mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-09 05:50:53 +02:00
9393d62591
Replace the liboqs-based pre-standardization SPHINCS+ implementation with the native FIPS 205 SLH-DSA implementation across the certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test certificates plus TLS 1.3 .conf scenarios that exercise the new verification path. All liboqs SPHINCS+ code is removed. This enables SLH-DSA for certificate chain authentication: CA certificates signed with SLH-DSA, certificate signature verification against an SLH-DSA root. TLS 1.3 entity authentication via CertificateVerify with SLH-DSA will be added in a follow-up PR. Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families across all twelve standardized variants. DER codec: - New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer, PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing 4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants. - PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode and wc_Dilithium_PublicKeyDecode so callers (notably wolfssl_x509_make_der and ConfirmSignature, which pass the raw BIT STRING contents stashed by StoreKey) decode correctly. Honours the caller's *inOutIdx start offset. - Error paths in Private/PublicKeyDecode preserve params/flags/ inOutIdx and only ForceZero the buffer half each helper actually writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched). - ImportPublic uses |= on flags so a Private-then-Public import sequence retains FLAG_PRIVATE. OID dispatch: - 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The pre-standardization OID-collision mechanism is removed since NIST OIDs do not collide. - wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN (rather than -1) for recognised SLH-DSA OIDs whose parameter set isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch surfaces this as a precise diagnostic instead of the generic "No public key found". - wc_GetKeyOID picks a placeholder parameter from whatever variant is compiled in and #errors at compile time if none is. - asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes alongside SHAKE. Tests and fixtures: - Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44 entity keys (server + client), plus the gen script (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5). - New TLS 1.3 .conf scenarios under tests/suites.c dispatch: test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a wrong-CA negative test test-tls13-slhdsa-fail.conf. - DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der fixtures regenerated with wolfSSL's own encoder so the codec is pinned to RFC 9909. - New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw PublicKeyDecode entry point that wolfssl_x509_make_der relies on. - test_wc_slhdsa_check_key now tests both Public-then-Private and Private-then-Public import orderings. Build / ABI: - DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107). - All build system / IDE project files updated; SPHINCS+ sources, headers, and test data removed. - Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and certs_test.h; the .der files on disk drive the decode tests.
57 lines
3.5 KiB
Plaintext
57 lines
3.5 KiB
Plaintext
-----BEGIN PRIVATE KEY-----
|
|
MIIKGAIBADALBglghkgBZQMEAxEEggoEBIIKABhSAaega5HUsoai6G/eXAfC1zWI
|
|
Kz9h4nyZdEvlx4g+JXOmk+lZB1kemzs39YRighKiTNPjWLe/x+I6CK2ByHsAbdQ5
|
|
LPwAnY47H524KBBi+N/AC/rfzwQv8LIuXEE/IlzHql4cQc1lmqDDQSkv8OZ77u0z
|
|
SfBmIcUsqWMCmDnxWaAkWrAN26Jo4DCGSpBg2RSAESki4shB2ChmHElRYjRigSAJ
