Add XMSS support to powerdns

Author: jgoertzen-sb

Dockerfile-auth

@@ -7,28 +7,31 @@ RUN apt-get update && apt-get -y dist-upgrade && apt-get clean
 # sudo apt install cmake gcc libtool libssl-dev make ninja-build git
 RUN apt-get install -y --no-install-recommends \
     # original requirements
-    cmake gcc libtool libssl-dev make ninja-build git \
+    cmake gcc libtool make ninja-build git \
     # added by us
-    astyle python3-pytest python3-pytest-xdist unzip xsltproc doxygen \
+    astyle python3-pytest python3-pytest-xdist unzip xsltproc doxygen libluajit-5.1-dev liblua5.3-dev \
     graphviz apt-transport-https ca-certificates build-essential systemd
 # ???
 # RUN update-ca-certificates
 
 WORKDIR /source/
 
+RUN apt remove openssl libssl-dev -y
 RUN git clone --branch openssl-3.2.0 https://github.com/openssl/openssl.git openssl-source/
-RUN git clone https://github.com/open-quantum-safe/liboqs.git
-RUN mkdir liboqs/build/
-RUN cd liboqs/build/ && cmake -GNinja ..
-RUN cd liboqs/build/ && ninja
-RUN cd liboqs/build/ && ninja install
 RUN cd openssl-source/ && ./Configure -lm no-docs --libdir=lib
 RUN cd openssl-source/ && make
 RUN cd openssl-source/ && make install
+RUN git clone --branch stateful-sigs https://github.com/open-quantum-safe/liboqs.git
+RUN mkdir liboqs/build/
+RUN cd liboqs/build/ && cmake -GNinja -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON ..
+RUN cd liboqs/build/ && ninja
+RUN cd liboqs/build/ && ninja install
 RUN git clone https://github.com/open-quantum-safe/oqs-provider.git
 ENV LD_LIBRARY_PATH=/usr/local/lib
-RUN cd oqs-provider/ && cmake -S . -B _build && cmake --build _build && ctest --test-dir _build && cmake --install _build
-
+RUN cd oqs-provider/ && cmake -S . -B _build
+RUN cd oqs-provider/ && cmake --build _build
+RUN cd oqs-provider/ && ctest --test-dir _build
+RUN cd oqs-provider/ && cmake --install _build --config DebPack
 
 ENV NO_LUA_JIT="s390x arm64"
 

Dockerfile-recursor

@@ -15,24 +15,28 @@ RUN apt-get install -y --no-install-recommends \
     # original requirements
     cmake gcc libtool libssl-dev make ninja-build git \
     # added by us
-    astyle python3-pytest python3-pytest-xdist unzip xsltproc doxygen \
+    astyle python3-pytest python3-pytest-xdist unzip xsltproc doxygen libluajit-5.1-dev liblua5.3-dev \
     graphviz apt-transport-https ca-certificates build-essential systemd
 
 
 WORKDIR /source/
+
+RUN apt remove openssl libssl-dev -y
 RUN git clone --branch openssl-3.2.0 https://github.com/openssl/openssl.git openssl-source/
-RUN git clone https://github.com/open-quantum-safe/liboqs.git
-RUN mkdir liboqs/build/
-RUN cd liboqs/build/ && cmake -GNinja ..
-RUN cd liboqs/build/ && ninja
-RUN cd liboqs/build/ && ninja install
 RUN cd openssl-source/ && ./Configure -lm no-docs --libdir=lib
 RUN cd openssl-source/ && make
 RUN cd openssl-source/ && make install
+RUN git clone --branch stateful-sigs https://github.com/open-quantum-safe/liboqs.git
+RUN mkdir liboqs/build/
+RUN cd liboqs/build/ && cmake -GNinja -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON ..
+RUN cd liboqs/build/ && ninja
+RUN cd liboqs/build/ && ninja install
 RUN git clone https://github.com/open-quantum-safe/oqs-provider.git
-ENV LD_LIBRARY_PATH=/usr/local/lib
-RUN cd oqs-provider/ && cmake -S . -B _build && cmake --build _build && ctest --test-dir _build && cmake --install _build
-
+#ENV LD_LIBRARY_PATH=/usr/local/lib
+RUN cd oqs-provider/ && cmake -S . -B _build
+RUN cd oqs-provider/ && cmake --build _build
+RUN cd oqs-provider/ && ctest --test-dir _build
+RUN cd oqs-provider/ && cmake --install _build --config DebPack
 ENV NO_LUA_JIT="s390x arm64"
 
 # Reusable layer for base update
@@ -59,9 +63,6 @@ COPY .git /source/.git
 COPY builder-support/helpers/install_rust.sh /source/install_rust.sh
 RUN /source/install_rust.sh
 
-COPY builder-support/helpers/install_rust.sh /source/install_rust.sh
-RUN /source/install_rust.sh
-
 # build and install (TODO: before we hit this line, rearrange /source structure if we are coming from a tarball)
 WORKDIR /source/pdns/recursordist
 

PQC.md

@@ -37,7 +37,7 @@ An example can be found down belox (this is only meant as inspiration):
       throw runtime_error(getName()+" unknown algorithm "+std::to_string(d_algorithm));
     }
 ``` 
-**Important:** The NID of the new algorithm shoudl correspond to the NID declared in the OQS library.
+**Important:** The NID of the new algorithm should correspond to the NID declared in the OQS library.
 
 The *convertToISCVector()* function must also be changed to support the new algorithm like follows:
 ```

pdns/Makefile.am

@@ -243,6 +243,7 @@ pdns_server_SOURCES = \
 	iputils.cc iputils.hh \
 	ixfr.cc ixfr.hh \
 	json.cc json.hh \
+	liboqssigners.cc liboqssigners.hh \
 	lock.hh \
 	logger.cc logger.hh \
 	logging.hh \
@@ -376,6 +377,7 @@ pdnsutil_SOURCES = \
 	ipcipher.cc ipcipher.hh \
 	iputils.cc iputils.hh \
 	json.cc \
+	liboqssigners.cc liboqssigners.hh \
 	logger.cc \
 	lua-auth4.cc lua-auth4.hh \
 	lua-base4.cc lua-base4.hh \
@@ -1362,6 +1364,7 @@ testrunner_SOURCES = \
 	ipcipher.cc ipcipher.hh \
 	iputils.cc \
 	ixfr.cc ixfr.hh \
+	liboqssigners.cc liboqssigners.hh \
 	logger.cc \
 	lua-auth4.hh lua-auth4.cc \
 	lua-base4.hh lua-base4.cc \

pdns/dbdnsseckeeper.cc

@@ -86,34 +86,34 @@ bool DNSSECKeeper::isPresigned(const DNSName& name, bool useCache)
 }
 
 
-bool DNSSECKeeper::addKey(const DNSName& name, bool setSEPBit, int algorithm, int64_t& id, int bits, bool active, bool published)
+bool DNSSECKeeper::addKey(const DNSName& name, bool setSEPBit, int algorithm, int64_t& id, int key_param, bool active, bool published)
 {
-  if(!bits) {
+  if(!key_param) {
     if(algorithm <= 10)
-      throw runtime_error("Creating an algorithm " +std::to_string(algorithm)+" ("+algorithm2name(algorithm)+") key requires the size (in bits) to be passed.");
+      throw runtime_error("Creating an algorithm " +std::to_string(algorithm)+" ("+algorithm2name(algorithm)+") key requires the size (in bits) to be passed via key_param.");
     else {
       if(algorithm == DNSSECKeeper::ECCGOST || algorithm == DNSSECKeeper::ECDSA256 || algorithm == DNSSECKeeper::ED25519)
-        bits = 256;
+        key_param = 256;
       else if(algorithm == DNSSECKeeper::ECDSA384)
-        bits = 384;
+        key_param = 384;
       else if(algorithm == DNSSECKeeper::ED448)
-        bits = 456;
+        key_param = 456;
       else if(algorithm == DNSSECKeeper::FALCON512)
-        bits = 10248;
+        key_param = 10248;
       else if(algorithm == DNSSECKeeper::DILITHIUM2)
-        bits = 20224;
+        key_param = 20224;
       else if(algorithm == DNSSECKeeper::SPHINCSSHA256128S)
-        bits = 512;
+        key_param = 512;
       else {
         throw runtime_error("Can not guess key size for algorithm "+std::to_string(algorithm));
       }
     }
   }
   shared_ptr<DNSCryptoKeyEngine> dpk(DNSCryptoKeyEngine::make(algorithm));
   try{
-    dpk->create(bits);
+    dpk->create(key_param);
   } catch (const std::runtime_error& error){
-    throw runtime_error("The algorithm does not support the given bit size.");
+    throw runtime_error("The algorithm does not support the given key parameter.");
   }
   DNSSECPrivateKey dspk;
   dspk.setKey(dpk, setSEPBit ? 257 : 256, algorithm);

