Skip to content

Add ML-DSA support#161

Open
Frauschi wants to merge 1 commit intowolfSSL:masterfrom
Frauschi:pkcs11_mldsa
Open

Add ML-DSA support#161
Frauschi wants to merge 1 commit intowolfSSL:masterfrom
Frauschi:pkcs11_mldsa

Conversation

@Frauschi
Copy link
Contributor

This PR adds ML-DSA signature support.

The following operations are supported:

  • Key generation (new mechanism CKM_ML_DSA_KEY_PAIR_GEN for the existing C_GenerateKeyPair() method)
  • Signature generation (new mechanisms CKM_ML_DSA and CKM_HASH_ML_DSA for the existing C_SignInit() and C_Sign() methods)
  • Signature verification (same new mechanisms for C_VerifyInit() and C_Verify())
  • Key import (via C_CreateObject())

Furthermore, the new key type CKK_ML_DSA has been added to support ML-DSA object handling.

Both the pure and pre-hash versions of ML-DSA are supported. For that, the new structures CK_SIGN_ADDITIONAL_CONTEXT and CK_HASH_SIGN_ADDITIONAL_CONTEXT are available to pass the optional context as well as the used hash function (in case of the pre-hash version). Not yet supported are the pre-hash versions that also offload the hashing onto the token.

To enable the functionality, use --enable-mldsa for autoconf and WOLFPKCS11_MLDSA for CMake. As ML-DSA is strictly a new PKCS#11 version 3.2 feature, we ensure that this is also enabled when ML-DSA is enabled (although only v2.40 interfaces are used currently).

The new functionality is also tested in the unit tests.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants