Files
wolfssl/certs/slhdsa/server-mldsa44-priv.pem
T
Tobias Frauenschläger 9393d62591 Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
Replace the liboqs-based pre-standardization SPHINCS+ implementation
with the native FIPS 205 SLH-DSA implementation across the
certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test
certificates plus TLS 1.3 .conf scenarios that exercise the new
verification path. All liboqs SPHINCS+ code is removed.

This enables SLH-DSA for certificate chain authentication: CA
certificates signed with SLH-DSA, certificate signature verification
against an SLH-DSA root. TLS 1.3 entity authentication via
CertificateVerify with SLH-DSA will be added in a follow-up PR.

Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and
NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families
across all twelve standardized variants.

DER codec:
- New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer,
  PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing
  4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested
  wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants.
- PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode
  and wc_Dilithium_PublicKeyDecode so callers (notably
  wolfssl_x509_make_der and ConfirmSignature, which pass the raw
  BIT STRING contents stashed by StoreKey) decode correctly. Honours
  the caller's *inOutIdx start offset.
- Error paths in Private/PublicKeyDecode preserve params/flags/
  inOutIdx and only ForceZero the buffer half each helper actually
  writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched).
- ImportPublic uses |= on flags so a Private-then-Public import
  sequence retains FLAG_PRIVATE.

OID dispatch:
- 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The
  pre-standardization OID-collision mechanism is removed since NIST
  OIDs do not collide.
- wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN
  (rather than -1) for recognised SLH-DSA OIDs whose parameter set
  isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch
  surfaces this as a precise diagnostic instead of the generic
  "No public key found".
- wc_GetKeyOID picks a placeholder parameter from whatever variant is
  compiled in and #errors at compile time if none is.
- asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes
  alongside SHAKE.

Tests and fixtures:
- Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and
  SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44
  entity keys (server + client), plus the gen script
  (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5).
- New TLS 1.3 .conf scenarios under tests/suites.c dispatch:
  test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a
  wrong-CA negative test test-tls13-slhdsa-fail.conf.
- DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der
  fixtures regenerated with wolfSSL's own encoder so the codec is
  pinned to RFC 9909.
- New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw
  PublicKeyDecode entry point that wolfssl_x509_make_der relies on.
- test_wc_slhdsa_check_key now tests both Public-then-Private and
  Private-then-Public import orderings.

Build / ABI:
- DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment
  for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107).
- All build system / IDE project files updated; SPHINCS+ sources,
  headers, and test data removed.
- Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and
  certs_test.h; the .der files on disk drive the decode tests.
2026-04-30 18:32:07 +02:00

