mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 16:30:49 +02:00
28468b44f5
Wire the stateful hash-based signature schemes HSS/LMS (RFC 8554) and XMSS / XMSS^MT (RFC 8391) into the X.509 cert-verification path per RFC 9802. asn: - Register id-alg-hss-lms-hashsig (1.2.840.113549.1.9.16.3.17), id-alg-xmss-hashsig (1.3.6.1.5.5.7.6.34) and id-alg-xmssmt-hashsig (1.3.6.1.5.5.7.6.35) in oid_sum.h, asn.c and asn1_oid_sum.pl. - Plumb the new keyOIDs through GetCertKey, SigOidMatchesKeyOid, HashForSignature, FreeSignatureCtx and ConfirmSignature so leaf and CA certificates parse, load and verify end-to-end. - Rename IsSigAlgoECC -> IsSigAlgoNoParams; the function has tested "AlgorithmIdentifier omits NULL parameters" since PQC algos were added, and HSS/LMS + XMSS only made the original name more misleading. wc_lms / wc_xmss: - Add wc_XmssKey_ImportPubRaw_ex which derives parameters from the 4-byte OID prefix at the start of the raw public key, taking an is_xmssmt hint to disambiguate the overlapping XMSS / XMSS^MT OID spaces. - Extend wc_LmsKey_ImportPubRaw with the same auto-derive from u32str(L) || lmsType || lmOtsType when key->params is NULL; this also fixes a latent NULL-deref when the legacy precondition was violated. - Reject WC_*_STATE_OK in both ImportPubRaw paths so re-importing on a private-key-loaded handle can't desync priv/pub. - Tighten wc_XmssKey_Verify's length check to strict equality, matching wc_LmsKey_Verify and the documented contract of using wc_XmssKey_GetSigLen for the buffer size. tests / fixtures: - Bouncy Castle 1.81 fixtures in certs/lms and certs/xmss covering every supported parameter set, plus CA->leaf chains per family and one BC-native LMS fixture as a cross-impl interop gate. 
- New api tests verify each fixture end-to-end, tamper TBS and signature bytes, exercise the wolfCrypt-level negative paths (NOT_COMPILED_IN, BUFFER_E, BAD_FUNC_ARG, BAD_STATE_E, OID/family mismatch, partial-write invariants, lenient VERIFYONLY re-import, strict sigLen check) and confirm the outer signatureAlgorithm OID is rejected when it disagrees with the SPKI in both XMSS<->XMSS^MT directions.
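# vim:ft=automake
# All paths should be given relative to the root
#
# Test fixtures added to the release tarball through EXTRA_DIST.
# Several entries are named as private-key files (ca-key.pem, client-key.pem,
# server-key.pem, ecc-privkey.*, dh-priv-2048.*, ...). Everything listed here
# is published with the source, so such keys are test-only material and must
# never be trusted or deployed outside the test suite.
# NOTE(review): file contents are not visible from this list; confirm a new
# entry is a purpose-made test artifact before adding it.

EXTRA_DIST += \
    certs/ca-cert-chain.der \
    certs/ca-cert.pem \
    certs/ca-key.pem \
    certs/ca-key-pkcs8-attribute.der \
    certs/client-cert.pem \
    certs/client-keyEnc.pem \
    certs/client-key.pem \
    certs/client-uri-cert.pem \
    certs/client-absolute-urn.pem \
    certs/client-relative-uri.pem \
    certs/client-crl-dist.pem \
    certs/client-crl-dist.der \
    certs/ecc-key.pem \
    certs/ecc-keyPub.pem \
    certs/ecc-params.der \
    certs/ecc-params.pem \
    certs/ecc-privkey.der \
    certs/ecc-privkey.pem \
    certs/ecc-privkeyPkcs8.der \
    certs/ecc-privkeyPkcs8.pem \
    certs/ecc-keyPkcs8Enc.pem \
    certs/ecc-keyPkcs8Enc.der \
    certs/ecc-key-comp.pem \
    certs/ecc-keyPkcs8.pem \
    certs/ecc-keyPkcs8.der \
    certs/ecc-client-key.pem \
    certs/ecc-client-keyPub.pem \
    certs/empty-issuer-cert.pem \
    certs/client-ecc-cert.pem \
    certs/client-ecc-ca-cert.pem \
    certs/client-ca.pem \
    certs/client-ca-cert.pem \
    certs/dh2048.pem \
    certs/server-cert.pem \
    certs/server-ecc.pem \
    certs/server-ecc-self.pem \
    certs/server-ecc-comp.pem \
    certs/server-ecc-rsa.pem \
    certs/server-keyEnc.pem \
    certs/server-key.pem \
    certs/server-keyPub.der \
    certs/server-keyPub.pem \
    certs/server-keyPkcs8.der \
    certs/server-keyPkcs8Enc12.pem \
    certs/server-keyPkcs8Enc2.pem \
    certs/server-keyPkcs8Enc.pem \
    certs/server-keyPkcs8Enc.der \
    certs/server-keyPkcs8.pem \
    certs/server-revoked-cert.pem \
    certs/server-revoked-key.pem \
    certs/wolfssl-website-ca.pem \
    certs/test-degenerate.p7b \
    certs/test-multiple-recipients.p7b \
    certs/test-stream-sign.p7b \
    certs/test-stream-dec.p7b \
    certs/test-ber-exp02-05-2022.p7b \
    certs/test-servercert.p12 \
    certs/test-servercert-rc2.p12 \
    certs/ecc-rsa-server.p12 \
    certs/dsaparams.der \
    certs/dsaparams.pem \
    certs/ecc-privOnlyKey.pem \
    certs/ecc-privOnlyCert.pem \
    certs/dh3072.pem \
    certs/dh4096.pem \
    certs/client-cert-ext.pem \
    certs/csr.attr.der \
    certs/csr.dsa.der \
    certs/csr.dsa.pem \
    certs/csr.signed.der \
    certs/csr.ext.der \
    certs/entity-no-ca-bool-cert.pem \
    certs/entity-no-ca-bool-key.pem \
    certs/x942dh2048.der \
    certs/x942dh2048.pem \
    certs/fpki-cert.der \
    certs/fpki-certpol-cert.der \
    certs/rid-cert.der \
    certs/dh-priv-2048.der \
    certs/dh-priv-2048.pem \
    certs/dh-pub-2048.der \
    certs/dh-pub-2048.pem \
    certs/dsa2048.pem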
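# Certificates kept under certs/aia/ and certs/sia/.
# NOTE(review): going by the directory and file names these exercise the
# Authority / Subject Information Access extensions, with overflow-aia-cert.pem
# presumably a negative-test input for the parser; confirm against the tests
# that load them.
EXTRA_DIST += \
    certs/aia/ca-issuers-cert.pem \
    certs/aia/multi-aia-cert.pem \
    certs/aia/overflow-aia-cert.pem \
    certs/sia/timestamping-sia-cert.pem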
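# Further fixtures for the release tarball, mostly DER encodings.
# ca-key.der, client-key.der, server-key.der, ecc-key.der and
# ecc-client-key.der are named as private keys; like every file listed in
# EXTRA_DIST they ship publicly, so they are usable for tests only.
EXTRA_DIST += \
    certs/ca-key.der \
    certs/ca-cert.der \
    certs/client-cert.der \
    certs/client-key.der \
    certs/client-ecc-cert.der \
    certs/client-ecc-ca-cert.der \
    certs/client-ca-cert.der \
    certs/client-keyPub.der \
    certs/client-keyPub.pem \
    certs/dh2048.der \
    certs/dh3072.der \
    certs/dh4096.der \
    certs/dh-pubkey-2048.der \
    certs/rsa2048.der \
    certs/rsa-pub-2048.pem \
    certs/rsa3072.der \
    certs/dsa2048.der \
    certs/dsa3072.der \
    certs/dsa-pubkey-2048.der \
    certs/ecc-client-key.der \
    certs/ecc-client-keyPub.der \
    certs/ecc-key.der \
    certs/ecc-keyPub.der \
    certs/server-key.der \
    certs/server-cert.der \
    certs/server-ecc-comp.der \
    certs/server-ecc.der \
    certs/server-ecc-self.der \
    certs/server-ecc-rsa.der \
    certs/server-cert-chain.der \
    certs/client-cert-ext.der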
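# ECC CA prime256v1
# The CA certificate and its key are distributed together in both encodings;
# a CA key published this way can only anchor test chains.
EXTRA_DIST += \
    certs/ca-ecc-cert.der \
    certs/ca-ecc-cert.pem \
    certs/ca-ecc-key.der \
    certs/ca-ecc-key.pem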
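# ECC CA SECP384R1
# The CA certificate and its key are distributed together in both encodings;
# a CA key published this way can only anchor test chains.
EXTRA_DIST += \
    certs/ca-ecc384-cert.der \
    certs/ca-ecc384-cert.pem \
    certs/ca-ecc384-key.der \
    certs/ca-ecc384-key.pem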
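# The dist_ prefix puts taoCert.txt in the release tarball, and doc_DATA
# installs it into $(docdir). Spacing around += matches the EXTRA_DIST lines.
dist_doc_DATA += certs/taoCert.txt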
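# Per-directory fragments, one for each fixture subdirectory.
# NOTE(review): each fragment presumably appends its own files to EXTRA_DIST.
# If so, a subdirectory missing from this list is left out of the release
# tarball, and tests that read its fixtures would pass only from a full
# source checkout.
include certs/1024/include.am
include certs/3072/include.am
include certs/4096/include.am
include certs/crl/include.am
include certs/ecc/include.am
include certs/ed25519/include.am
include certs/ed448/include.am
include certs/p521/include.am
include certs/sm2/include.am
include certs/external/include.am
include certs/ocsp/include.am
include certs/statickeys/include.am
include certs/test/include.am
include certs/test-pathlen/include.am
include certs/intermediate/include.am
include certs/falcon/include.am
include certs/rsapss/include.am
include certs/dilithium/include.am
include certs/slhdsa/include.am
include certs/lms/include.am
include certs/xmss/include.am
include certs/rpk/include.am
include certs/acert/include.am
include certs/mldsa/include.am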