-
Notifications
You must be signed in to change notification settings - Fork 837
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ML-DSA/Dilithium: obtain security level from DER when decoding #8177
ML-DSA/Dilithium: obtain security level from DER when decoding #8177
Conversation
c6347bd
to
dd1ddb7
Compare
encoded key based on the algorithm type OID - Add test coverage for decoding DER keys without level specified
dd1ddb7
to
0e6ac11
Compare
Consider changing call to DecodeAsymKey_Assign() to call DecodeAsymKey_ex(), a new function, which returns the OID. |
@SparkiDev I had originally thought about modifying If you would rather see this rolled out globally then I can do that, but perhaps we could add that in a subsequent PR? I'd prefer to just get this in for Dilithium now, so some wolfHSM features depending on this functionality can be completed. I agree that this would be great generic functionality to have though, and would be happy to take a stab at it. Let me know your thoughts. |
26a59b0
to
6b1b6ec
Compare
All the PQC algorithms go through here and they pass in the OID. |
0ad6d4a
to
f672105
Compare
@SparkiDev Okay, spent some time today refactoring the code to pull OID detection into |
Jenkins retest this please |
wolfssl/wolfcrypt/asn.h
Outdated
@@ -2542,6 +2542,10 @@ WOLFSSL_LOCAL int SetAsymKeyDerPublic(const byte* pubKey, word32 pubKeyLen, | |||
WOLFSSL_LOCAL int DecodeAsymKeyPublic_Assign(const byte* input, | |||
word32* inOutIdx, word32 inSz, const byte** pubKey, word32* pubKeyLen, | |||
int keyType); | |||
WOLFSSL_LOCAL int DecodeAsymKeyPublic_Assign_ex(const byte* input, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since DecodeAsymKeyPublic_Assign
is a local function it is fine with me to change all uses of it... Vs asking another _ex.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, made the change in 2207791. If @SparkiDev insists on the _ex function as he originally suggested we can just revert that commit.
…ed in original _Assign function
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[quantum-safe-wolfssl-all-clang-tidy] [1 of 1] [2207791aab]
autogen.sh 2207791aab... real 0m10.667s user 0m8.739s sys 0m1.113s
configure... real 0m27.840s user 0m14.860s sys 0m15.123s
build... real 3m16.297s user 19m42.864s sys 0m28.443s
check...FAIL: scripts/unit.test
real 0m26.240s user 0m24.799s sys 0m9.948s
ERROR - tests/api.c line 34847 failed with:
expected: wc_Dilithium_PublicKeyDecode(der, &idx, key, pubDerLen) == (BAD_FUNC_ARG)
result: -140 != -173
ERROR - tests/api.c line 98894 failed with:
expected: Test failed
result: ret 0
Testing TLSv1_2
Testing DTLSv1_2
passed ( 0.00096)
1001: test_wolfSSL_Cleanup : passed ( 0.00000)
FAILURES:
285: test_wc_dilithium_der
End API Tests
FAIL scripts/unit.test (exit status: 1)
scripts/unit.log tail:
Testing TLSv1_2
Testing DTLSv1_2
passed ( 0.00096)
1001: test_wolfSSL_Cleanup : passed ( 0.00000)
FAILURES:
285: test_wc_dilithium_der
End API Tests
FAIL scripts/unit.test (exit status: 1)
check exited with status 2
retry? [y] n
quantum-safe-wolfssl-all-clang-tidy fail_check
