mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 17:00:49 +02:00
9393d62591
Replace the liboqs-based pre-standardization SPHINCS+ implementation with the native FIPS 205 SLH-DSA implementation across the certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test certificates plus TLS 1.3 .conf scenarios that exercise the new verification path. All liboqs SPHINCS+ code is removed. This enables SLH-DSA for certificate chain authentication: CA certificates signed with SLH-DSA, certificate signature verification against an SLH-DSA root. TLS 1.3 entity authentication via CertificateVerify with SLH-DSA will be added in a follow-up PR. Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families across all twelve standardized variants. DER codec: - New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer, PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing 4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants. - PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode and wc_Dilithium_PublicKeyDecode so callers (notably wolfssl_x509_make_der and ConfirmSignature, which pass the raw BIT STRING contents stashed by StoreKey) decode correctly. Honours the caller's *inOutIdx start offset. - Error paths in Private/PublicKeyDecode preserve params/flags/ inOutIdx and only ForceZero the buffer half each helper actually writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched). - ImportPublic uses |= on flags so a Private-then-Public import sequence retains FLAG_PRIVATE. OID dispatch: - 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The pre-standardization OID-collision mechanism is removed since NIST OIDs do not collide. - wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN (rather than -1) for recognised SLH-DSA OIDs whose parameter set isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch surfaces this as a precise diagnostic instead of the generic "No public key found". - wc_GetKeyOID picks a placeholder parameter from whatever variant is compiled in and #errors at compile time if none is. - asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes alongside SHAKE. Tests and fixtures: - Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44 entity keys (server + client), plus the gen script (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5). - New TLS 1.3 .conf scenarios under tests/suites.c dispatch: test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a wrong-CA negative test test-tls13-slhdsa-fail.conf. - DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der fixtures regenerated with wolfSSL's own encoder so the codec is pinned to RFC 9909. - New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw PublicKeyDecode entry point that wolfssl_x509_make_der relies on. - test_wc_slhdsa_check_key now tests both Public-then-Private and Private-then-Public import orderings. Build / ABI: - DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107). - All build system / IDE project files updated; SPHINCS+ sources, headers, and test data removed. - Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and certs_test.h; the .der files on disk drive the decode tests.
89 lines
3.4 KiB
Plaintext
89 lines
3.4 KiB
Plaintext
# vim:ft=automake
|
|
# included from Top Level Makefile.am
|
|
# All paths should be given relative to the root
|
|
|
|
|
|
if BUILD_TESTS
|
|
noinst_PROGRAMS += tests/unit.test
|
|
tests_unit_test_SOURCES = \
|
|
tests/unit.c \
|
|
tests/api.c \
|
|
tests/utils.c \
|
|
testsuite/utils.c \
|
|
tests/suites.c \
|
|
tests/w64wrapper.c \
|
|
tests/srp.c \
|
|
tests/quic.c \
|
|
examples/client/client.c \
|
|
examples/server/server.c
|
|
|
|
if BUILD_WOLFCRYPT_TESTS
|
|
tests_unit_test_SOURCES += wolfcrypt/test/test.c
|
|
endif
|
|
|
|
tests_unit_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) $(WOLFSENTRY_INCLUDE)
|
|
tests_unit_test_LDADD = src/libwolfssl@LIBSUFFIX@.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB)
|
|
tests_unit_test_DEPENDENCIES = src/libwolfssl@LIBSUFFIX@.la
|
|
include tests/api/include.am
|
|
endif
|
|
EXTRA_DIST += tests/unit.h \
|
|
tests/test.conf \
|
|
tests/test-sha2.conf \
|
|
tests/test-tls13.conf \
|
|
tests/test-tls13-down.conf \
|
|
tests/test-tls13-ecc.conf \
|
|
tests/test-tls13-psk.conf \
|
|
tests/test-tls13-pq-standalone.conf \
|
|
tests/test-tls13-pq-hybrid.conf \
|
|
tests/test-tls13-pq-hybrid-extra.conf \
|
|
tests/test-tls13-slhdsa-shake.conf \
|
|
tests/test-tls13-slhdsa-sha2.conf \
|
|
tests/test-tls13-slhdsa-fail.conf \
|
|
tests/test-dtls13-pq-standalone.conf \
|
|
tests/test-dtls13-pq-standalone-frag.conf \
|
|
tests/test-dtls13-pq-hybrid-frag.conf \
|
|
tests/test-dtls13-pq-hybrid-extra.conf \
|
|
tests/test-dtls13-pq-hybrid-extra-frag.conf \
|
|
tests/test-psk.conf \
|
|
tests/test-psk-no-id.conf \
|
|
tests/test-psk-no-id-sha2.conf \
|
|
tests/test-dtls.conf \
|
|
tests/test-dtls-downgrade.conf \
|
|
tests/test-dtls-fails.conf \
|
|
tests/test-dtls-fails-cipher.conf \
|
|
tests/test-dtls-group.conf \
|
|
tests/test-dtls-mtu.conf \
|
|
tests/test-dtls-reneg-client.conf \
|
|
tests/test-dtls-reneg-server.conf \
|
|
tests/test-dtls-resume.conf \
|
|
tests/test-dtls-sha2.conf \
|
|
tests/test-dtls-srtp.conf \
|
|
tests/test-dtls-srtp-fails.conf \
|
|
tests/test-dtls13.conf \
|
|
tests/test-dtls13-downgrade.conf \
|
|
tests/test-dtls13-downgrade-fails.conf \
|
|
tests/test-dtls13-psk.conf \
|
|
tests/test-dtls13-cid.conf \
|
|
tests/test-sctp.conf \
|
|
tests/test-sctp-sha2.conf \
|
|
tests/test-sig.conf \
|
|
tests/test-rsapss.conf \
|
|
tests/test-ed25519.conf \
|
|
tests/test-ed448.conf \
|
|
tests/test-enckeys.conf \
|
|
tests/test-maxfrag.conf \
|
|
tests/test-maxfrag-dtls.conf \
|
|
tests/test-fails.conf \
|
|
tests/test-chains.conf \
|
|
tests/test-altchains.conf \
|
|
tests/test-trustpeer.conf \
|
|
tests/test-dhprime.conf \
|
|
tests/test-p521.conf \
|
|
tests/test-ecc-cust-curves.conf \
|
|
tests/test-sm2.conf \
|
|
tests/NCONF_test.cnf \
|
|
tests/test-tls-downgrade.conf \
|
|
tests/TXT_DB.txt \
|
|
tests/utils.h
|
|
DISTCLEANFILES+= tests/.libs/unit.test
|