Replace liboqs SPHINCS+ with SLH-DSA in certificate layer

Replace the liboqs-based pre-standardization SPHINCS+ implementation
with the native FIPS 205 SLH-DSA implementation across the
certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test
certificates plus TLS 1.3 .conf scenarios that exercise the new
verification path. All liboqs SPHINCS+ code is removed.

This enables SLH-DSA for certificate chain authentication: CA
certificates signed with SLH-DSA, certificate signature verification
against an SLH-DSA root. TLS 1.3 entity authentication via
CertificateVerify with SLH-DSA will be added in a follow-up PR.

Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and
NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families
across all twelve standardized variants.

DER codec:
- New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer,
  PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing
  4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested
  wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants.
- PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode
  and wc_Dilithium_PublicKeyDecode so callers (notably
  wolfssl_x509_make_der and ConfirmSignature, which pass the raw
  BIT STRING contents stashed by StoreKey) decode correctly. Honours
  the caller's *inOutIdx start offset.
- Error paths in Private/PublicKeyDecode preserve params/flags/
  inOutIdx and only ForceZero the buffer half each helper actually
  writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched).
- ImportPublic uses |= on flags so a Private-then-Public import
  sequence retains FLAG_PRIVATE.

OID dispatch:
- 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The
  pre-standardization OID-collision mechanism is removed since NIST
  OIDs do not collide.
- wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN
  (rather than -1) for recognised SLH-DSA OIDs whose parameter set
  isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch
  surfaces this as a precise diagnostic instead of the generic
  "No public key found".
- wc_GetKeyOID picks a placeholder parameter from whatever variant is
  compiled in and #errors at compile time if none is.
- asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes
  alongside SHAKE.

Tests and fixtures:
- Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and
  SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44
  entity keys (server + client), plus the gen script
  (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5).
- New TLS 1.3 .conf scenarios under tests/suites.c dispatch:
  test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a
  wrong-CA negative test test-tls13-slhdsa-fail.conf.
- DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der
  fixtures regenerated with wolfSSL's own encoder so the codec is
  pinned to RFC 9909.
- New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw
  PublicKeyDecode entry point that wolfssl_x509_make_der relies on.
- test_wc_slhdsa_check_key now tests both Public-then-Private and
  Private-then-Public import orderings.