pdns/dnsseckeeper.hh

@@ -29,6 +29,7 @@
 #include <boost/multi_index/ordered_index.hpp>
 #include <boost/multi_index/key_extractors.hpp>
 #include <boost/multi_index/sequenced_index.hpp>
+#include "liboqssigners.hh"
 #include "dnssecinfra.hh"
 #include "dnsrecords.hh"
 #include "ueberbackend.hh"
@@ -56,7 +57,9 @@ public:
     ED448=16,
     FALCON512=17,
     DILITHIUM2=18,
-    SPHINCSSHA256128S=19
+    SPHINCSSHA256128S=19,
+    XMSS=20,
+    XMSSMT=21,
   };
 
   enum dsdigestalgorithm_t : uint8_t {
@@ -117,6 +120,8 @@ public:
     if (pdns_iequals(algorithm, "falcon512")) return FALCON512;
     if (pdns_iequals(algorithm, "dilithium2")) return DILITHIUM2;
     if (pdns_iequals(algorithm, "sphincs+-sha256-128s")) return SPHINCSSHA256128S;
+    if (pdns_iequals(algorithm, "xmss")) return XMSS;
+    if (pdns_iequals(algorithm, "xmssmt")) return XMSSMT;
     if (pdns_iequals(algorithm, "indirect")) return 252;
     if (pdns_iequals(algorithm, "privatedns")) return 253;
     if (pdns_iequals(algorithm, "privateoid")) return 254;
@@ -165,6 +170,10 @@ public:
         return "dilithium2";
       case SPHINCSSHA256128S:
         return "sphincs+-sha256-128s";
+      case XMSS:
+        return "xmss";
+      case XMSSMT:
+	return "xmssmt";
       case 252:
         return "INDIRECT";
       case 253:
@@ -175,6 +184,19 @@ public:
         return "Unallocated/Reserved";
     }
   }
+  
+  static int setupParam(string &algorithm, int param)
+  {
+    if (algorithm.rfind("xmssmt", 0) == 0) {
+      param = xmssmtPdnsName2Param(algorithm);
+      algorithm = "xmssmt";
+    }
+    else if (algorithm.rfind("xmss", 0) == 0) {
+      param = xmssPdnsName2Param(algorithm);
+      algorithm = "xmss";
+    }
+    return param;
+  }
 
 private:
   UeberBackend* d_keymetadb;
@@ -207,7 +229,7 @@ public:
   keyset_t getEntryPoints(const DNSName& zname);
   keyset_t getKeys(const DNSName& zone, bool useCache = true);
   DNSSECPrivateKey getKeyById(const DNSName& zone, unsigned int id);
-  bool addKey(const DNSName& zname, bool setSEPBit, int algorithm, int64_t& id, int bits=0, bool active=true, bool published=true);
+  bool addKey(const DNSName& zname, bool setSEPBit, int algorithm, int64_t& id, int key_param=0, bool active=true, bool published=true);
   bool addKey(const DNSName& zname, const DNSSECPrivateKey& dpk, int64_t& id, bool active=true, bool published=true);
   bool removeKey(const DNSName& zname, unsigned int id);
   bool activateKey(const DNSName& zname, unsigned int id);