57 lines
3.5 KiB
Plaintext

-----BEGIN PRIVATE KEY-----
MIIKGAIBADALBglghkgBZQMEAxEEggoEBIIKABhSAaega5HUsoai6G/eXAfC1zWI
Kz9h4nyZdEvlx4g+JXOmk+lZB1kemzs39YRighKiTNPjWLe/x+I6CK2ByHsAbdQ5
LPwAnY47H524KBBi+N/AC/rfzwQv8LIuXEE/IlzHql4cQc1lmqDDQSkv8OZ77u0z
SfBmIcUsqWMCmDnxWaAkWrAN26Jo4DCGSpBg2RSAESki4shB2ChmHElRYjRigSAJ
GgBF4sJJk8hN2xggIkdsGDlhCxYMGQJGJCVKGEduigaAUQJEDMKFwBhFGRYAgDKO
UQRghIRkIzEpRICIyCIwHIkRAhYKXKCNgkJp0xBMVKRMBIhgAENRIhiM5JZFkiZt
ykgoDKgEIBCRAUUJ4zJIggAFEyMKEMlRAMFpiwYOATIQBBVNBMQxYQQgmEJhjAKO
AgSGG6BgC0cmGDmA2RhRyqiMGDBgmEhQCBmCAIlgEQmIibhpA8INQIhIZCIF2kYx
DEZOIAkGgkRhGoRsGTOCE6hAIxMtSoRFGrZllEIEA0WGAIFJ0EZtREYM3CYRm4AM
UpAlyjhKipQpQggQA7CFJLNFUbglILRwExRt2BICwIYNgQZEDKJsC7ZxC4lJ0jIE
AKltSiBA2aAk3JBMQpiNEARAChZswIAQkTYk0cCJHBISwZRI2CAkg0RwA6GQkYCI
CDNq3DBRHChuWZJNiCiOijQw0siJ5EAA1MAhIzcQlBRFlERA4KREioKAiRglGjgK
YwCFUyYBHBdQBCFIRKIxmABhhKZlQhQE4YQswkhEU5YImqaEUqhQYwZEYsBoEZEA
SEhR4QRwXBRAA5ghyKAMmURuIbaAG7NQoiIsG5AEUEiMHIGBiEZNUwBN0YJETCCS
GciISCaBJCBGC7Upi6SAm0BgkzIE5LIo2ZAFiLIQC5MRwiISAoFE1EKIgBQRm4Yw
EEdEQUII0JQQGyWAkSKNm5aBDAElxLRFVBBxYyYAUggIIMJEwRiI00SEQxQm2cZh
0yiIS7QhESSOXERpI0eOBLOIk5BJ4iIECDYGIyGCWJSFIUQMQyYtGcFsEoBEQkZl
AKkBjIZgWKAk4ZCESoCEyaZIyDSNE6KMCpdoiLBlXEIt4DCEHKEB0YAJ4JIAWwJs
AMWIojABFAgwAJkhg4IEibBFmyIkBAUSSChQYsIMA8BBjEgFiCJCYkQNg4IQ4xSF
0SRyAycO4oQoG7KAtbxqiXAgMUhMxG8iHXezrhzWKzXrdl5zeh6ojYaRchh81WYG
Rf64tj6OhO2L0KTx2bmAMNacjMg3p+Rr9cJc4VmAWW3ckeHzpteJRNzsV82GHbgY
RRPkPCm0996lZbV+gNDpXmvPgUKjtK7mOtfuh+YUkRVsoLGbrokY/gsZl6bW+UZT
2eWbGqS9osgd83OcsUZgiXXFHwN+dMvhSdjlUyPPUhgO+MC4vbhlKCKug/MQjKT2
jETaAiEi0gt5ipV6sg6QrHS5UnhMnThmvhNkHz6wLKbBTFrRkQ9DbWa6mZNCVrv/
Wh/k1c+sRG37laYjupbU4ZKXWht17/7qZjtyGj2162ui48gbXHHuvYEV+Yp+ZtfQ
aIQ0MtdeSMKC7gPaCoXQrT2a6Ou+tN3Ebslp1DSQ64TikVmXaOPyhp+ohKNUETuy
aQVKRtUDqqceB9zZv09KB1onH/hhdS8oml6ORgmxwN49VFUGj/GNf4fRk84MQ52N
pWDh0ZJTyRVyJjAiUT+oIcsdKTVK/ZU+1nCHaYdlWj4LhY6Ug7ewHk9RjEwLX84o
H6zQwaVXDOoyI+Rnr23cS3UX32SaVORHLyz4MGZafQ5GjpIEYF41QLdUfpWvYSS1
mM187RHXOsHSVDfm+IwYBCIRCM2d7sJPTv03+86Zm80XRr3Ey9074OzJBPo79Grh
58z1LRWKcaSBC51C54+Ifo6VHkfjYoN3epmDR8dWQbe8kpYBHdsMz/gjjzoDczSq
LY/Ou8KUgeQTm9miysl3p2nA+syXuEuPRq6GkaYU2P5i5q9uHhiBNvEY2tpDO7SW
kB/tAZ08LOpI7DmqhrrZi0dx4gEYrYXsQPynVwdHDLdgNDk+oIRK/mOFc/F1gLhI
/ruFPGVe1Bv7mGUy/kCwBJnhcxGVxCeXzCykrplL/GzRldQx2jJBz1O4EH1Ua1DL
yBVy58yvFpZdFVkqS8dEw2NHdxcAHOMcpzypvgTNxupJs+BQm/kWw7FhnMuXWkCb
4vpgzaLk4q+TzawMLBRTbIvT3DJVj9W5spV7kkl66RZsjbouCWJKRB4GF7mQ04GH
hS6QqqMsvtIMmk5QVkrN7BmGJhv6x0+7iLtiJYP6mYC7DDyHzLNFFSGsTHuE0gq2
us7dJkpixfnoWIJXhglsWPLb6d8HiDa5dA7lz3Z5AP926EVVvNqLJxED/0sEZjXo
xAdZMM4bDTiXKOW8hKCvdY1xJxe1+stsvqFToRHX1ycj/21jqoPaj3CKwocwZB+f
C1bayxFcTeZMBNONXF8XRa2BXYEViIvQ4Z57emLjvgzx6HMAKwqvjYY4r/xdP1xI
5BdxGyKGLksuVUdGOH74zHwkt8L4CKWJrwvV5LS++m/HL+3HteHdSydN0FcH+/eg
x84HfZMw8KJUM0ev1v28Vg2ySyto18uVFVBDGgVuxaYA6Trt3009/fj/+Qd6BURI
aGJslS8OOophSUU97W2LYEtw2sqYuH3g/d6tN/iNDGwp8a45nEwAP12jHlqZ+Enm
ZzuLhEMgv92vYOOUyJf0CJEfpBAmc2guufLbu6jetOXRUsWc/AcIg6EXv9ZRuJq+
L4xyLjdw4i1IUGd065YSP59V80vcexDYlwOHC89UPHfiQ+pViDujOBECWlITaK6l
LoZzYi8h2vcjA1QWbAX4/Eupmedrjh2c4Ldy76YLjxX40GlbRyzGhTf4GHqj3mpJ
466rJDFrPxa9QPmQoFkKalY6Ioj2VryASmMsUNx5dhucRjLI3vt++HLcDLAkA7jk
f/ZRELYe7xdF41bQrjDZ+sQCxtQMZO+jPutNbe+bTt9KQ9X8J7+9au70Gw4K5dk+
mjdYk9gNkyPz9iy2gWI6PUo7jeli2CraA2SnNSRbyioPmm3YfO+LfQrnwRVQ54e/
dJbTABNgOx+RMl4szQELpQV0VRT6mVNEdkR3fOjf9xLC+R2yC8sT0HOR0/rJMHbp
oHghshGqj7ZKh5tQfWaG1d9f80/gh/oGOeI1OGdrf5dkquRAO6qy5pq5ggoAMwO/
Dgy8glXrmPfvaIfutg4+sOKumqcduBB7/KVc2FLsSFdxs9uiwAHbUv3qXcJRQYJM
AaikplrHLx8UR76nRWEuwrqQXX1UfKuAGQPg66uYMKP3X049F1bkObajII13smZL
P8KHMxuKEbtK1e4dTYxOBQ7gMSwl+sY+dVTP6b9h0GyRwlvQkwSum4RuTsw=
-----END PRIVATE KEY-----