mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-09 06:20:52 +02:00
9393d62591
Replace the liboqs-based pre-standardization SPHINCS+ implementation with the native FIPS 205 SLH-DSA implementation across the certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test certificates plus TLS 1.3 .conf scenarios that exercise the new verification path. All liboqs SPHINCS+ code is removed. This enables SLH-DSA for certificate chain authentication: CA certificates signed with SLH-DSA, certificate signature verification against an SLH-DSA root. TLS 1.3 entity authentication via CertificateVerify with SLH-DSA will be added in a follow-up PR. Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families across all twelve standardized variants. DER codec: - New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer, PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing 4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants. - PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode and wc_Dilithium_PublicKeyDecode so callers (notably wolfssl_x509_make_der and ConfirmSignature, which pass the raw BIT STRING contents stashed by StoreKey) decode correctly. Honours the caller's *inOutIdx start offset. - Error paths in Private/PublicKeyDecode preserve params/flags/ inOutIdx and only ForceZero the buffer half each helper actually writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched). - ImportPublic uses |= on flags so a Private-then-Public import sequence retains FLAG_PRIVATE. OID dispatch: - 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The pre-standardization OID-collision mechanism is removed since NIST OIDs do not collide. - wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN (rather than -1) for recognised SLH-DSA OIDs whose parameter set isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch surfaces this as a precise diagnostic instead of the generic "No public key found". - wc_GetKeyOID picks a placeholder parameter from whatever variant is compiled in and #errors at compile time if none is. - asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes alongside SHAKE. Tests and fixtures: - Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44 entity keys (server + client), plus the gen script (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5). - New TLS 1.3 .conf scenarios under tests/suites.c dispatch: test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a wrong-CA negative test test-tls13-slhdsa-fail.conf. - DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der fixtures regenerated with wolfSSL's own encoder so the codec is pinned to RFC 9909. - New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw PublicKeyDecode entry point that wolfssl_x509_make_der relies on. - test_wc_slhdsa_check_key now tests both Public-then-Private and Private-then-Public import orderings. Build / ABI: - DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107). - All build system / IDE project files updated; SPHINCS+ sources, headers, and test data removed. - Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and certs_test.h; the .der files on disk drive the decode tests.
58 lines
3.5 KiB
Plaintext
58 lines
3.5 KiB
Plaintext
-----BEGIN PRIVATE KEY-----
|
|
MIIKPgIBADALBglghkgBZQMEAxEEggoqMIIKJgQgB5k2MNHvdz51ebw/tXj6ECZ3
|
|
eScZNPdog84ItrvpBhgEggoAnXtmhZqzy98ZxarirCp5r/H94riNkdr1joa0kTwV
|
|
KhLGmElj7VDLeQ1YQ/IAjjVfJS88y6vZBIUgHV5ViJRkN0/TZIm+4svclsximVbe
|
|
JozeMBhm+dkb8c8yxXhIAgSyOxY96ahsgQaf9Gl3foY0pd2xSSDgLxcr3GL5k14X
|
|