pdns/opensslsigners.cc

@@ -1773,7 +1773,7 @@ class OpenSSLPQCDNSCryptoKeyEngine : public DNSCryptoKeyEngine
       d_priv_len = 1281;
       d_pub_len = 897;
       d_sig_len = 666;
-      d_algname = "falcon512";
+      d_algname = "falconpadded512";
     }
     else if (d_algorithm == DNSSECKeeper::DILITHIUM2) {
       d_priv_len = 2528;

pdns/pdnsutil.cc

@@ -2292,19 +2292,19 @@ static bool secureZone(DNSSECKeeper& dk, const DNSName& zone)
 
   // parse attribute
   string k_algo = ::arg()["default-ksk-algorithm"];
-  int k_size = ::arg().asNum("default-ksk-size");
+  int k_param = ::arg().asNum("default-ksk-size");
   string z_algo = ::arg()["default-zsk-algorithm"];
-  int z_size = ::arg().asNum("default-zsk-size");
+  int z_param = ::arg().asNum("default-zsk-size");
 
-  if (k_size < 0) {
+  if (k_param < 0) {
     throw runtime_error("KSK key size must be equal to or greater than 0");
   }
 
   if (k_algo.empty() && z_algo.empty()) {
     throw runtime_error("Zero algorithms given for KSK+ZSK in total");
   }
 
-  if (z_size < 0) {
+  if (z_param < 0) {
     throw runtime_error("ZSK key size must be equal to or greater than 0");
   }
 
@@ -2313,6 +2313,8 @@ static bool secureZone(DNSSECKeeper& dk, const DNSName& zone)
     return false;
   }
 
+
+
   DomainInfo di;
   UeberBackend B("default");
   // di.backend and B are mostly identical
@@ -2327,16 +2329,19 @@ static bool secureZone(DNSSECKeeper& dk, const DNSName& zone)
   }
 
   if (!k_algo.empty()) { // Add a KSK
-    if (k_size)
-      cout << "Securing zone with key size " << k_size << endl;
+    k_param = DNSSECKeeper::setupParam(k_algo, k_param);
+    if (k_param && k_algo != "xmss")
+      cout << "Securing zone with key size " << k_param << endl;
+    else if (k_param && k_algo == "xmss")
+      cout << "Securing zone with xmss oid " << k_param << endl;
     else
       cout << "Securing zone with default key size" << endl;
 
     cout << "Adding " << (z_algo.empty() ? "CSK (257)" : "KSK") << " with algorithm " << k_algo << endl;
 
     int k_real_algo = DNSSECKeeper::shorthand2algorithm(k_algo);
 
-    if (!dk.addKey(zone, true, k_real_algo, id, k_size, true, true)) {
+    if (!dk.addKey(zone, true, k_real_algo, id, k_param, true, true)) {
       cerr << "No backend was able to secure '" << zone << "', most likely because no DNSSEC" << endl;
       cerr << "capable backends are loaded, or because the backends have DNSSEC disabled." << endl;
       cerr << "For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or" << endl;
@@ -2346,11 +2351,12 @@ static bool secureZone(DNSSECKeeper& dk, const DNSName& zone)
   }
 
   if (!z_algo.empty()) {
+    z_param = DNSSECKeeper::setupParam(z_algo, z_param);
     cout << "Adding " << (k_algo.empty() ? "CSK (256)" : "ZSK") << " with algorithm " << z_algo << endl;
 
     int z_real_algo = DNSSECKeeper::shorthand2algorithm(z_algo);
 
