Path: blob/main/crypto/openssl/providers/implementations/encode_decode/ml_dsa_codecs.c
48383 views
/*1* Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.2*3* Licensed under the Apache License 2.0 (the "License"). You may not use4* this file except in compliance with the License. You can obtain a copy5* in the file LICENSE in the source distribution or at6* https://www.openssl.org/source/license.html7*/89#include <string.h>10#include <openssl/byteorder.h>11#include <openssl/err.h>12#include <openssl/proverr.h>13#include <openssl/x509.h>14#include <openssl/core_names.h>15#include "internal/encoder.h"16#include "prov/ml_dsa.h"17#include "ml_dsa_codecs.h"1819/*-20* Tables describing supported ASN.1 input/output formats.21*/2223/*-24* ML-DSA-44:25* Public key bytes: 1312 (0x0520)26* Private key bytes: 2560 (0x0a00)27*/28static const ML_COMMON_SPKI_FMT ml_dsa_44_spkifmt = {29{ 0x30, 0x82, 0x05, 0x32, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48,300x01, 0x65, 0x03, 0x04, 0x03, 0x11, 0x03, 0x82, 0x05, 0x21, 0x00, }31};32static const ML_COMMON_PKCS8_FMT ml_dsa_44_p8fmt[NUM_PKCS8_FORMATS] = {33{ "seed-priv", 0x0a2a, 0, 0x30820a26, 0x0420, 6, 0x20, 0x04820a00, 0x2a, 0x0a00, 0, 0, },34{ "priv-only", 0x0a04, 0, 0x04820a00, 0, 0, 0, 0, 0x04, 0x0a00, 0, 0, },35{ "oqskeypair", 0x0f24, 0, 0x04820f20, 0, 0, 0, 0, 0x04, 0x0a00, 0x0a04, 0x0520 },36{ "seed-only", 0x0022, 2, 0x8020, 0, 2, 0x20, 0, 0, 0, 0, 0, },37{ "bare-priv", 0x0a00, 4, 0, 0, 0, 0, 0, 0, 0x0a00, 0, 0, },38{ "bare-seed", 0x0020, 4, 0, 0, 0, 0x20, 0, 0, 0, 0, 0, },39};4041/*42* ML-DSA-65:43* Public key bytes: 1952 (0x07a0)44* Private key bytes: 4032 (0x0fc0)45*/46static const ML_COMMON_SPKI_FMT ml_dsa_65_spkifmt = {47{ 0x30, 0x82, 0x07, 0xb2, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48,480x01, 0x65, 0x03, 0x04, 0x03, 0x12, 0x03, 0x82, 0x07, 0xa1, 0x00, }49};50static const ML_COMMON_PKCS8_FMT ml_dsa_65_p8fmt[NUM_PKCS8_FORMATS] = {51{ "seed-priv", 0x0fea, 0, 0x30820fe6, 0x0420, 6, 0x20, 0x04820fc0, 0x2a, 0x0fc0, 0, 0, },52{ "priv-only", 0x0fc4, 0, 0x04820fc0, 0, 0, 0, 0, 0x04, 0x0fc0, 0, 0, },53{ "oqskeypair", 0x1764, 0, 0x04821760, 0, 0, 0, 0, 0x04, 0x0fc0, 0x0fc4, 0x07a0 },54{ "seed-only", 0x0022, 2, 0x8020, 0, 2, 0x20, 0, 0, 0, 0, 0, },55{ "bare-priv", 0x0fc0, 4, 0, 0, 0, 0, 0, 0, 0x0fc0, 0, 0, },56{ "bare-seed", 0x0020, 4, 0, 0, 0, 0x20, 0, 0, 0, 0, 0, },57};5859/*-60* ML-DSA-87:61* Public key bytes: 2592 (0x0a20)62* Private key bytes: 4896 (0x1320)63*/64static const ML_COMMON_SPKI_FMT ml_dsa_87_spkifmt = {65{ 0x30, 0x82, 0x0a, 0x32, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48,660x01, 0x65, 0x03, 0x04, 0x03, 0x13, 0x03, 0x82, 0x0a, 0x21, 0x00, }67};68static const ML_COMMON_PKCS8_FMT ml_dsa_87_p8fmt[NUM_PKCS8_FORMATS] = {69{ "seed-priv", 0x134a, 0, 0x30821346, 0x0420, 6, 0x20, 0x04821320, 0x2a, 0x1320, 0, 0, },70{ "priv-only", 0x1324, 0, 0x04821320, 0, 0, 0, 0, 0x04, 0x1320, 0, 0, },71{ "oqskeypair", 0x1d44, 0, 0x04821d40, 0, 0, 0, 0, 0x04, 0x1320, 0x1324, 0x0a20 },72{ "seed-only", 0x0022, 2, 0x8020, 0, 2, 0x20, 0, 0, 0, 0, 0, },73{ "bare-priv", 0x1320, 4, 0, 0, 0, 0, 0, 0, 0x1320, 0, 0, },74{ "bare-seed", 0x0020, 4, 0, 0, 0, 0x20, 0, 0, 0, 0, 0, },75};7677/* Indices of slots in the codec table below */78#define ML_DSA_44_CODEC 079#define ML_DSA_65_CODEC 180#define ML_DSA_87_CODEC 28182/*83* Per-variant fixed parameters84*/85static const ML_COMMON_CODEC codecs[3] = {86{ &ml_dsa_44_spkifmt, ml_dsa_44_p8fmt },87{ &ml_dsa_65_spkifmt, ml_dsa_65_p8fmt },88{ &ml_dsa_87_spkifmt, ml_dsa_87_p8fmt }89};9091/* Retrieve the parameters of one of the ML-DSA variants */92static const ML_COMMON_CODEC *ml_dsa_get_codec(int evp_type)93{94switch (evp_type) {95case EVP_PKEY_ML_DSA_44:96return &codecs[ML_DSA_44_CODEC];97case EVP_PKEY_ML_DSA_65:98return &codecs[ML_DSA_65_CODEC];99case EVP_PKEY_ML_DSA_87:100return &codecs[ML_DSA_87_CODEC];101}102return NULL;103}104105ML_DSA_KEY *106ossl_ml_dsa_d2i_PUBKEY(const uint8_t *pk, int pk_len, int evp_type,107PROV_CTX *provctx, const char *propq)108{109OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);110const ML_COMMON_CODEC *codec;111const ML_DSA_PARAMS *params;112ML_DSA_KEY *ret;113114if ((params = ossl_ml_dsa_params_get(evp_type)) == NULL115|| (codec = ml_dsa_get_codec(evp_type)) == NULL)116return NULL;117if (pk_len != ML_COMMON_SPKI_OVERHEAD + (ossl_ssize_t) params->pk_len118|| memcmp(pk, codec->spkifmt->asn1_prefix, ML_COMMON_SPKI_OVERHEAD) != 0)119return NULL;120pk_len -= ML_COMMON_SPKI_OVERHEAD;121pk += ML_COMMON_SPKI_OVERHEAD;122123if ((ret = ossl_ml_dsa_key_new(libctx, propq, evp_type)) == NULL)124return NULL;125126if (!ossl_ml_dsa_pk_decode(ret, pk, (size_t) pk_len)) {127ERR_raise_data(ERR_LIB_PROV, PROV_R_BAD_ENCODING,128"errror parsing %s public key from input SPKI",129params->alg);130ossl_ml_dsa_key_free(ret);131return NULL;132}133134return ret;135}136137ML_DSA_KEY *138ossl_ml_dsa_d2i_PKCS8(const uint8_t *prvenc, int prvlen,139int evp_type, PROV_CTX *provctx,140const char *propq)141{142const ML_DSA_PARAMS *v;143const ML_COMMON_CODEC *codec;144ML_COMMON_PKCS8_FMT_PREF *fmt_slots = NULL, *slot;145const ML_COMMON_PKCS8_FMT *p8fmt;146ML_DSA_KEY *key = NULL, *ret = NULL;147PKCS8_PRIV_KEY_INFO *p8inf = NULL;148const uint8_t *buf, *pos;149const X509_ALGOR *alg = NULL;150const char *formats;151int len, ptype;152uint32_t magic;153uint16_t seed_magic;154const uint8_t *seed = NULL;155const uint8_t *priv = NULL;156157/* Which ML-DSA variant? */158if ((v = ossl_ml_dsa_params_get(evp_type)) == NULL159|| (codec = ml_dsa_get_codec(evp_type)) == NULL)160return 0;161162/* Extract the key OID and any parameters. */163if ((p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, &prvenc, prvlen)) == NULL)164return 0;165/* Shortest prefix is 4 bytes: seq tag/len + octet string tag/len */166if (!PKCS8_pkey_get0(NULL, &buf, &len, &alg, p8inf))167goto end;168/* Bail out early if this is some other key type. */169if (OBJ_obj2nid(alg->algorithm) != evp_type)170goto end;171172/* Get the list of enabled decoders. Their order is not important here. */173formats = ossl_prov_ctx_get_param(174provctx, OSSL_PKEY_PARAM_ML_DSA_INPUT_FORMATS, NULL);175fmt_slots = ossl_ml_common_pkcs8_fmt_order(v->alg, codec->p8fmt,176"input", formats);177if (fmt_slots == NULL)178goto end;179180/* Parameters must be absent. */181X509_ALGOR_get0(NULL, &ptype, NULL, alg);182if (ptype != V_ASN1_UNDEF) {183ERR_raise_data(ERR_LIB_PROV, PROV_R_UNEXPECTED_KEY_PARAMETERS,184"unexpected parameters with a PKCS#8 %s private key",185v->alg);186goto end;187}188if ((ossl_ssize_t)len < (ossl_ssize_t)sizeof(magic))189goto end;190191/* Find the matching p8 info slot, that also has the expected length. */192pos = OPENSSL_load_u32_be(&magic, buf);193for (slot = fmt_slots; (p8fmt = slot->fmt) != NULL; ++slot) {194if (len != (ossl_ssize_t)p8fmt->p8_bytes)195continue;196if (p8fmt->p8_shift == sizeof(magic)197|| (magic >> (p8fmt->p8_shift * 8)) == p8fmt->p8_magic) {198pos -= p8fmt->p8_shift;199break;200}201}202if (p8fmt == NULL203|| (p8fmt->seed_length > 0 && p8fmt->seed_length != ML_DSA_SEED_BYTES)204|| (p8fmt->priv_length > 0 && p8fmt->priv_length != v->sk_len)205|| (p8fmt->pub_length > 0 && p8fmt->pub_length != v->pk_len)) {206ERR_raise_data(ERR_LIB_PROV, PROV_R_ML_DSA_NO_FORMAT,207"no matching enabled %s private key input formats",208v->alg);209goto end;210}211212if (p8fmt->seed_length > 0) {213/* Check |seed| tag/len, if not subsumed by |magic|. */214if (pos + sizeof(uint16_t) == buf + p8fmt->seed_offset) {215pos = OPENSSL_load_u16_be(&seed_magic, pos);216if (seed_magic != p8fmt->seed_magic)217goto end;218} else if (pos != buf + p8fmt->seed_offset) {219goto end;220}221pos += ML_DSA_SEED_BYTES;222}223if (p8fmt->priv_length > 0) {224/* Check |priv| tag/len */225if (pos + sizeof(uint32_t) == buf + p8fmt->priv_offset) {226pos = OPENSSL_load_u32_be(&magic, pos);227if (magic != p8fmt->priv_magic)228goto end;229} else if (pos != buf + p8fmt->priv_offset) {230goto end;231}232pos += v->sk_len;233}234if (p8fmt->pub_length > 0) {235if (pos != buf + p8fmt->pub_offset)236goto end;237pos += v->pk_len;238}239if (pos != buf + len)240goto end;241242/*243* Collect the seed and/or key into a "decoded" private key object,244* to be turned into a real key on provider "load" or "import".245*/246if ((key = ossl_prov_ml_dsa_new(provctx, propq, evp_type)) == NULL)247goto end;248if (p8fmt->seed_length > 0)249seed = buf + p8fmt->seed_offset;250if (p8fmt->priv_length > 0)251priv = buf + p8fmt->priv_offset;252/* Any OQS public key content is ignored */253254if (ossl_ml_dsa_set_prekey(key, 0, 0,255seed, ML_DSA_SEED_BYTES, priv, v->sk_len))256ret = key;257258end:259OPENSSL_free(fmt_slots);260PKCS8_PRIV_KEY_INFO_free(p8inf);261if (ret == NULL)262ossl_ml_dsa_key_free(key);263return ret;264}265266/* Same as ossl_ml_dsa_encode_pubkey, but allocates the output buffer. */267int ossl_ml_dsa_i2d_pubkey(const ML_DSA_KEY *key, unsigned char **out)268{269const ML_DSA_PARAMS *params = ossl_ml_dsa_key_params(key);270const uint8_t *pk = ossl_ml_dsa_key_get_pub(key);271272if (pk == NULL) {273ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_A_PUBLIC_KEY,274"no %s public key data available", params->alg);275return 0;276}277if (out != NULL278&& (*out = OPENSSL_memdup(pk, params->pk_len)) == NULL)279return 0;280return (int)params->pk_len;281}282283/* Allocate and encode PKCS#8 private key payload. */284int ossl_ml_dsa_i2d_prvkey(const ML_DSA_KEY *key, uint8_t **out,285PROV_CTX *provctx)286{287const ML_DSA_PARAMS *params = ossl_ml_dsa_key_params(key);288const ML_COMMON_CODEC *codec;289ML_COMMON_PKCS8_FMT_PREF *fmt_slots, *slot;290const ML_COMMON_PKCS8_FMT *p8fmt;291uint8_t *buf = NULL, *pos;292const char *formats;293int len = ML_DSA_SEED_BYTES;294int ret = 0;295const uint8_t *seed = ossl_ml_dsa_key_get_seed(key);296const uint8_t *sk = ossl_ml_dsa_key_get_priv(key);297298/* Not ours to handle */299if ((codec = ml_dsa_get_codec(params->evp_type)) == NULL)300return 0;301302if (sk == NULL) {303ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY,304"no %s private key data available",305params->alg);306return 0;307}308309formats = ossl_prov_ctx_get_param(310provctx, OSSL_PKEY_PARAM_ML_DSA_OUTPUT_FORMATS, NULL);311fmt_slots = ossl_ml_common_pkcs8_fmt_order(params->alg, codec->p8fmt,312"output", formats);313if (fmt_slots == NULL)314return 0;315316/* If we don't have a seed, skip seedful entries */317for (slot = fmt_slots; (p8fmt = slot->fmt) != NULL; ++slot)318if (seed != NULL || p8fmt->seed_length == 0)319break;320/* No matching table entries, give up */321if (p8fmt == NULL322|| (p8fmt->seed_length > 0 && p8fmt->seed_length != ML_DSA_SEED_BYTES)323|| (p8fmt->priv_length > 0 && p8fmt->priv_length != params->sk_len)324|| (p8fmt->pub_length > 0 && p8fmt->pub_length != params->pk_len)) {325ERR_raise_data(ERR_LIB_PROV, PROV_R_ML_DSA_NO_FORMAT,326"no matching enabled %s private key output formats",327params->alg);328goto end;329}330len = p8fmt->p8_bytes;331332if (out == NULL) {333ret = len;334goto end;335}336337if ((pos = buf = OPENSSL_malloc((size_t) len)) == NULL)338goto end;339340switch (p8fmt->p8_shift) {341case 0:342pos = OPENSSL_store_u32_be(pos, p8fmt->p8_magic);343break;344case 2:345pos = OPENSSL_store_u16_be(pos, (uint16_t)p8fmt->p8_magic);346break;347case 4:348break;349default:350ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,351"error encoding %s private key", params->alg);352goto end;353}354355if (p8fmt->seed_length != 0) {356/*357* Either the tag/len were already included in |magic| or they require358* us to write two bytes now.359*/360if (pos + sizeof(uint16_t) == buf + p8fmt->seed_offset)361pos = OPENSSL_store_u16_be(pos, p8fmt->seed_magic);362if (pos != buf + p8fmt->seed_offset) {363ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,364"error encoding %s private key", params->alg);365goto end;366}367memcpy(pos, seed, ML_DSA_SEED_BYTES);368pos += ML_DSA_SEED_BYTES;369}370if (p8fmt->priv_length != 0) {371if (pos + sizeof(uint32_t) == buf + p8fmt->priv_offset)372pos = OPENSSL_store_u32_be(pos, p8fmt->priv_magic);373if (pos != buf + p8fmt->priv_offset) {374ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,375"error encoding %s private key", params->alg);376goto end;377}378memcpy(pos, sk, params->sk_len);379pos += params->sk_len;380}381/* OQS form output with tacked-on public key */382if (p8fmt->pub_length != 0) {383/* The OQS pubkey is never separately DER-wrapped */384if (pos != buf + p8fmt->pub_offset) {385ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,386"error encoding %s private key", params->alg);387goto end;388}389memcpy(pos, ossl_ml_dsa_key_get_pub(key), params->pk_len);390pos += params->pk_len;391}392393if (pos == buf + len) {394*out = buf;395ret = len;396}397398end:399OPENSSL_free(fmt_slots);400if (ret == 0)401OPENSSL_free(buf);402return ret;403}404405int ossl_ml_dsa_key_to_text(BIO *out, const ML_DSA_KEY *key, int selection)406{407const ML_DSA_PARAMS *params;408const uint8_t *seed, *sk, *pk;409410if (out == NULL || key == NULL) {411ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER);412return 0;413}414params = ossl_ml_dsa_key_params(key);415pk = ossl_ml_dsa_key_get_pub(key);416sk = ossl_ml_dsa_key_get_priv(key);417seed = ossl_ml_dsa_key_get_seed(key);418419if (pk == NULL) {420/* Regardless of the |selection|, there must be a public key */421ERR_raise_data(ERR_LIB_PROV, PROV_R_MISSING_KEY,422"no %s key material available", params->alg);423return 0;424}425426if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {427if (sk == NULL) {428ERR_raise_data(ERR_LIB_PROV, PROV_R_MISSING_KEY,429"no %s key material available", params->alg);430return 0;431}432if (BIO_printf(out, "%s Private-Key:\n", params->alg) <= 0)433return 0;434if (seed != NULL && !ossl_bio_print_labeled_buf(out, "seed:", seed,435ML_DSA_SEED_BYTES))436return 0;437if (!ossl_bio_print_labeled_buf(out, "priv:", sk, params->sk_len))438return 0;439} else if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {440if (BIO_printf(out, "%s Public-Key:\n", params->alg) <= 0)441return 0;442}443444if (!ossl_bio_print_labeled_buf(out, "pub:", pk, params->pk_len))445return 0;446447return 1;448}449450451