UThKgghIBiQISGCStFETBSgauI2JtCiQqGQMgUTjxomEFg5EAkALly3ZSJIBFWRC
|
|
OGgaJ44TE1IAMQLEAiYUQk0QKJAgMTIBwWALAWyAAGxjJlACgEVKpkAcsiUIIWIk
|
|
SU4hh0gbSAIchmQEopDasIkUGU5JJgUYyQCapIXcpEhBIoECNXBjJorUEGEgRIij
|
|
omACooEZtHCcFoSBAkEitZHSCFESNEHTuBEIITJCRGUASGmSRhIilGHCtnDimI3T
|
|
JgmEIgoJuQ1MsGQDJC4BloSZBBGbyBGjEpAMFgqMICyUCEYEtg1gsIjcBCKaRkIh
|
|
Qk1JRikkJ2ITJQUKhAVKEEakBoAcNIIapUwZlokkJmEQRozBGEgcGW0EmI2LRgIC
|
|
kA1cEmVKFHICwWUbIU1cOG0DQYykJg6JooBKQCYcmWmBEjDDQCEiRmEiQ3ICRyYQ
|
|
oQmBIgbDIi5kMhIBsgFZlkUENQjDto0UMGwMlQyjSIBjQFAAICbcICQBRnHhQFHC
|
|
Eg3EEEAMQyQCMyYCyAQaIwjgFoqasC0TQAhDIjJEOG3RRJDUhglIggDimGgSsZEJ
|
|
kG3JMIXAhICcxkzhEJHYljDatmjIxmXjBlBcFBECREmbomhaMpBSgEUAJjACRkzU
|
|
yEmcuJDEIIoMFQ0JN44SRkUIIyUhoRGAkGWTRnLhKG1EllGBEoAERkqLEG0TRlFT
|
|
NkrhpkXgIgFIpgASkXAjs0ACqGXbQgbgBmrjlmFIlGVDImncIoWbhIlZGGRDsCCL
|
|
qClYMCQKF44RQS0kuCWJFCAUQZEjoiQhFyERsQQDhEwLI2JQhmVUIkJCgoAIpVHZ
|
|
BjEjAJEQqU3iBGZENjCLskmYxnAZpIxapg1jAC6blHCKIC1iJixCJmwSEy7bGAgR
|
|
IS6KsHEBwSzjRGLjlCgLOHBAFGViwEGhBiGCokSUsCwhEI0UlnESFAURJwQSl2XE
|
|
Am5YxGzAEHCEwEWZElKAqIjTuCgBF3ADwxCIGApTkkBTxiCTwIGkkJCTkgUiiAjI
|
|
AGTwGc/fNxkyya8KPEqPnLO0SilcbdKBED+fTSMYZe4Dp+sUmcCrbC6tMaAVf/0S
|
|
wwuGjR0PGY4s3cHO8nXCP//DvH1cQFCB1ZLJ3IlWAARkZiepwEPNXdbmx4So8ALa
|
|
o/LXJ6xSMLOVUzQxHwbydLpYUs+5C9E5PmD+2VVy+9lcLZ5fXZXj+CVtFHAk+BUE
|
|
JBQVq6UzyeD9nLM9V+/04ochm9QnPm57I55WfGfSOepStb1t2gDHHgrubRb7mjSu
|
|
i4V7aZqY1hUmGU8JveAGeZMsnqqHPMarygeYqbRjkHgTKNxi8wQE1VWKkfuL3B1q
|
|
UxbeGYjnlvyxtRHnkU5ixqS4qwh/dQZFC1RjeH0KhGSWo51Ec/YWdEY1EKKcvlvA
|
|
4V7EqCSr4cJZUhbYybY+WK37yDZlfvGOT5HI4vOn0yirYiGWljHvoa/pLjb+Cevx
|
|
jfr7WDmjzkXkH92MJKnXM4D1uwURUsu8swkULgrdROQvhYROCdoLIHhhKrlnnITg
|
|
67uV0DFdg5EVvyf1HiXJxUioqoz86mB6zZeSqwfHngtUvEHcf/eJchLuhRiGG+BE
|
|
4U97dT0n94LuOPdh48ml21n/IA18uNIs7IhdxAMIZ7RyO1zGFqsaa3KZh4CnNVq5
|
|
kU5cesaUGNLll3zVkV1XVun/WmT5yP8qWrrODc9nCbEtY8VyeMdPwcAjQq/yuC95
|
|
t/ddpbrVD6ib8q9dcpKGzhBS090VFWWoOMKYJ0dOsd4Fi9k21w/1M25MnEl9jgd5
|
|
dxSK6juGxK/5TI9DJr+kaPSz59IDxIUc1QoYVVH+sVuOee0Hh3261AmYk8upTzHO
|
|
4qs68m06608sGmvy/4H69DS+tU4a6vIQez6Wz2c32K7wPQOo5pMdWbwaBrQcDWjy
|
|
vidYGmaSyjdjZypZYr1A1enZSklpjEz0ZYU0zDfQXj5linNrMtL6bFSUtyB1bkrJ
|
|
+HLI3NoJyuOUm/jr6DK+u0FotgGN6Z/Tf/2R4ivATvlCW6LsyDUPNtnRiGWiKupQ
|
|
mRlQMSQQe1ZnpKXK46XJd7TRityk/8ru2Fg+baXUszkVossCnP6TZhjY0s6yjU0o
|
|
YsR7OeIqAm44Wcw12pmywZMktmOo/jeRMngR+ZVyLdFRQBOQ+qc9XfrOwT3Uq7dL
|
|
jNHZRcZ+DMa83RH6UoNZLaeorj+4WKKEFAV3+bn+BdFK+eh9Hri0OfyAHbI4jcRj
|
|
wOkVX/72gbI94BPs0HUdA7hr3BO2CbGC5AISGMseLc7u8sSkmhumUcP9c8HFhee7
|
|
ROdhngADChjkYoZF2PpbcUaGDjqJbbLXDtdlPswW5Zwt8g5EZBT9qS+26HiiVKNF
|
|
XrAUAveh4BZY2cNYWuZypwqfM/jVGFQegFQeUWlTYFfw+caXS1uY5hrBtGHtPcfo
|
|
FNaSSXxGHjogtiCzJeD4OerJfcs4mAOVmplprtQMHlA0bYVqMy+MA2qkGv2sijQI
|
|
6Yi2oLmWp0E3f+fC0a/lYGgG/nCBgLT+922I7MaQOAQ0JBu4V4ZA0hnsoTYR/yI0
|
|
jDE/Y6FPzmdzXHhdhcjYQFpA34g98230m7Ypvwfd2VEnppeyb2HvHKkBUivQEuRA
|
|
puolgLqAYYeljX5xCWj7xggvmCznqzC03jm2cf8ykGFl+cQWftrEBXcL8fngwH0U
|
|
V29IuurgxZNgFOP4amey3FboN39ZY1x30uOnc1OcjfSs6QeKHL6nTR9gNp8znfQt
|
|
T2HdM0AfbhCf9x/wlYlijAT3ZOBm0EtKeZZwVtsH2q8A0VTsB6wJJZFG0U+/UOnm
|
|
VHORx/tnM+sBG9xFWtyjljVscZum5ytllS2ugQooMfAqngHigy/gpGXKkkoPMkW1
|
|
5hkkRCsr6mRGsknQL+JkDR/u5CkEmYCLfHo6TNQY1Pc7DEQ5PQ8Q1B9Hf7Hf0sHX
|
|
HR/3KTZUS45Vm8sI9TEP1AxeGFl+6u9a0g3GlF2DvVWpL/6FgtmpkUD2zPmIunIJ
|
|
Np+hxXzqk9SuSKoukZMvG2Y+hw7doB4ZjSXfvzmC33p8fJWyvScrPXbvBTj8ijhG
|
|
bdWqOWupyvWf/YHCT6WMEpCjA+b9eWpIaWzDeDCdeaaBp/Tpz06dWAEQ7SwnLlyq
|
|
yNBX7wWl55+NB6fXSAV7cBes49RKCZLEjoQDdFphYQ4aDB+MTtlslkKskwvUFGzY
|
|
Jw6buXcN1d2CCPWJ20SGjbIsqAZfvExzJ/4yJjwzg9oYyQ==
|
|
-----END PRIVATE KEY-----
|