|
|
GgBF4sJJk8hN2xggIkdsGDlhCxYMGQJGJCVKGEduigaAUQJEDMKFwBhFGRYAgDKO
|
|
UQRghIRkIzEpRICIyCIwHIkRAhYKXKCNgkJp0xBMVKRMBIhgAENRIhiM5JZFkiZt
|
|
ykgoDKgEIBCRAUUJ4zJIggAFEyMKEMlRAMFpiwYOATIQBBVNBMQxYQQgmEJhjAKO
|
|
AgSGG6BgC0cmGDmA2RhRyqiMGDBgmEhQCBmCAIlgEQmIibhpA8INQIhIZCIF2kYx
|
|
DEZOIAkGgkRhGoRsGTOCE6hAIxMtSoRFGrZllEIEA0WGAIFJ0EZtREYM3CYRm4AM
|
|
UpAlyjhKipQpQggQA7CFJLNFUbglILRwExRt2BICwIYNgQZEDKJsC7ZxC4lJ0jIE
|
|
AKltSiBA2aAk3JBMQpiNEARAChZswIAQkTYk0cCJHBISwZRI2CAkg0RwA6GQkYCI
|
|
CDNq3DBRHChuWZJNiCiOijQw0siJ5EAA1MAhIzcQlBRFlERA4KREioKAiRglGjgK
|
|
YwCFUyYBHBdQBCFIRKIxmABhhKZlQhQE4YQswkhEU5YImqaEUqhQYwZEYsBoEZEA
|
|
SEhR4QRwXBRAA5ghyKAMmURuIbaAG7NQoiIsG5AEUEiMHIGBiEZNUwBN0YJETCCS
|
|
GciISCaBJCBGC7Upi6SAm0BgkzIE5LIo2ZAFiLIQC5MRwiISAoFE1EKIgBQRm4Yw
|
|
EEdEQUII0JQQGyWAkSKNm5aBDAElxLRFVBBxYyYAUggIIMJEwRiI00SEQxQm2cZh
|
|
0yiIS7QhESSOXERpI0eOBLOIk5BJ4iIECDYGIyGCWJSFIUQMQyYtGcFsEoBEQkZl
|
|
AKkBjIZgWKAk4ZCESoCEyaZIyDSNE6KMCpdoiLBlXEIt4DCEHKEB0YAJ4JIAWwJs
|
|
AMWIojABFAgwAJkhg4IEibBFmyIkBAUSSChQYsIMA8BBjEgFiCJCYkQNg4IQ4xSF
|
|
0SRyAycO4oQoG7KAtbxqiXAgMUhMxG8iHXezrhzWKzXrdl5zeh6ojYaRchh81WYG
|
|
Rf64tj6OhO2L0KTx2bmAMNacjMg3p+Rr9cJc4VmAWW3ckeHzpteJRNzsV82GHbgY
|
|
RRPkPCm0996lZbV+gNDpXmvPgUKjtK7mOtfuh+YUkRVsoLGbrokY/gsZl6bW+UZT
|
|
2eWbGqS9osgd83OcsUZgiXXFHwN+dMvhSdjlUyPPUhgO+MC4vbhlKCKug/MQjKT2
|
|
jETaAiEi0gt5ipV6sg6QrHS5UnhMnThmvhNkHz6wLKbBTFrRkQ9DbWa6mZNCVrv/
|
|
Wh/k1c+sRG37laYjupbU4ZKXWht17/7qZjtyGj2162ui48gbXHHuvYEV+Yp+ZtfQ
|
|
aIQ0MtdeSMKC7gPaCoXQrT2a6Ou+tN3Ebslp1DSQ64TikVmXaOPyhp+ohKNUETuy
|
|
aQVKRtUDqqceB9zZv09KB1onH/hhdS8oml6ORgmxwN49VFUGj/GNf4fRk84MQ52N
|
|
pWDh0ZJTyRVyJjAiUT+oIcsdKTVK/ZU+1nCHaYdlWj4LhY6Ug7ewHk9RjEwLX84o
|
|
H6zQwaVXDOoyI+Rnr23cS3UX32SaVORHLyz4MGZafQ5GjpIEYF41QLdUfpWvYSS1
|
|
mM187RHXOsHSVDfm+IwYBCIRCM2d7sJPTv03+86Zm80XRr3Ey9074OzJBPo79Grh
|
|
58z1LRWKcaSBC51C54+Ifo6VHkfjYoN3epmDR8dWQbe8kpYBHdsMz/gjjzoDczSq
|
|
LY/Ou8KUgeQTm9miysl3p2nA+syXuEuPRq6GkaYU2P5i5q9uHhiBNvEY2tpDO7SW
|
|
kB/tAZ08LOpI7DmqhrrZi0dx4gEYrYXsQPynVwdHDLdgNDk+oIRK/mOFc/F1gLhI
|
|
/ruFPGVe1Bv7mGUy/kCwBJnhcxGVxCeXzCykrplL/GzRldQx2jJBz1O4EH1Ua1DL
|
|
yBVy58yvFpZdFVkqS8dEw2NHdxcAHOMcpzypvgTNxupJs+BQm/kWw7FhnMuXWkCb
|
|
4vpgzaLk4q+TzawMLBRTbIvT3DJVj9W5spV7kkl66RZsjbouCWJKRB4GF7mQ04GH
|
|
hS6QqqMsvtIMmk5QVkrN7BmGJhv6x0+7iLtiJYP6mYC7DDyHzLNFFSGsTHuE0gq2
|
|
us7dJkpixfnoWIJXhglsWPLb6d8HiDa5dA7lz3Z5AP926EVVvNqLJxED/0sEZjXo
|
|
xAdZMM4bDTiXKOW8hKCvdY1xJxe1+stsvqFToRHX1ycj/21jqoPaj3CKwocwZB+f
|
|
C1bayxFcTeZMBNONXF8XRa2BXYEViIvQ4Z57emLjvgzx6HMAKwqvjYY4r/xdP1xI
|
|
5BdxGyKGLksuVUdGOH74zHwkt8L4CKWJrwvV5LS++m/HL+3HteHdSydN0FcH+/eg
|
|
x84HfZMw8KJUM0ev1v28Vg2ySyto18uVFVBDGgVuxaYA6Trt3009/fj/+Qd6BURI
|
|
aGJslS8OOophSUU97W2LYEtw2sqYuH3g/d6tN/iNDGwp8a45nEwAP12jHlqZ+Enm
|
|
ZzuLhEMgv92vYOOUyJf0CJEfpBAmc2guufLbu6jetOXRUsWc/AcIg6EXv9ZRuJq+
|
|
L4xyLjdw4i1IUGd065YSP59V80vcexDYlwOHC89UPHfiQ+pViDujOBECWlITaK6l
|
|
LoZzYi8h2vcjA1QWbAX4/Eupmedrjh2c4Ldy76YLjxX40GlbRyzGhTf4GHqj3mpJ
|
|
466rJDFrPxa9QPmQoFkKalY6Ioj2VryASmMsUNx5dhucRjLI3vt++HLcDLAkA7jk
|
|
f/ZRELYe7xdF41bQrjDZ+sQCxtQMZO+jPutNbe+bTt9KQ9X8J7+9au70Gw4K5dk+
|
|
mjdYk9gNkyPz9iy2gWI6PUo7jeli2CraA2SnNSRbyioPmm3YfO+LfQrnwRVQ54e/
|
|
dJbTABNgOx+RMl4szQELpQV0VRT6mVNEdkR3fOjf9xLC+R2yC8sT0HOR0/rJMHbp
|
|
oHghshGqj7ZKh5tQfWaG1d9f80/gh/oGOeI1OGdrf5dkquRAO6qy5pq5ggoAMwO/
|
|
Dgy8glXrmPfvaIfutg4+sOKumqcduBB7/KVc2FLsSFdxs9uiwAHbUv3qXcJRQYJM
|
|
AaikplrHLx8UR76nRWEuwrqQXX1UfKuAGQPg66uYMKP3X049F1bkObajII13smZL
|
|
P8KHMxuKEbtK1e4dTYxOBQ7gMSwl+sY+dVTP6b9h0GyRwlvQkwSum4RuTsw=
|
|
-----END PRIVATE KEY-----
|