Build / ABI:
- DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment
  for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107).
- All build system / IDE project files updated; SPHINCS+ sources,
  headers, and test data removed.
- Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and
  certs_test.h; the .der files on disk drive the decode tests.
This commit is contained in:
Tobias Frauenschläger
2026-04-20 15:12:16 +02:00
parent a057975347
commit 9393d62591
90 changed files with 10755 additions and 2926 deletions
+43 -20
View File
@@ -302,12 +302,18 @@ my @dilithium_5 = ( 1, 3, 6, 1, 4, 1, 2, 267, 12, 8, 7 );
my @mldsa_2 = ( 2, 16, 840, 1, 101, 3, 4, 3, 17 );
my @mldsa_3 = ( 2, 16, 840, 1, 101, 3, 4, 3, 18 );
my @mldsa_5 = ( 2, 16, 840, 1, 101, 3, 4, 3, 19 );
my @sphincs_fast_1 = ( 1, 3, 9999, 6, 7, 4 );
my @sphincs_fast_3 = ( 1, 3, 9999, 6, 8, 3 );
my @sphincs_fast_5 = ( 1, 3, 9999, 6, 9, 3 );
my @sphincs_small_1 = ( 1, 3, 9999, 6, 7, 10 );
my @sphincs_small_3 = ( 1, 3, 9999, 6, 8, 7 );
my @sphincs_small_5 = ( 1, 3, 9999, 6, 9, 7 );
my @slhdsa_sha2_128s = (2, 16, 840, 1, 101, 3, 4, 3, 20);
my @slhdsa_sha2_128f = (2, 16, 840, 1, 101, 3, 4, 3, 21);
my @slhdsa_sha2_192s = (2, 16, 840, 1, 101, 3, 4, 3, 22);
my @slhdsa_sha2_192f = (2, 16, 840, 1, 101, 3, 4, 3, 23);
my @slhdsa_sha2_256s = (2, 16, 840, 1, 101, 3, 4, 3, 24);
my @slhdsa_sha2_256f = (2, 16, 840, 1, 101, 3, 4, 3, 25);
my @slhdsa_shake_128s = (2, 16, 840, 1, 101, 3, 4, 3, 26);
my @slhdsa_shake_128f = (2, 16, 840, 1, 101, 3, 4, 3, 27);
my @slhdsa_shake_192s = (2, 16, 840, 1, 101, 3, 4, 3, 28);
my @slhdsa_shake_192f = (2, 16, 840, 1, 101, 3, 4, 3, 29);
my @slhdsa_shake_256s = (2, 16, 840, 1, 101, 3, 4, 3, 30);
my @slhdsa_shake_256f = (2, 16, 840, 1, 101, 3, 4, 3, 31);
my @keys = (
{ name => "ANON", oid => \@anon },
@@ -330,13 +336,18 @@ my @keys = (
{ name => "ML_DSA_LEVEL2", oid => \@mldsa_2 },
{ name => "ML_DSA_LEVEL3", oid => \@mldsa_3 },
{ name => "ML_DSA_LEVEL5", oid => \@mldsa_5 },
{ name => "SPHINCS_FAST_LEVEL1", oid => \@sphincs_fast_1 },
{ name => "SPHINCS_FAST_LEVEL3", oid => \@sphincs_fast_3,
oid_sum => 283 },
{ name => "SPHINCS_FAST_LEVEL5", oid => \@sphincs_fast_5 },
{ name => "SPHINCS_SMALL_LEVEL1", oid => \@sphincs_small_1 },
{ name => "SPHINCS_SMALL_LEVEL3", oid => \@sphincs_small_3 },
{ name => "SPHINCS_SMALL_LEVEL5", oid => \@sphincs_small_5 },
{ name => "SLH_DSA_SHA2_128S", oid => \@slhdsa_sha2_128s },
{ name => "SLH_DSA_SHA2_128F", oid => \@slhdsa_sha2_128f },
{ name => "SLH_DSA_SHA2_192S", oid => \@slhdsa_sha2_192s },
{ name => "SLH_DSA_SHA2_192F", oid => \@slhdsa_sha2_192f },
{ name => "SLH_DSA_SHA2_256S", oid => \@slhdsa_sha2_256s },
{ name => "SLH_DSA_SHA2_256F", oid => \@slhdsa_sha2_256f },
{ name => "SLH_DSA_SHAKE_128S", oid => \@slhdsa_shake_128s },
{ name => "SLH_DSA_SHAKE_128F", oid => \@slhdsa_shake_128f },
{ name => "SLH_DSA_SHAKE_192S", oid => \@slhdsa_shake_192s },
{ name => "SLH_DSA_SHAKE_192F", oid => \@slhdsa_shake_192f },
{ name => "SLH_DSA_SHAKE_256S", oid => \@slhdsa_shake_256s },
{ name => "SLH_DSA_SHAKE_256F", oid => \@slhdsa_shake_256f },
);
print_sum_enum("Key", "k", \@keys);
@@ -1126,17 +1137,29 @@ my @sig_types = (
same => 1 },
{ name => "CTC_ML_DSA_LEVEL5", oid => \@mldsa_5,
same => 1 },
{ name => "CTC_SPHINCS_FAST_LEVEL1", oid => \@sphincs_fast_1,
{ name => "CTC_SLH_DSA_SHA2_128S", oid => \@slhdsa_sha2_128s,
same => 1 },
{ name => "CTC_SPHINCS_FAST_LEVEL3", oid => \@sphincs_fast_3,
same => 1, oid_sum => 283 },
{ name => "CTC_SPHINCS_FAST_LEVEL5", oid => \@sphincs_fast_5,
{ name => "CTC_SLH_DSA_SHA2_128F", oid => \@slhdsa_sha2_128f,
same => 1 },
{ name => "CTC_SPHINCS_SMALL_LEVEL1", oid => \@sphincs_small_1,
{ name => "CTC_SLH_DSA_SHA2_192S", oid => \@slhdsa_sha2_192s,
same => 1 },
{ name => "CTC_SPHINCS_SMALL_LEVEL3", oid => \@sphincs_small_3,
{ name => "CTC_SLH_DSA_SHA2_192F", oid => \@slhdsa_sha2_192f,
same => 1 },
{ name => "CTC_SPHINCS_SMALL_LEVEL5", oid => \@sphincs_small_5,
{ name => "CTC_SLH_DSA_SHA2_256S", oid => \@slhdsa_sha2_256s,
same => 1 },
{ name => "CTC_SLH_DSA_SHA2_256F", oid => \@slhdsa_sha2_256f,
same => 1 },
{ name => "CTC_SLH_DSA_SHAKE_128S", oid => \@slhdsa_shake_128s,
same => 1 },
{ name => "CTC_SLH_DSA_SHAKE_128F", oid => \@slhdsa_shake_128f,
same => 1 },
{ name => "CTC_SLH_DSA_SHAKE_192S", oid => \@slhdsa_shake_192s,
same => 1 },
{ name => "CTC_SLH_DSA_SHAKE_192F", oid => \@slhdsa_shake_192f,
same => 1 },
{ name => "CTC_SLH_DSA_SHAKE_256S", oid => \@slhdsa_shake_256s,
same => 1 },
{ name => "CTC_SLH_DSA_SHAKE_256F", oid => \@slhdsa_shake_256f,
same => 1 },
);