj66kIrx*@G21Dv~oagbNdd+n7UHQbbLQLz)~K7|oc)Sp!89%{3Z~i^@6}*c)3y z6Iomu3o6YHfz?|cXywx?!3acFe9VrW#Y8*%8v}C>4#bF zzFDNTt(;RejxTV*fuFIxy>9Xc3mtZEGdb86J@r)Q`BT?k{>VL{a44kY=&t$qoaW`< z77@)#X)`SfKKk(AADk6HRAxOv&{oVY8@){%Yz3p7usC)_aY{mLLR(f-M- z&o}d#vTK*-X@6bVk-6CGcu>hySEil(f(0h;j~Tq*bm>QsONfe^?)52}s&xfC<}XB- z3*CJsFSDVoKYo6|!_N=1*cF_YKe?`SB0X#R_O~g*mB*OhcinUod-=ycC6jHAJDY>{ zTKk6$OSfp6=%1au)xwp^qlsU&3V%~bv-HX&yUaiGuz)Lx}UFc?GyRz#`{|u3@X1$v!cc9&7MSdPCV%2soRpx=U)zDv|I!x|LCz4zMX#?(A4y&t@;Fzb@gd8DXBoC@+pFKct>FKA zjMGNRl==RJU)Srl?F>CHXf@~1My8cJw!L>f?)52Gyxv5`a?ASV(l?XK8$8@Qejm0I z6+6v+=f{z64f&6{uBaTzG!%KbL1v-kW~JU07dp}|hfPXsJAL9z%BIqdKV?@aHVNG= zQ95}pdQbA2Yfkl7Z-0>P->~$`obJ^Zcrs7id>(s^-_rB!)U}5=zOPhgp1t_V^R-_? 
zUxhy43SM~Ed!4eQL@JlS{JSjThcC7+pSAS(dy9SHzfT>XB>eZcghcyFkv~%AB8lfx zy#Fg+oxRa7QzWA=Tx!>$h`;Bbo;tJOP^DnSRtDckztj>cSc*(;-*|m?`x4&u`(ElV zlluG5{f`j4KwJ>FXBz2ebMOVR%b7eEP3Y`tkdPblj+{iJBt?liZXdngr^ZHdQT`Y3RPlyTWZ%aY;aXYUQVXztZjJ)b;I8KqVI-`@5wTEA1}GWSC@#h%}nXYB7hB@-oM`rz%V zx*$He+1x*ORR}!ZJnOZ*RcCzlE=9@IFK!VxC$G5IkSDY0^V0U<-1#<6_6y(azsr@r zbu{=9n(<5cz1yaJ zcX&#ylpYH!9LTtQCgV7{BA3yK27KoeE$7i|w@j6sMq#3cbH;4;A@v zuMfC<>od=sFPEiH&6*bZT~}cibKSbik_lOL`wKSqzWuv>c3a0@PEOHfPxEIzI$OF>v}UCqpE|BbGkLs35S=6iqp#qHvi=6Y_o>!sr<$rrSm z3yWfoO=ZIgW zCO3-`7C)_i_uZseH%qG|l*jL%%tVn#?o5%p-u7F(51;zjPC~wDdRg<9$#K)qv++#* zC0bz@vmi4_Y03$K)fY2cDyC`Au5PpiZ9|8diYlyqo*Kn7z4ixoO$LlWZf1O8+Vn1^@~lf%c5GGfr@24( zBxcWuHLzsZU=R}ME2LeN)AfeOOe1gBp11cBPNqukJNsZ$bZMQa>*a?x+yrcHzY+_0 zNB11Ur}pfv|89T(@cvn`Damw14*)1;ZrPa~g+Y}k7yCrsaS@hXusE%~XF z(zeg~zkS~n%Uj!hOxzCMxYBotdD*2G3w|8Ebl7A`!z;#n>sTMJ=31hZ7=P-f%!Hzw z@2#hlxBQCXR9x4dZ@Do#eZlz^O$#D_A7BcUc3waA&1#WTg{AG{anIY@B+QoYnLQH# DXBVNw literal 0 HcmV?d00001 diff --git a/certs/mldsa/mldsa65_seed-only.der b/certs/mldsa/mldsa65_seed-only.der new file mode 100644 index 0000000000000000000000000000000000000000..f7e0ba696cb37f659e33863dfbf23549bee3e5d3 GIT binary patch literal 54 zcmXpoVPa%3;AZ1YX!Br9WoBU(Vo_>PI92=Mzt#Cg1uL|9-eu2xJICVw4)g6#&mD8< Ls@6XJWTO)R#yl1q literal 0 HcmV?d00001 
diff --git a/certs/mldsa/mldsa65_seed-priv.der b/certs/mldsa/mldsa65_seed-priv.der new file mode 100644 index 0000000000000000000000000000000000000000..005825f555001a7f09b2cf5158cf6b3dd18504d4 GIT binary patch literal 4098 zcmXqL;{V6Q$Y8+D#+lIO!I;X-!Ystn#Q(~miT@dk0>_=jW|=1&zxte(F*5qG(BSau z_{S^HiSGHF)^kSZ#h0}#P5cMuIn4bwE9%(qDg2FDEn#uXwq@S>$(uf-=%xFjkb;|q z|C*-UU|;&aTd{b1i6Z9%2lm4oa^qxLH~R)@&R<;_SUI09ea@`ULFaYccfYwacay}` z<=yh4caAjg*dQVu)+i(W(mSo{($iVnRu>n{_QK? z31zr4q!~IUGr5~KGL@Gxw<)sinAgh_VWZ2bC8Esu~5br!}QmG>L^4mS>cgIYb0^6qgvQD@q8qYq**@ zD3=?SF(?|i7gU&<6gruQm$oE_rM0;ksz?|rl%$zCcvOfPm6(aUi6Ts3j={au|dZstPwdXEcYEq>6KRcqqD;C#YC7NmQ7nWT+&zxhjVVs|vF^B%6yj zF@>`h7OF67uyGW+v>60BrWO~OrD<`&P2q+pBv>Pd@D-^3|hz2V(lnO93rwFNtNN^;I zG*xgUGPspCG>Mib7nmrErx+Qzn3M?_FekV*XB3%;xH+4MB!?H92{8$ZBsqi%77K*4 z7!(z$q-r>obrdVR83ZW_s41$JnKKq7a%2dGDM_S=8y1>1J4+}jF$V=O2$hDWHiem4 z2qdwUnrNsd79qfvay9KI|~N7nK}!&F}AueF$OsVCJCe@ zF{+j&ml!rCG_iY#3aYrVSO{taHz%c6{-knlqv*8G%2bHh_^?Cx3;w^x{H*yl!%L{hpQ*E zmx!0EvnEA^iyKrFvIrTsn2v!%E(yDGGFm>8C)r%E`OwJ@hQ2OBD|BrqF> zo2MuTH8O=cF$5VpF&hMSB&v9XdQ=EXhz6IrBq=zXnX9?DhKEY9F|}qCrY8i3h$|P0 z1Ua~77#cYyB_^`4rz*EAG?_4kC#Y8lrKlJnQ~~Pvy`@U6bU*gh_N-hvkH_s znl&qMq_sMQhX{BCGkBO6F|)fhl?5t_hC5U+vappYCoq{YsCtApg&PP52#N~`sR|}I zvKJ_)1hOZj8Y+ibD783?Brt>)mn*S2s)?{Er#A(e3OE)TF|fOTAXFr_6IGbEcZMu@YD6>6jzB${%hmX^Ag1u_+Dm^-$IMzn;MG%+=m z85yK-G%AK!6eb9YIEViS1^?p3MaG+B%2l` zWw5--E!Z_Nd^|_r1fib$RB&4_oIo${jj4XQkuzS-*dNy{paboR_rcpj?j5 zicJe5U`TP?$veOqieU(b!r^KPrCE& zamD>&`nO!vyVE4C{oUk_I<~{-1w}cU3UX&u7$kY<7nPapNUyvrBWlK+b!{WV?Js{l z{pW0ccklN-rPJK^Chhy^Sfl-Oin(o}%-L}Wo76UCh8>gLe0lwIUbZXE7%WbII;%0k&Zk+KB}p#O&gjK_ zh1f}3SEnyXc-A+Cvv(d>ew*>!Uklitd=8l-&?w80_V2EO-5jleTII`12fadWpZ;*Y z#`bl&{?;hbQz55Y_fw3KarX4G(pe_z_Y;!UweD=n z+{*AA4c#aDrnl1V4^?Mfxu^f|2e0Xo@Al2jh$;3u6@2cizrE85VUfW6SG#6Cv=UvTAgk&io_F5i^Q>oH z)`godUeTGM_n}2zN59M8<^KM+C)R2hhj=&n>ECS-)wVV*P=CAAI=8-kPw(kTto%l= zy>4#5nCEz)@>|Qnqqz#%f^R)+)~?@fcB`^`+oqMqtM3TT{+AZ2c|3M@TWVkQ2mOal 
z-&Q&$Y`rG;v&g*flBkept>?x=iyroh`Ti3%;A*c4-?iU)o#tJuyR93WUrA>lIVdc! z%%M+BPF(Oqy?IOI?$p^=jFLD`R~kDVD0QCv>x6?Fhr*Zt+`b8_MP4T_%ImGV z^5K7USoT9ll|`0YeWS$1SG`a2R+&2WWc%(9$G=UBTYUS~PrD}(uT^5SGv4a@Wa)Sw z_!|8%%fRYl&!i6FV^`TO_)K?LapYcpGVbfkmI`Fs~unFBvtY@wl zt?KGIDzfE#^!ZrUMppBsi~k*|KjcuCr^uLHdHu=cI}5U8ov&HD=-k&^+Pi1U!ix;P z>la=5-Fj__%A1KH_Fw#ym!DFfv)_A`=(oMw4qlS@cRWDrkapxq8MEvu!bn;m{J zHDK${EppkDzjM4Ox?4O|U3BV4-h7+vQ2xlnk5sombyRp)$X~6kGxc5oucU6|p4n3; ziShpbB2yt_>~(uXP;4gKQJHi3=NVU}T{TNIQd9d^@#}`F!lXT`{#o1ZEcN7QnCqD7 zR5|TOwbBjK9}ky)IhUUE?eiLu18H{{j9M-BoM&6;tWp(o=XUt1&j<5diiCcauw1N~ zXU(iy_EsYWm1zb}_6 zt?Y1|eo|wTsYd6esGRC!p02&!y~&DKc845D%l_b(Zpjh2?qj3Ls?D#Td^omTxLJ#7 zy~N~qJ0^!~uHfA~=|p{}ZjJuZ-e8T%Pe^Uz11aW#J9`ZuG=TFtqW>)G~d$ zcaP)QB&Q`4Jfgl%{9+Qxr)Uac5*!Y&Hm?>yjdN0W7V;R zF;3fvZ2-VKVrwp0ZogeZt-B@#D^67@E8LdlnJ{vE+zTzswtB`jd&)2s2 zTx4I!@L;KI`hM5v6Pv$;{gCMX?ehJ16_5G>+hZ?Ut8ZilO<(l&^Ea00*Z=d^)}Q}7 zOZMkBPfq8{KmFFWt3FmqZ+DgJa5DVNa!l*P><>*DMwJ^gZl7Gz<#P4=F)`(eXOQHOvAY9J@}~&iE$(fcyKeN3F$%H9hi;Q+}?OXIRgEma#~) z^ry#`)-BR91%>wKKDo#D?_XGRZze-n*hj|~2cBqfD)1a=OkmMDaH;q9)iT5AtA7`o zCeMGT^JvzqfUml-`5yfTnQ!$}KG90tDX1)aH)ZM!#}##!+osp?lklzUuh3{xM=A^>8GxmJhBN3xgK;aENV%tsa*Uh?zo8;@9Q^yn;9P$zq6h6 zFw}33$$@X6{b_TiGk;ci5i8~x8IoN6+d{6k&Y`;O@2&gG z1NMGeraJLN`o&8g>lceYNuSfn`az06QuMcp>zuY$eeu6pvqUNjj%B0MsuA9Hk`{{L)Yvr>OCi=PjZ#`vkA;D#` z(dK#FF_|^f&RU;Tn`%0_(ZH(f~zD> zKg$v|a&j*5)4X9F_tE-(`iq?_B_?lG`|`0w|GW6Wf;ms#oSL!cZcN^eHwK(G8>T=1 z^3}1-TsC~O+eOjOG669riSIPR4QtzGN}rS6pY!C-fx~rQCq#eunPnX}_3at{h1#Z> zwKEt`ANn*kpyRyM@3_L|Z@)Hud2)W$qwc$+nSShxj!)RWYE#6*55ij(FqiEM%J1`z z$Xx%1jk8m7nxW*06p5`FK}Je5mgHVBaJsxn@W2$!=xGWK5=Kr3Se-2tg;;_(9J^+* zaYV2<#2EQZ+2q0EsdC0d=)xfuC$S`k?Vgj_S`I1c`Irdtuq#b6YngCFKtWYekfSJR zN8kek0i{WTvyM3~-jOnSg6|@Zi7Xp)98D4gR zfeoHL96HRd4R_pl54z|~Q4y4yEVxL`r^|%x(J{`+LRvGIOuQrD6(hu>!q}$BlBaMi zbB%or1#zm|u1|BYK zO)`!d5@IRJ>=`Frx&%#f1DXURSsOh)bgyjVWD?++!cugwBSVGLZPE#!NEMy~O07yA z8X`L!XE+HaD=2X~b52z8TDYwD5>ucegV32{DU24HGiSIY?O;(^+`?(ndXXvj@ia}D zZHfyf2|Th;Y!G0%aAKl|g~9Engd-wF0&bctoN5H 
zX;3tgMMH9$#)Bz_liNB3or4&sCc0>7T#zt`XyCbM-?lNne~Gx;<&^&FVsqof|-E#Y=kgORJnP|8wkriT;Lu|N(n zp-2u-7B&qPRn4AhI?7I}g3f{|lM-)FX<$+}JgwxGU?6mR0>_yahZ7zhlaDDX85G_U z%ZOB%kZ{0bAycCaD_iseU#9J?O2!N_EjovGbg)d)O>7G2Xq%wy$lKLWcx4Og2{%3E znSwHgO+vcKqKHF=TBMV8KPhQccbjLOPfLd==2o4`HQwR?uD@`8lP5-Gt`csQ1OI5;qHbxv?J@R`Fh zL3ugnY%!J_O)d)Usf^onBN+H3EP3X*v`m`jB4XIc%$mBufm7sAM;C)nw+5@il$HsH z7$QzIC@HB%FzI%4C^CDdEoxGgndEwh$*ZfQHOR#1q=M0frkoCkuE--A!p9vwER0Ti zXel@8dK&TFQgCDB?37{&V&TkD5fo%_?@f}(iC)yn)!^VYBQw#gDa0)+WkcpIp@0-N z)lpRvix>qVWFHuNk88cx2@}D zd8V&m(n-?Xwdm#b*Zi~2wRW!BZGUy`SN@5O$?|T}MfZ-S{xjdUMEUocg@^P-&Ng_( zA76Q2c+DKQQbkt3iLp6zaeV=8c@>K3{k^fT{Ft5|&=8t)4 z?R=WQ;K@YMXR`(ScdoE@s7*V4&t)aEy6exYh8^#EtNCIhT2Fu57Q~^X0;uE(Hw+{l*uz6AaJYOuP}I^<>8D2|LzpGyeJ@ z!`1t1XOh^I-mQ$g%Qm<{`srYN-uEFmq~j$6nB?*{5qo=7w{`cqVcVGP>%g-XZSt^J5NdJSJ-IJEId|~8q zk`r|Fp11N!%(jWz!s|~*Xq`MByzpLUfkdYgH>1}FIhW$a*W_MU?foZmsiQ}#Zf*T} zg;U=yt36xY6EOX-`2&BsS4|gP8ox=t4e1kq!PUFtM$6Qs)syU2@|!FQdC+#_A7kZ) z)>}K0_tge%`n<^aOIgePv}Ex{wco|duI%7r5}5M-WmLz0zS&o%2Bvkl^{#8Wd1>-1 zG3Uwp_DP0y%;!x-%fx3}3tC(gmaEq)ds?n{*?7*MEo{mMpT})Bvikp;Yh9b!hV$_v zMX_ladpB;Hw&o3EZRLzF3Y|f}a~B`C|HRjxaVS1hb$<8p&+qq7I-u_HM1Aw-TXh%Q zcy~GJr9?&g@LMnls`k}qZ_9EF-jcHVGS`BxpJ5!)(+dPs!e;O)hTWLr5*cqV^_3}d zew)quFGk`oW)$x-a5Sh~{bi!f$5&_9tezvYTHwe+iJyL=)w891u02}Z&*yg2=fsy! 
zoh#=uoGmMJJld~SSMBY6BlX>})tiz(?XOCh8J9U<{%F*c;4R{A5mTDKe+e-8w#nR3 z^wj;Hm8`bAx6k>#f8NX7P91IK*$GGNQ&&Z?6m4FrGAT1DZll@CN+WgG)q3@@*S8(+ znfpUzv#s^vFRgiJb2M1|G(}Ul)Vycexi$CKE2YH0w&r&%o=E4{E5Hb zfA#D%ABMkf=I=cYr#J8!v*f(#7S`xEc<{r9j}zW@3D2rK;PZgHaoabg=e#yp} z_r~yH-)iR{$5u{tJ9eUf{_)cJn6qN~wr(KbmtQGX>w{v96*PbQW1+!Tce1hB9FW5cIefOm6)Gfn%ckF(ZWG=Kk zV<`6`+U?*4`va$fpM80srP$Q${p!c-&=*Zy4_NZfiw39$9FUplbK!)zt>4K>HFZIC zZ};|0kx&kK?R}#w{eN53|6ex+j?55QEyL#TWPbMyv$pK*j2n_}4zFZ4pJn@Y*Ynl= zYV8|o_g0t8`TLZOdFQ|Sf>o1r^A1+Xh6YU2C=hGPIbW1-$KU9azAvz1YDDH@pB2+i zFSwOy#Kjg448 z)!@UC&;L5yug;xvbsd{c*5i)jMQUCB(^|U(9DL&DUHf5t+Wl3y;G9GE3(9WRzOGN2 za(VBODSdl)tcVKw{&(w@dD20XOrxC^p9?=@ek|zCiJ~R)Er#rl^F7YDubs5$%Yn3G z&WFV#{W8KL)6TN2oMZQVxqsprvqcHPr8Cwh1TUX8Gq&`Oxz9QKvo04*SMSK~VER7M zz(H+6-D{TD3m4}GE^O3Q6F4Akab~LX)v`sRXVo556@~?jaB_C zr4khUj!*d#azrim-u0)?HR2z{u#`PvJtBQBq_OF~!uDUk-z+dT+$I^mnc>EoN3+-( z-_N`BWmlhb>f)XqB9$LnBo-IEnpNZ2oAJP(cV1Gw`qtTvW+wG=GoJc#*)mJ@f3=$% z+V*UJ^{vxQ^-qOE%KqNndR|V`dWoTI-p7u+M}Bv%{QpG8{Me^}Z^ok2i<0^ezlxjs zm3LYu_u;Oc|*-L=}@&G)}HHaWg1swM24HIo{ewEgt1dK@3KD<47TSiIN+Bznc?hlW4WZDbI6?#d2*fe>T!R(wqeT}v4tGc|kju#w# z`q0?GShwIdlUGj;%M#UW;hRaSnpI)XCSRHz@7p)+`8jX*s-s%-eIABh%4pk~?e(%w zY^vMtG`{#L=ih66h_vcks-LFQUi6W31LMIxeL|cM<20mY+Bv`J7*C5TJ2{=JAlYGd zZP8!X*>m_8E{lJ*|JrkrHihqRmo+G^-&Dw^V=vV9mofgHu)KWv5fkUxX0j{&8U8D} zzE%6dpj-TEOO$<^Qt4!-$?M$m8K>JgvadL+F4QH@Et(j$R_Baz>8HypY9BLfa$2=V zaPpkvwVTd&y>)HbmiBb!r6UXK4nJ+L{k2=PA3A>}S z?XXSkwb`)`XX#Adq_8N)CoFECarVh2-U^RyeUhkRI%2i*zh2StS;-e)u8H*6#5uvD z(lRn^QM|fO$IR1j@2srbus+O;S>`6sZ=Lh$-`6(X4as+@^pd zoR`_pJD&>>?Z5GR&v%i=n)ojz_fIgpP5ag^RotU%Zy8gN*K~6F$I~)N&v(eKxHEzG z;;f6+$#;C2BW$fE2ABqFMEMyMpG`hFX}9nchewIN3y){KxT0O<^ut(e_G0PV3;F#{ zc|7RlHghTe^UgEQzHxf#@1EK@Q#v=UxVyJ_ zO=IoKj;LdsP9EXS+cWvd{2Mk}IsQ`9?1P(YY|HfoM63KREs&iZ%;V6h7tQ|UR=Ve; zoS2YHN3+(isNXF!L15`W)?%3*Q)BzRBOixxeqm~jdmy14e)kMh~N=OUIhmlFPe zQ;yLxDJ~b?AdaK;czU6y-+0Wa(p@kXo z4ttb^CM5lZLnSxeQknMxzO9AOdku5 z+BjalT>kmi1=p7?!3!05(kq_}h;9+M8CdQjBYeX{tXM`*-edZSb1ct}*S>TK{_6VM 
zu`oq=uh$$&DYn?Hc+woV$5)PH&p0J0ma6m0QT;Oo2}OP<#gFKPZpUY zDiZ^Cg)HD*;az=s`_aAr@AglSW9@4-HFS2rrkwlfhl0qi$fWlH2{Zh98=C}cXRp1^ K@wY(GFbx2L){yT2 literal 0 HcmV?d00001 diff --git a/certs/mldsa/mldsa87_bare-seed.der b/certs/mldsa/mldsa87_bare-seed.der new file mode 100644 index 0000000000000000000000000000000000000000..bf0dcc7c36efae130dad78daff8a0dd8955b990b GIT binary patch literal 52 zcmXpoVq#=4;AZ1YX!Br9WoBU(W>Huh-z;cyLrCcRZu|L(UVZX1``a~AH(ofmV>0u~ I!q{(W09Eo4TmS$7 literal 0 HcmV?d00001 
diff --git a/certs/mldsa/mldsa87_oqskeypair.der b/certs/mldsa/mldsa87_oqskeypair.der new file mode 100644 index 0000000000000000000000000000000000000000..d81717730772c5a64627466dec075f3d9fec57d4 GIT binary patch literal 7516 zcmXqLl8s`#yJAVF3JaZs!x?g& zGGpTBF0{NqV|w@B@0IGStS8;uxLm4Yi}`YHgEfy@bcBk13;Q?FlU?0=YF<;-MrbFtt?mltx97d>D6xwF$oXXnFT3pykEz5o8P z^s_e4nzXmRwVYEkaFK#X0~439qRYi4tS8J^Rm3tFrzc1Xrpd6dB(r24nV^}h!RYCd zuvn+M;q&rReqyMMhDL2MY{67YGV? zdMT==OcZfsl$hu|qu|Uo50-^FX9QAwJPMOlc%2-2g;#WRCq-QcgE?inu2RiZL8=&=g=!3}W)QID?T#IQ7v2Mk&TliK7!v z905a3~Fk+SGiWM#axBivGgK4=h1qz_iX=LHSU7VYPZ4bC&^h4IwnRi=(w5W< zY6=bwxq@s82OJof3@1Ke<7i&OA?cv@gh5wgS;7;g1OW*bk*N+!9l28s+@81zN(p5~ zDDW+r(tFd0?}@3lvtu76Q95oh888m z2!^6$HX(_rEDVgAGnIT*RtC-x^Xafi5_V&fbSj8B;>f_Rz_7&7bB039F---LzDWx- zAF8z}OzChwlsbut%Y(zflc}}QEaR4hk&hTJ;}U}=AzvPk07XaMQznd!3py3HOpw{a z>NCTUdqqGr(?rGPfkJMYhuz!)nbM+__)?fMt~9wco3SvPcE(s}IxR>!AmkLIl69hq zHR?pdjV+o23j@0u6c`w}l#C{HPE&X=Aw#6Yr?EjmqP_5lLkqJq)2tn>4GJnf4q6i8 zDgv4T&Q3v!%X^tvi$aV76f8TgsBkD72V7p_(8-kG;^z5yl7fh45c47)7bT@65!C>T zj>$)I9G4kJF)4OT5?pj`G4U`*UxZPY^i~xP<(7j>0v~E5O;YJiG)cY9lp(=r*y)lrN1*ML zNbeH{w;5Y9yr%@pFe^-QGq^P)mva%ztd<-Gx7+{|RvtFa$r_46mW_={3NoghoN7ga z8U8!=E%azxy(Rl=ftKqpI{ap=9#%% z$_=x`c!IXDrZ^NyDQGB|X5Hw>on#i^eIlcoiHFNP^^}p*?GBD$w^U_OL61$n3Y#^U zx9BKIy3KLmy1b1?#MGzfNTA|oK>@V_rp1BGVx5U1O(B1WFf>Y9m8YNrka1W07C zSh}7NNqe$MRY^$ju?FYiWtt)?fr8EkK8tu6+$SmuaC(~Y2#f2TS(Mu#(wHLF!0f=t>X9hX z>7dk@ydm&WNAC;?UIoPoLR(n4wqyvgO_X6snrNWIt)VJC!H2<__l!^`r?Oy!%A^w} zE-ceJRW$n?4y4SOq|#!R73raJTEb^JQs<2Suu zb#wN+g(=Tjuk58!JCm zw%M_9W$o`-A@B7iJ3q$HVSn`Euuz_U%ZDtcip<0LPybr;Sx!Iwjdy;UNp{69#e$Ye z@tj zm6P8#S6p*Hn)vd|F}1$=9hGM{G-PsI_tLYUU+t}PY>_di?erw(|MOdpBr$$2kEu^| z+_1_{eSXBXTN?xU-s)-vODM1Do)n_&oOa>XkIrT3d+Vhl`{r=Z*!TOG%&+2;e5wgH zt`~|n?p`^$YVxZ8AMYof5dVIBM!Kt9(#7lB=jkUd)BC!h$oRaJkEGvQ*yR)OX2Z<*e^BhO!u z_D)H;e%xsP-D7UNjPkakc3Ia0{~g~qd-{ZZ4}$9KvbRcI6g+#hIdgWyTdSJeN%9FT zI^lm}l$ZK{@!G8SqgdrjIXhp{+tP9?VYlKm?T2UL7_KeVShb<1Amu=H=t(!hJ~fqR 
zQnrN?qzc~#&wbUhM6cFCabtwULh;4HhKgL=S*P3gF~>R1=I?Xa%@p@4=aFX3>$^;^ zKKE66`Ihfpx!%-szr%|K$C77RD3pD1FU;uUU;2&9p*v{9oe4E(()Ba`&$#yLbwEnt zar>A!mcwb@Ut5Lv?7pkDS}Z#Aw!q`I-}{Y*4IAgZu`8Ro`TAxJZq^TiFMFRZh!0$0 z6wn~%v^!w6-tMda+vLR08~FFNIIk<*t^Fk`XWCn>B9}${Q~VgFytrv@>v*%eCA1=9 z*&F_*+e};DK34v&d)uVbzauK)>g2255~&TLo5bB1ujU2ciS4PoYBiy3iS<#AQ!Zke zKlwtPqZKAJO=a~^d;R;;jToW1syd!sm-=1apJP_Cbtr)$602d+-z4X=`k_bQ+dKik6#z+0#bTTWn~t-Sw0GR zpu_evk0tt1_N}jrJ584CDVRICIJ*2!Ol&}Zed5fcPaD|}PX185?3C-bla~MZeYUCb zZZ~xdW-oL&YdFhgx zu<2x<$i+V7KB6!udYlpTlbUR}DeP;L3UX_i6Dw4NSx)|x-_>x0L8 zc6@(mnlvjzLWL*tlpfdQ%iJ4xbA{iUBDo>{V7+aDcmDL-*;t z=D$jH>(xDOrB0P$nRV@pm>}m?hDR53pZ{qR*|6DS#;U@asQlBeLY7slBj2ZVo#F@< zs?U4%!*MkuU!Q_4Lk3U9udOM8-+ygo4>JjPm^S&P)V9C~7q_J8ue=)9yI18LDvHi*h(i?IEpItq)=`y=}@zU;ar+16n{~Q%bdd>8H=?1?kj*M2G=eKhm zsXDRi0P|O_E9VPeZ3v%|`$^)n=qg)zXU^VoCQXaDk0%s1akTCUNOE`HarMjG&5tvC zHMrPYikd7P=A2veH?iiznW;0g{ub+q=n5r-oMfAJCiG&k{#VBBZNE74ru;3xzl1OA zG^_1DeL3C>@z0x<^d5Xr6mjEGde9r5Ht!EN;v5Q>EGl08F6#a2nP1vj@2ZPE)}Ob; zI{w;)-P<+1Ua#M4xAo<(4KjRces^3PwWmZ&7T!)zv8g&(Zoz*cb(4PB7f7@JTlIG1 zuA_-PsZY!oF~+b&EWP9_xA|Y+!lkcD_Zy4n__w^?@A`S`F^lDq|L!nNy`+AI>rKq= z+KE38uZoH&QhuLvS7_n?^JjB^*!WEo5)_<2H{0pc+Jzea3>7llNy2TxHkX~(K4|TTtDo{~+q90K zt6o(YWjye!IH9UK_v`1(?skig<=l$QKMZm#*&-96>8yFXf7x zSC~(&iM@D!X7s|ug8>X*ggV`{n~HB1Oq*);D$C+TSb8|`w1|COCEBmuYb+lmefhTg zv2|y%@G7a?Qhm&M8%jWYmWY7{da58nHi_tIAb-R zeHA_Eo%Xpcv0J10doq*JiSkK)=i8SxEvpQFwnOIowD8mOxOsamwZFWauCMsA_@=*R zeut2!qHiQagn8WI__fcuEFT@etI!^7x32qPXC!Y-?v~GoP4<;MH$9mX@~Yq^tL?vt z21Zdk#>)Box<0>Vyu-IOl0lqrCd0Aifz^#i-_Q8+x~`^sC3CTx_w_H&wBi^p77QO}-}RC;d}( zpMNU<8l~{Rwe6o;GT%MAd2rSy-^BX|CT^K}$d}LAXUS6UDORV%qLie<1o+x@s_gx3 zGhb=UKA<@DIVS_#M$`N2L|166dhspOthu1;{bg;x{7cqhht|IAD)_#iNVmorYbzn>_wV>?4D)479ZK2H3Y<812jO5W+Tl0ia%NnC}->CUwpzA=t( z4te_8znD;1JMF&n;l91W?J}ij^S?>T>CT_v{@8c7eVE>)yQ%rDFC*`8U)E{QSSa$l zxgasK>C~bVy953<)kpk4Fp*k)>V^ADQLH=9DXN3yVA*xfdl|IWhIsa{tCZlApN z*T(132e0=%8IKot?A>~x+o9v%r20q6BARZo?($swZ?qon;K@04RPNYauJf8YKa77w zWE}o@rh59_n%hro%O9UGuw~%ret4< 
zUKZ1I&{pmIlmG{zpMho%7Rg(Fy77)}InN*YAE8|``!~IKw>f5l*V8>uXB39tGmF)@ z=6U?Y*_nwpTEemuOeXHlyd^ZFs3^;DqsHE{0~JzNi(MW{Oud-cyyweO^GRupPs>lF z%ZY@4VW~7fYH8hn``L-ZvFA=*Ztvz?J2{%auK1|*29Z^M&*IAFy;R+?L*Diw+sni= zY@hEfcs}{Hx`Lu~y)T2t?&!4BVyjL)y(`c1?#Q!(Wg4z)*WKPNc_7bs||o zUW~3@Vm<4H+i~BIj-Lej&h5M=mwoJA=7j4_*14NP``nK_y;<|ROJn-f>sOck2oN-B zOnCY7nbBQtp(2;f=VV37{Ja^Bp16d3Gg~cM>C*ar$(j@YUkF*>Em2Cfoi?@b{Jtw9 zhkqRumDB}wC@rR%-XuBPC@6??Y)x^^)7xm{knEZ?2Nk^YrR56@{0ACQ>s?Q zO*=PHXWq-88rJD+)URG=*qu`PNv?1D^ShRgz2(K{7@uVetXok2JGa_fs6>|c%lXh0 zr_w79yJ9Q*C;pp!|2Ja_(&zw_*i6HISjFJ;@E;J@{&d&$z}>knHcL@StVYdUw| zU_yV8>eX3$R`OmI*2pfqY-bbiygl_w=EMUBZ~j$LU%dC;mynM;*#+2k9)9w1ru_5w z?I|C%WtZ`O$@?56n6*#Yf9ZtnllJxR6x!?hY44&E4wobKl~vQGn0ftQbZ&1ym%XFw zE%wXC%i~fH=U;8Rz2@k;kMFL=zIlITN|TUK^!qnwS(1-@`ZjU;Yq_#Ne_~dwZHP^p z7_{@KGt=>j#({^_Y+o?2g&R!m)u_Fi%&785-tEtOi^mIv(;HaRD$lDPo;PoC${O>~ zdCdpKcDTO2?>OffbDwt!gYS7AzOw@FcDab`bGph_(eg*gruoo=y zMyKWbo%ri-r+@NfxS%VSqQg^k)Z*Q(swC-&A>ED2Z{1Fxd;Nmd?A+O+_j)_oeak1f z8SFcDD9>7d+IESQ{!-K)*WBc_r8=ua3 zpZc{jbn>Ygx;GwY-kiH`k@&~;g?BFctc%xan}6Svuf8i;?n6cBsYiQ4YEIp5i`HGS zK4dSWf@R2pT(?QDW~@CPV{yzO*7%B0X7i_=ug|Z!AiO&IlC!kkY`e2eQAa;>X4iyk zzWT4hy?J}|r8W_jGwciM^k$oJM9Jz-w>RqbOkTYA?8WJmIgdMhKYpp|WRU8*9XCqF zDtasKeiBYQ_#sY3{=(;p#UJiy{WPC`OI!El8x1~JVe{wh433d5qHOO>nxPT=!l+i^V2K`Oem~t-MfD)xXq8!kv$Q%Mxt~&56mapVwDc z9y)i@?D34`i7U6Xo}IOvG5<=$SKEsQcU6<;w!2tLZGE+5$ldfubv)IEv)tkJmQ?b&#jW}1BDiUyhpo4IlmkP)4f`P>zK1LHM7N7g zX}b4fSIj@J)U+^x*@vI2++m8?6z5bM^6^^o$N3yqJrmoG&1EdQ>gczYkNwzn_o?r4 zZ7&KWbQkXHFK~Rdb)wRzZ~BFj3%J%*NY`yB6V9F$sW#!$F~(DRY%A7Qe_AENTDt74 zP;Rooxvkl%XC7`dKgqaP+%CRzPlbm=wq5nJ*OFIa9Ah)3pBF!$_UQzd;EeX0YxmuV zy4@Nz>H6lidur}j{C&>-Slz*ObAe{Y$EjV$Rw9YJue{1TH)-wH{Y4%(edhGspY(a} zcD|>HR<5(8^p+kfRJq#!w32DoEvGdv9N#b8dwH4IkuzV9Dwp{#o&S7Zdi4I?pQfeW zU%zkjf}QhypZglNzL?JN)_qdd!m1M!UOv0>TyLZmr5$)vT@=Q&dyWael%|(u-@A#u7-uixay!-Xfxs2@X)+|m!Z%l&R zzJBPpmSlTjxO>@!^{T4V|NEVgJlMF8Yk!h~;tVo;&wY9S#4!qzahS;LWBF4-^5vSZ^)Yj z?fJ?Q&1wCuXvOIa>AKf9E>3Ff)^ajpjYzf=G43~NvMow#J6!+ZzVQnt;dqh6A5+8k 
zo}9{}wz4$F$ewqmq^Hq$$H&WTFTHv_FVtq&`SOB}v!0AI0~amio&EAoN&M2U2RKD4 zdhYIDae89!U;qFB literal 0 HcmV?d00001 
diff --git a/certs/mldsa/mldsa87_priv-only.der b/certs/mldsa/mldsa87_priv-only.der new file mode 100644 index 0000000000000000000000000000000000000000..7b94ea37f95867bd0ca08975465326219f74abf0 GIT binary patch literal 4924 zcmXqL61HGsWH8`n<4kDtU`%CZVHRd-5>{bp5?1&l{F7n5#pal0$*Xufj-BNfHREbi z;#YhZFm>PenM>wtq!jlbiU_PK{2sZ6!F9)}lDqB;s*cDV+U229QvW)zB!B--EDZT3+|vw; zKb_^X(B*u$%tI$573EZpt&I`_LQJMEE(dxd7#JB_dX>afd1kUQFAiW{nyPr%fMa6g z%pDvIhOUQJv_>rG3}%|pWMp)DgDQ(6Q<6cWuzOm|F~S@2A7B1WQ7*b1rxXx zG(;vcG;L}0^2m&K5KLj>aA-=r)sVrmS>e$M-@_t`&PM_-Yc$=mn5g8LF{8!vQVYjv zmE6mRGA@WsVm``nXUBxwI|RHfTDcT5CyTJ0Sd`1j*pST8ddAI-X@yIonWD(ClsTI+ zh14DAh)q=HXq?5O*f4>&(=8>2jYUDi(1oq_NsFqGN8?NeFGgbzmK_e4)e3^Q88n-? zGH)^TK4!?wnj$>a=de-1FiZTF5Bj!gPd< zkHJttXuB$>VPeRpMg_r+#crH;T$H#plB6AU4;UGA3#iRzNaM8hyK;bWp;=E-OU7go z4~C@$ij6Hy4LQs#8X|^m-a>)O9K3S`dd^t*FdC#>Fq+tTLQp}at#L!oDTPdzWgRLl zj*mB}&TMkLz?Q(Y%r}N5O_054l0#l&1LI9M1!)UiE+x(ulf+9#0aAw?Bo}Jlc4?6^ zQIOc28g0U(a4gYln@`g*mj^C6Nh=(hl^9r96>oUBo)Ku|RBt;X#MH3ClX3IJJ4*x_ zJ9HDp*k+vQY_Ui-FqEo^VHN^#+CZsF~n0P3)fq*=7xwV8MjZQ%wXaQ z3nNF{38gOP>5d}eK^(2FCq0^yL?-yS@f}nMl5%xA zvQ3A3Mvfy>jxrM`$0P+65jPP7#TbPg5f3)*Eg2FTeU}*oCb(p(sHIL3NjtqISJ1FS zn4{}bgGv_*%cMntT<(R8OFV8IE1cpsF;Xc&LPST>OfS-e^|YEGqe;SLjYRHNA1R?p z3|k!>cl5}#HnJEgs<3iJ&ge+!&=i>3`q-swK~u(Mx84pBmn$YY3q(A;Cp1X3=y15C z9cWP$R#)?x!098T8Pn8obBSuRgur8kE{9D%31*&&CZ5WiJr7)(V$@QUR19u$GzNR9 zD06ltZRil*9-y$9fpfct$C1`a6L>vcR67q9FfK8e;=%ji81D_XMu{z%O%9p@7A!La zJm(k~avJw4Ol4Rg;xT)Xz(kLpAP2VFOj-&p2B#$iIc79Q%t$$Nj8SL;&mj(1M-8VV z9)d0{fle)+0zz3A7V)%5^xYQ8IKX6dU`xSc4^QP~E)pCrAsSi=0)C4QInH!5ik!xK zLWK8Vi-V-wgpN%Do@Sas0(mzlDID3Mcv&Ik!itFrlT=vDm}V&WBr6CwGdT$5TmF^ppn3W6{!NM0*{4!n2sB;9O8}C=)1hb^Ma6CoBWTBbxf&qlm*t#|Ftl~ z`f=F?d%*=O-InH@(OtZM=6}~abE_G==ZBa+*dc!0iLFCMYFWi6H_wkx?MriN^F#ao1X|^!lrG$Q@nBYhT<00(fYcV<)B0g| z3eMJaY}NW*(6-Sj^vtdu8th9rmR;}O;cDT^;UuzP){K>Fr?I%{SigG%=O;TWW8dx~GuvBDITVyqAUj95hl3zMXUY(lb%Eb9rKj zoAmi6^PJ^2W=>c0YeGF6o=6w2u=Ey;uQ{NXB)oT#u*^(W{~sN)Z}?}Ysqi?eLk6mu8j 
zedYE}`p^55ySVEU^5sqXpFIC+(N(s~JgoD6Qr(g%tE?jD-N=8&`1S%;ty?ydg1Z(-%F5sTE26|Mv1qd06AkMfB0n5B zB#s$2ZJE%p(b@V)!08Xp0yo4=gjlsNTdwP1$UUgy^7^HjvE#y-msqPEreBe0x%Fy8 zz$vAQKi2&Hw`3+Pz4GXDlEH_2uP*b2cii8}z}j+k8*@zD zvn{JDQeLT^PWJ3)aa$;RbzkJQ8HqD4m{}O`K9tm0_9OnbS$B&KFT=w(PoH*nIC=Z` zhCMUc^X{Vgw*KvmzU$S(f~N&={9NYFD7Is6>V@FLlON4~5xOPIQ{aWJW#98RXD>J$ zd%0weNf)Q$&ZRr7_imrla_M!qOKNPKYlPqZqKhfK9Z9j-k9nJ&E4yS3ugZ3aY~tF& zc{iGUDzp9v``lIHA(x}I&qQCp=yBHm#hYumZ>r$it#vF;_RX=s zem_uUXiBelKmBpl&3Kumepx)e2XCBoObXn8;9B;5+V^)<87m;GBB+WGSIjMQtFJ6$G~@i5KG3V(KSsmU5)m+%%rO)f6$xy>sI&NN6p zUnNpydU{q2Ytn^%zPaB8bnC9jOJ(@+Eb@0gf1ge3@T1(xm1R0EcRsT0XP;a9c}B&5 zhoz2R{X^udoyu=N+O*}OhqPsMOdIzE)dW}m+W{RL`!=3d)pb3-{=-iXMsw>boz}3t zw1Bfk%%v-O=j<=4ejaj_?eQD#e!2b+K527`+poAe=lZ>M;VBb4d%<(w{@VIE z3;5S8Oxbl~*W-Y@yvaRhf*PtA&7N#5imfp^!N0`5-tJGn)B*SZuCoj-xm2J1+!o}= z`a*Iw=g(gu)1T|~u5ox)^0oWYQ=dm!lYNe>ELc9NhUInYii(O>n}eT0|DX1Br*uxbQ0#wr=9zB3jfI!~-0G;)yE@V0zrl@nKWhW#ZZ|1tyzu#;@@6{D7WV2es zbUovNc4Ob2S%u%q_b>3i`E<>s5RDBnCU*ZlB`18b6xknVaKK<{*wRa8TrumfeP7cR zc*UwEx~hopW-k9(%Tq^|t#En1+#|ksZJOrfe_KT3W*yya;b+1w>E7REc+}=vwps}cCz0+FX$7~ zoq}anzyC}>tZuQEW&PnJh4-%XYESk(l#sAZbHf`8+XO{pR*h!u9P8$pvu1Zhmu*&c znmK<{ds5c{z0GNh-d@SxevPq$sVTH>BKyX>yByDcTE$@R78Md}$>00Kxo~ZCtHQ!9 z(T{)L&GOL{Fx&V^duCnk5i{}Ei8FYYZ{gt6kD4!8J9SOahMgV7;>xTgXSg@s_O)LY zd#cgwXys$a#IDz;EjJVjOWx_YX>0jk{`JZYR>_S|0~#z6Gu(t-cY6zksBL+7&?@!S z^nD%~$JTM2G&jBYd_%nVe~n!sR-0GFnVok%tHdhJ>3L>B+T2&F7Z=X3{?(tEW%lce z;el!QtJ*iNVYx6ZqO~SwP0hba_iYa>i9ZqKH=)Ohb6RD<)4P*C?-Aixa%Spl85dL2 zxPUgHZPyQM-fZ8@*_qIx>vVK)*gv^*pPuTiPjh5jYV|(Fd}THJ_Gc=Bb3!s6Yg+O5 zUlZe)cW-{-cD+5X?oOIl(y;N{neM8VG}X=ZaqPk#OTUX>E8lkCFnOmYUusCjg3mSl z^X*0FYS!MF{^h9s&Uq(zPHr%ekTA;=`1JRuswdwp&Vx%M>wkWJD{_FtTcEsP$HKSY zd7I{~x%OeJ*qz_IOZfZ}g{wqfyo?HvmqeHJ~DdNyUQX8q!O8@8^0 z(Y4d5-R548>Axq(x^uUDth(gpr_XjMNJ8qp)`!wpZ?dKoz3~#TJN@m~D|rcSkL=GS z^=k~CdVb7_d$9A*z5mN@eHXcOK~m^dxxl8Yv*h1jnS1EjN%yt?W~D3_vkZ>7*Xdkg zSorXp%gNlE_s#ikEdFJ*BV^{$r}v};gVN_jYrMP5|KZ7T^=_Ac2@4{>hzsc*m7RGs 
z%l?3(>?7Y?W&fFf7>idv*cIHU-TcCkr|!SYM9pdMHe~PjQt6H4XQ-K&>wP?=CfIaB z`mDBI=6!+}1WK8UPcKQav^^CyTTOY1+Uwte*-EcdoTq;IzINH3W6jnFe#9)>mG)Hp z(fx-H4&CScJ&8?^v%q}zZ3W+dX@)JA+=xBf;CU|=Y-=!`^9``kWhUR_Rbzw&QRMkD{?Yh;g0t_~{ZOopzqle>2)^67D$*PN_Pc*+_ zpEgHx^HYhuRU0@oqz=wzU${5DikmB||C#30>U^Jc=4X{9*;XGW@p@m*bl0<4+_;XZ zWa_?zjjNewcrJ-=JijR-My>xgyO4fH2-ok$wn?Y|8C;#~aC5DNZ1o;-?wI2ZGoya) zs@s)+hk1eId4un}Uj16Qef7)N;rfIAmMjyCYXRy^pNRRbHOoQdP2rWqV@7$Bpy*cXz!LxLDb`V2{k31-iO`A28|eztB2+upvM4z)>bhfi=m@W@%m zzx2k}n#ZMj1$G}dcJ*=8Z8kk>HGyCERLt?j#Vo5VV?Ej}mc*U@zR>sHgfG22E3*GD Nc<33C>{9DG2LQ)pp(y|W literal 0 HcmV?d00001 
diff --git a/certs/mldsa/mldsa87_seed-only.der b/certs/mldsa/mldsa87_seed-only.der new file mode 100644 index 0000000000000000000000000000000000000000..6ec75512b722643297a10afd19693e77cf6433d0 GIT binary patch literal 54 zcmXpoVPa%3;AZ1YX!Br9WoBU(W>IQTINPAI_XAK?>rrRuO zho%|IxTU6;wa%WQ5wJqQlOs=JqJW~3uaYq9tqHkHSe$~CaxSf4Y++zxG+=8y(86LF z5Pih6g`tb7BcVsgLBN&a5ktZa2F(X<9nL#4lwEZNJXvA{1Qg9(1w{)3B;1rvwsw1P zHfR){#FbeyEX#m(Bvqv+AN#lb^GKxDEHhvK9T2g55Zf)X=1Ty}Kcn&cTXDW}VY zm(zKY%8Y;`E_s}ssY`?=Np^Zfsw7Hk1kP?rk=&9xVUvoYqRUAo)&~s*v$qKznbskE z!bf;Z!;B-XS1h!++c~F*BuFh!xFyjcG0l^UQ&m`4$9Y1p(6S6>$({uUj#tz?1eIGa zZfIayWN>0dYY$TbqpOhfp};3XoHw@UOlAq1z`($=O!K5$YY2m3634{Z+Y*JEc$6$P zBo!KkB-C0Cv@nP(a5H*Hs3|e2G77kPb_ub0v@`^WWeN!j&C%$3B9<_VY2r+KMUHfMP0Mkbmb!RGCX0h%_qN=H5|a*jqzZHD9XY`G=vZ%zi{5NC zwaFp{5e7NT%{h-|xOPlRJ?tVFDA4lQXhIZ6s;8MA_i@HxhqRlE8WdGp4;|utv?-Ho z>BProte$Q@2e!045NhIP$ZRy|>R6FDWeKO?_MRysTp|n(LK_Q&G+crjd>4puHc#;s zoT16NJmsWYgV5H3W(I>((>w(%6}a3p71i{FnK_h?PE_6?Fvo=@p+$9(Nsq`OPahA~ z?g^?cM>2&4auwWEJO%g|Jro{0^-h}5BjMtp;*>Pm$@54<4}+qRgka{Rwni3{qRGot zWQ=orcBDv(bslu^3{nXQUXdETXrkbf97YS?Ga`&4#vRh0K8gx~4^}ifnyK`h=Y%-~98^eSKAD%YF0~1`G*whq+ zRT2bvrX0vr5zoBTlFQ-Hd+~sQ;xvVj1B{HW9^FO`$w~|^CP`d7InOXP-QZ}O?4)ys zq4APH3y*Q4u!NBiV}askUTKjWZlNT>8HSuIHE)lYqT-T5;TE3YHi0MugDXk_LY^+o7J?Ur^1MVe6c0@dG0Bw?X1!^^!D6Ay z?dqA_;MhE+VahbtXtsh`Mut-aT9_>Ilvs>pIExl}s9o^j=`!=YX`(P`3d^ER42f!) 
z$=eVTyInx!gCo6zWzy1-3O%AoCpMbLyM zo&{`z9&R~v1e&^*IXq%eyfDLX(t*^OYypq9WD0I>P+r~{!q6psveBD^@zIIa8EOrU z4!S}tT0R=N!lFzvTM9Tu6&f_OCK@P7PiWvc(x{}`7A2yRxU403Nr#t6VH1;T<0L^Q zvyMg&2jS_iEQ)NLTPB>@rpd8A@kxiqzaWxn#Zs-=zJ+vPnjA!eS<6l`^hh-7m$A?-*9IS*=Unkm1IwTDpJps=H@D7_i6|EZX$f zNb>8?m&$h>)v|jl1G*-O`gAi$R6G&iSNHwr{B?h83d;=~9~N|8Km6&=H>FEGB|F`E zeAlko_4BME`;Q|$#Pbes=+d1lJ^zO3 zx+7Wa_mU;OAFzEAG(D)KUA3~Q+1tQVkjF>$X44~$Uq#DQ_ty1$>$YDuEBwTE$CO2> zYodtT+DkXss#%V|cp}$!A%nf>FSl3C8~!$Z@p8{++v|DveY(5*kMpo!fTJE~iwrjOX#~@)lWGD8lsLcG9)j%J;vIEKqnY-~VxL!|M6vX{&BZez~d6 zJL%FDhHd+P=&0}toSUE7u=ve^Xr^bUu19yaR9v5)d(Pj<(&y4WW1h}4H(Il8_xCNT z{;#&{q`l6Rm#^Q+zbh@iGBYdv_0QJJ)?Zz#bQWDMurhvo$U*i>@mEt_+b4(CvALgi z6y=e*Ua>hPKzpmJS=qsWV|)J{Tju-1Ke78y{M8pVWCF^y8maz~mb- z8a~qgMg|-!q$and@2ra9y7j;0e4@Id-Y16F=k^?so@#L0>+Ium2crV5w!C!aw9qb} zw{eQRV4G{f?1$!Y8~JJuWmm>u-#C@?$%MO&j%_n4;!nRgx;eWtKL-j%t2ySY_njc@Ae z_wzP3NWPn+-X%NhfzPT6gV{m?E^~Ki%Kl(fZqPrvXOZC^t%{>&cGLXlCH*;`{7@tN zn3fj5e|qDbS+e_0CK?LWcPO0UT()J2rJ20wcfFKT&LL;T-vnRr>y?2!y;WOTs}wB9-jy~qu(1a`RCTGSxU-Y`*u7E zp1bNt!0pM0Cp@^ZB_wHgu=UNEF0+iK?|K+Yvus&*#({ZXMwQG*wO_xzCdKSh3h%Wt z(eIshV(+o9tNtCF?(!mIQ`y5*A2FG2Cu?m~?rydCkR;Zi;dE)Oc9XYGPWtwZsy_d@ zZ++{W-m%{;B;v<`u-CPQYU{3EoBr9DG5yK9_&b^*e2=}QN=<%y9~+xpxZ!;@L7#_$IvjKU-eSq$ zy2|eMC4oQd-tTzVFx}^U*Xd%97D=B2`}a*|4&kUO^RRuk$zbu5_m_Tz73#CF ztka$`y+LqK_K~g9M~^311@7DYrv2yRre53ccV?(D>vJ46ueVf)+k4~Y%AT3(9ozr= zGRWKiO*|_;b<@*G=Oe$5npUl;Yzzrt-Eov>!PjNmqhJ0xet*H7-;8-aeGkvo%%AEZ zw8&0Uv6PbQhUjD!r76q2f_+Sb=ldzU#B{mmp%5D@_pAaWBKXV2Aq#Kar(DW{Z*SfvP0gabl1y-)CO>pw?R8b0Xyl^;H)?3i{bVGCok-&6sHbE5H0pRPrmpQifnKy+p5*`Bkx zDjqBecaPjPu1oBlSGzv#&FK$UGqprRELOZ`+$E4x>|``Czuhi9;i0qfGbd&~|2Iai zM^FBkKk-x2?5p>_wf`?INw@crUHaDlSdh@NaIvdDe#IU>%*V9tRX}9tlRD<#ck8Yt z9G)x^Qgfw)uQfVk!C}vM52cxAB5N}Jik zUiF=xxKeiSMX_I3JJO~-KBK$bF6j1;E#;=B$Ir{%V|>=xxao=P`_t1>kHzna`n5aWKgZ^sYm;tSNvAIfVKw<`axuC@=2WGOLCli}YLDX| z8wMt6@NJ(Lr@j4WDQoe!%l8&AI`GX@I4t>4uVxX8&e{A|CQ)zBt=H~8`F`2_zR4YN zJPWyf<)-ba6xFMlGyk`#`mXl|{@XO2A}4!HHY6e^w&om^WEv~qVkmQ 
zU(aNZx~=!8sBm04e%GgZ_eqhw1-A~gUDkYdWOBTzXu%PkH6It)Wh$i3n!h}(_^ZEi zwn&`DMHXT9#HmR?dCE+u?+DrYe(H>*UVqm^Ei87^N{&cqm^gdn-R1I<;+k6R=wMY5 z?zm}P|2er?C5c;{%2I6V=I+#GAK4|m;3COoGO_F6qVD$`u}+voebRVz&1JG=LD1Y5s( z<}SHs&;RLbH(4be(>!y#`$n0=MUl6!UwAIg-MHjzb(y{YeY0bhH!j#L-5=Y0Kl17K zr^3gTE(>Xu{qR}bmHKyv!p{F{iT2-5a&a7!G7I6Pmv=5k6rh!IjJ!17faOd)?Lk+*00Uj zUrn$JJYd1^l(4@c;=9;%b?0|EVS2x>H#9%3-;h`1&av|3jQjZ($5UUe3onV{RS^hhv&;$q}U(zv=pZ@P38kJEwKC-*nD>|WITtoz^W__ZPjw|#x) z!M^0zkNqxw4UTXAiBCUpZC_|fT$vV|@U_&ZTCDFF1vQ1T3TtkiR+`EA)-2@y7uK_N zLZN19p^_oik9^GRa;BK-?MlnJY~H`&UO0PRU+sZ8bCQy#yt*ada#2@J;^cX5!On%A zdsiO3wCc!C-U(_G19l!f#4_Q-!pohzGyblazsdN{z8l-79{d}%y!P7D+4qR0mp*Y z-1PpDR++r!MEt?Gq2HAv9g_FEhOE%)n!7_#O!`GqQdLX%m4Y~kAe@2d&l zv%23u3%vGTUaTi#RU!JM&MvX(<0Y?>&G|)cvR8$-tzWyjr{ognlHJAcNh)t+bnJNj<#1KA>ocC$7CiK;staj~IWzm7%Y%&TYLO0` z4o*A!E|{BPp7)YN-K_CDUwB3pgdWa$EfDyKM`LcmM{yJOzu#`$|EAD7(_&%B)YmJs E0J*Wb5C8xG literal 0 HcmV?d00001 From bbcdfe92e05f9abf99fbd676803fe5e43c20974c Mon Sep 17 00:00:00 2001 From: Koji Takeda Date: Mon, 28 Jul 2025 17:39:42 +0900 Subject: [PATCH 3/4] Disable exporting dilithium DER tests without WOLFSSL_ASN_TEMPLATE --- tests/api/test_mldsa.c | 34 +++++++++++++++++++++++++++++++++- wolfcrypt/src/asn.c | 5 +++++ wolfcrypt/test/test.c | 6 +++--- 3 files changed, 41 insertions(+), 4 deletions(-) diff --git a/tests/api/test_mldsa.c b/tests/api/test_mldsa.c index 132b797c9..445412cff 100644 --- a/tests/api/test_mldsa.c +++ b/tests/api/test_mldsa.c @@ -3004,8 +3004,13 @@ int test_wc_dilithium_der(void) ExpectIntEQ(wc_Dilithium_PrivateKeyToDer(NULL, NULL, 0 ), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#ifndef WOLFSSL_ASN_TEMPLATE + ExpectIntEQ(wc_Dilithium_PrivateKeyToDer(key , NULL, + 0 ), BAD_FUNC_ARG); +#else ExpectIntGT(wc_Dilithium_PrivateKeyToDer(key , NULL, 0 ), 0); +#endif ExpectIntEQ(wc_Dilithium_PrivateKeyToDer(NULL, der , 0 ), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(wc_Dilithium_PrivateKeyToDer(NULL, NULL, 
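Review bot: The expectation added under `#ifndef WOLFSSL_ASN_TEMPLATE` is written as bare `BAD_FUNC_ARG`, while the neighbouring assertions in this function wrap expected error codes as `WC_NO_ERR_TRACE(BAD_FUNC_ARG)`. The wrapper is presumably there so that builds with error-code tracing do not log errors the test provokes on purpose, so the added line should end `0 ), WC_NO_ERR_TRACE(BAD_FUNC_ARG));`. The same applies to the non-template expectations added in the later hunks of test_wc_dilithium_der: the two length-only checks, the `wc_Dilithium_KeyToDer(key , NULL, 0 )` check, and the two `len = ...` export checks. test_wc_dilithium_der starts and ends outside this hunk.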
@@ -3015,13 +3020,23 @@ int test_wc_dilithium_der(void) ExpectIntEQ(wc_Dilithium_PrivateKeyToDer(key , der , 0 ), WC_NO_ERR_TRACE(BUFFER_E)); /* Get length only. */ +#ifndef WOLFSSL_ASN_TEMPLATE + ExpectIntEQ(wc_Dilithium_PrivateKeyToDer(key , NULL, + DILITHIUM_MAX_DER_SIZE), BAD_FUNC_ARG); +#else ExpectIntEQ(wc_Dilithium_PrivateKeyToDer(key , NULL, DILITHIUM_MAX_DER_SIZE), privDerLen); +#endif ExpectIntEQ(wc_Dilithium_KeyToDer(NULL, NULL, 0 ), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#ifndef WOLFSSL_ASN_TEMPLATE + ExpectIntEQ(wc_Dilithium_KeyToDer(key , NULL, 0 ), + BAD_FUNC_ARG); +#else ExpectIntGT(wc_Dilithium_KeyToDer(key , NULL, 0 ), 0 ); +#endif ExpectIntEQ(wc_Dilithium_KeyToDer(NULL, der , 0 ), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(wc_Dilithium_KeyToDer(NULL, NULL, DILITHIUM_MAX_DER_SIZE), @@ -3031,8 +3046,13 @@ int test_wc_dilithium_der(void) ExpectIntEQ(wc_Dilithium_KeyToDer(key , der , 0 ), WC_NO_ERR_TRACE(BUFFER_E)); /* Get length only. */ +#ifndef WOLFSSL_ASN_TEMPLATE + ExpectIntEQ(wc_Dilithium_KeyToDer(key , NULL, DILITHIUM_MAX_DER_SIZE), + BAD_FUNC_ARG); +#else ExpectIntEQ(wc_Dilithium_KeyToDer(key , NULL, DILITHIUM_MAX_DER_SIZE), keyDerLen); +#endif ExpectIntEQ(wc_Dilithium_PublicKeyDecode(NULL, NULL, NULL, 0 ), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); 
@@ -3081,15 +3101,25 @@ int test_wc_dilithium_der(void) idx = 0; ExpectIntEQ(wc_Dilithium_PublicKeyDecode(der, &idx, key, len), 0); +#ifndef WOLFSSL_ASN_TEMPLATE + ExpectIntEQ(len = wc_Dilithium_PrivateKeyToDer(key, der, + DILITHIUM_MAX_DER_SIZE), BAD_FUNC_ARG); +#else ExpectIntEQ(len = wc_Dilithium_PrivateKeyToDer(key, der, DILITHIUM_MAX_DER_SIZE), privDerLen); idx = 0; ExpectIntEQ(wc_Dilithium_PrivateKeyDecode(der, &idx, key, len), 0); +#endif +#ifndef WOLFSSL_ASN_TEMPLATE + ExpectIntEQ(len = wc_Dilithium_KeyToDer(key, der, DILITHIUM_MAX_DER_SIZE), + BAD_FUNC_ARG); +#else ExpectIntEQ(len = wc_Dilithium_KeyToDer(key, der, DILITHIUM_MAX_DER_SIZE), keyDerLen); idx = 0; ExpectIntEQ(wc_Dilithium_PrivateKeyDecode(der, &idx, key, len), 0); +#endif wc_dilithium_free(key); @@ -3097,6 +3127,8 @@ int test_wc_dilithium_der(void) XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + (void)keyDerLen; #endif return EXPECT_RESULT(); } @@ -16878,7 +16910,7 @@ int test_mldsa_pkcs8_export_import_wolfSSL_form(void) (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) && \ !defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - !defined(WOLFSSL_DILITHIUM_NO_ASN1) + !defined(WOLFSSL_DILITHIUM_NO_ASN1) && defined(WOLFSSL_ASN_TEMPLATE) WOLFSSL_CTX* ctx = NULL; size_t i; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index bd448c355..d1e892dcc 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -37583,6 +37583,11 @@ int SetAsymKeyDer(const byte* privKey, word32 privKeyLen, } #ifndef WOLFSSL_ASN_TEMPLATE + if (privKeyLen >= 128 || pubKeyLen >= 128) { + /* privKeyLen and pubKeyLen are assumed to be less than 128 */ + return BAD_FUNC_ARG; + } + /* calculate size */ if (pubKey) { pubSz = 2 + pubKeyLen; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index c05cb23cd..a0850bbd9 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c 
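Review bot: The new guard in SetAsymKeyDer, `privKeyLen >= 128 || pubKeyLen >= 128`, uses a bare constant and its comment does not say where 128 comes from. The `pubSz = 2 + pubKeyLen` line below it suggests the non-template size calculation budgets one tag byte and one short-form DER length byte per field, which only holds for content lengths up to 127. If the private key is emitted inside a nested OCTET STRING, as PKCS#8 OneAsymmetricKey does, the outer length is `privKeyLen + 2`, so 126 and 127 would still need a long-form length and the computed size would be too small. Confirm this against the size calculation, which lies outside the hunk, and tighten to `privKeyLen >= 126` if so. The guard also rejects on `pubKeyLen` when `pubKey` is NULL, although the size code reads it only under `if (pubKey)`; `(pubKey != NULL && pubKeyLen >= 128)` plus a comment such as `/* size calculation below assumes short-form DER lengths (< 128) */` would make the intent explicit.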
@@ -46932,7 +46932,7 @@ static wc_test_ret_t test_dilithium_decode_level(const byte* rawKey, int isPublicOnlyKey) { int ret = 0; -#ifndef WOLFSSL_DILITHIUM_NO_ASN1 +#if !defined(WOLFSSL_DILITHIUM_NO_ASN1) && defined(WOLFSSL_ASN_TEMPLATE) /* Size the buffer to accommodate the largest encoded key size */ const word32 maxDerSz = DILITHIUM_MAX_PRV_KEY_DER_SIZE; word32 derSz; @@ -46982,7 +46982,7 @@ static wc_test_ret_t test_dilithium_decode_level(const byte* rawKey, #endif } -#ifndef WOLFSSL_DILITHIUM_NO_ASN1 +#if !defined(WOLFSSL_DILITHIUM_NO_ASN1) && defined(WOLFSSL_ASN_TEMPLATE) /* Export raw key as DER */ if (ret == 0) { #ifdef WOLFSSL_DILITHIUM_PUBLIC_KEY @@ -47056,7 +47056,7 @@ static wc_test_ret_t test_dilithium_decode_level(const byte* rawKey, ret = WC_TEST_RET_ENC_NC; } #endif /* !WOLFSSL_DILITHIUM_FIPS204_DRAFT */ -#endif /* WOLFSSL_DILITHIUM_NO_ASN1 */ +#endif /* !WOLFSSL_DILITHIUM_NO_ASN1 && WOLFSSL_ASN_TEMPLATE */ /* Cleanup */ wc_dilithium_free(key); From 189ba201f302f38604485712daa0430203eb8d86 Mon Sep 17 00:00:00 2001 From: Koji Takeda Date: Tue, 29 Jul 2025 07:15:32 +0900 Subject: [PATCH 4/4] Follow copilot review --- wolfcrypt/src/asn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index d1e892dcc..b9edf8e30 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -37074,7 +37074,7 @@ int DecodeAsymKey_Assign(const byte* input, word32* inOutIdx, word32 inSz, allowSeed = (seed != NULL && seedLen != NULL); #ifndef WOLFSSL_ASN_TEMPLATE - /* The seed can't be parsed without WOLF_ASN_TEMPLATE */ + /* The seed can't be parsed without WOLFSSL_ASN_TEMPLATE */ if (allowSeed) { return ASN_PARSE_E; }