-    if (!dk.addKey(zone, false, z_real_algo, id, z_size, true, true)) {
+    if (!dk.addKey(zone, false, z_real_algo, id, z_param, true, true)) {
       cerr << "No backend was able to secure '" << zone << "', most likely because no DNSSEC" << endl;
       cerr << "capable backends are loaded, or because the backends have DNSSEC disabled." << endl;
       cerr << "For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or" << endl;
@@ -3057,47 +3063,55 @@ try {
     // need to get algorithm, bits & ksk or zsk from commandline
     bool keyOrZone = false;
     int tmp_algo = 0;
-    int bits = 0;
+    int key_param = 0;
+    int tmp_param = 0;
     int algorithm = DNSSECKeeper::ECDSA256;
     bool active = false;
     bool published = true;
     for (unsigned int n = 2; n < cmds.size(); ++n) {
-      if (pdns_iequals(cmds.at(n), "zsk"))
+      std::string cmd = cmds.at(n);
+      if (pdns_iequals(cmd, "zsk"))
         keyOrZone = false;
-      else if (pdns_iequals(cmds.at(n), "ksk"))
+      else if (pdns_iequals(cmd, "ksk"))
         keyOrZone = true;
-      else if ((tmp_algo = DNSSECKeeper::shorthand2algorithm(cmds.at(n))) > 0) {
+      else if ((tmp_param = DNSSECKeeper::setupParam(cmd, key_param)) != key_param) {
+        key_param = tmp_param;
+	algorithm = DNSSECKeeper::shorthand2algorithm(cmd);
+      }
+      else if ((tmp_algo = DNSSECKeeper::shorthand2algorithm(cmd)) > 0) {
         algorithm = tmp_algo;
       }
-      else if (pdns_iequals(cmds.at(n), "active")) {
+      else if (pdns_iequals(cmd, "active")) {
         active = true;
       }
-      else if (pdns_iequals(cmds.at(n), "inactive") || pdns_iequals(cmds.at(n), "passive")) { // 'passive' eventually needs to be removed
+      else if (pdns_iequals(cmd, "inactive") || pdns_iequals(cmd, "passive")) { // 'passive' eventually needs to be removed
         active = false;
       }
-      else if (pdns_iequals(cmds.at(n), "published")) {
+      else if (pdns_iequals(cmd, "published")) {
         published = true;
       }
-      else if (pdns_iequals(cmds.at(n), "unpublished")) {
+      else if (pdns_iequals(cmd, "unpublished")) {
         published = false;
       }
-      else if (pdns::checked_stoi<int>(cmds.at(n)) != 0) {
-        pdns::checked_stoi_into(bits, cmds.at(n));
+      else if (pdns::checked_stoi<int>(cmd) != 0) {
+        pdns::checked_stoi_into(key_param, cmd);
       }
       else {
-        cerr << "Unknown algorithm, key flag or size '" << cmds.at(n) << "'" << endl;
+        cerr << "Unknown algorithm, key flag or size '" << cmd << "'" << endl;
         return EXIT_FAILURE;
       }
     }
     int64_t id{-1};
-    if (!dk.addKey(zone, keyOrZone, algorithm, id, bits, active, published)) {
+    if (!dk.addKey(zone, keyOrZone, algorithm, id, key_param, active, published)) {
       cerr << "Adding key failed, perhaps DNSSEC not enabled in configuration?" << endl;
       return 1;
     }
     else {
       cerr << "Added a " << (keyOrZone ? "KSK" : "ZSK") << " with algorithm = " << algorithm << ", active=" << active << endl;
-      if (bits)
-        cerr << "Requested specific key size of " << bits << " bits" << endl;
+      if (key_param && (algorithm == DNSSECKeeper::XMSS || algorithm == DNSSECKeeper::XMSSMT))
+        cerr << "Requested xmss(mt) key with oid " << key_param << endl;
+      else if (key_param)
+        cerr << "Requested specific key size of " << key_param << " bits" << endl;
       if (id == -1) {
         cerr << std::to_string(id) << ": Key was added, but backend does not support returning of key id" << endl;
       }