failed config: '--srcdir' '.' '--disable-jobserver' '--enable-option-checking=fatal' '--enable-all' '--enable-testcert' '--enable-intelasm' '--enable-sp-asm' '--enable-experimental' '--enable-kyber' '--enable-lms' '--enable-xmss' '--enable-dilithium' '--disable-qt' 'CPPFLAGS=-DWOLFSSL_SP_INT_NEGATIVE -DNO_WOLFSSL_CIPHER_SUITE_TEST -DWOLFSSL_OLD_PRIME_CHECK -pedantic -DSP_ALLOC -DWOLFSSL_CLANG_TIDY' 'CC=/home/davidgarske/GitHub/testing/git-hooks/clang-tidy-builder.sh' 'CLANG=/usr/lib/llvm-18/bin/clang-18' 'CFLAGS=-Wunreachable-code-aggressive -Wthread-safety -Wloop-analysis -Wenum-compare-conditional -fcolor-diagnostics -fcomplete-member-pointers -Wheader-hygiene -Wstring-conversion -Wtautological-overlap-compare -Wno-language-extension-token -Wunreachable-code-break -Wunreachable-code-return -Wimplicit-fallthrough -Wno-language-extension-token'
BUILD_ENV: 'CLANG_TIDY=/usr/lib/llvm-18/bin/clang-tidy' 'CLANG=/usr/lib/llvm-18/bin/clang-18' 'CLANG_TIDY_EXTRA_ARGS=--use-color=1 --quiet -line-filter=[{"name":"asn1.h","lines":[[1,166]]},{"name":".c"},{"name":".h"},{"name":".s"},{"name":".S"},{"name":".i"}]' 'CLANG_OVERRIDE_CFLAGS=' 'FAIL_BUILD_CODENAME=fail_analytic_build' 'MAX_FIPS_CODE_SZ=10000000'
EXE: 'run_untrusted_task' 'make' 'EXTRA_CFLAGS=-fdiagnostics-color=always -fmax-errors=20' '--quiet' 'WOLFSSL_OPENSSL_TEST=1' '-j' '42' 'check'
exiting with status 2
results for 2207791aab:
failed: quantum-safe-wolfssl-all-clang-tidy
final tally for 2207791aab with build env de3c7da84a: 0 of 1 check succeeded, 0 skipped, 0 forced, and 1 failed.
stopped at config: 'quantum-safe-wolfssl-all-clang-tidy' '--srcdir' '.' '--disable-jobserver' '--enable-option-checking=fatal' '--enable-all' '--enable-testcert' '--enable-intelasm' '--enable-sp-asm' '--enable-experimental' '--enable-kyber' '--enable-lms' '--enable-xmss' '--enable-dilithium' '--disable-qt' 'CPPFLAGS=-DWOLFSSL_SP_INT_NEGATIVE -DNO_WOLFSSL_CIPHER_SUITE_TEST -DWOLFSSL_OLD_PRIME_CHECK -pedantic -DSP_ALLOC -DWOLFSSL_CLANG_TIDY' 'CC=/home/davidgarske/GitHub/testing/git-hooks/clang-tidy-builder.sh' 'CLANG=/usr/lib/llvm-18/bin/clang-18' 'CFLAGS=-Wunreachable-code-aggressive -Wthread-safety -Wloop-analysis -Wenum-compare-conditional -fcolor-diagnostics -fcomplete-member-pointers -Wheader-hygiene -Wstring-conversion -Wtautological-overlap-compare -Wno-language-extension-token -Wunreachable-code-break -Wunreachable-code-return -Wimplicit-fallthrough -Wno-language-extension-token'
$ cd /tmp/wolfssl_test_workdir.3444126/wolfssl
davidgarske@P700-XEON:/tmp/wolfssl_test_workdir.3444126/wolfssl$ ./tests/unit.test -285
starting unit tests...
Begin API Tests
285: test_wc_dilithium_der :
ERROR - tests/api.c line 34847 failed with:
expected: wc_Dilithium_PublicKeyDecode(der, &idx, key, pubDerLen) == (BAD_FUNC_ARG)
result: -140 != -173
failed ( 0.00012)
ERROR - tests/api.c line 98894 failed with:
expected: Test failed
result: ret 0
FAILURES:
285: test_wc_dilithium_der
End API Tests
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No additional changes. Agree with Sean that the API should be extended rather than changed. A couple of questions but I think this is close.
Jenkins retest this please |
Jenkins retest this please |
Hi @bigbrett , This PR seems to have broken some of the tests. Can you please review the issue and put up a PR?
|
Description
Similar to #8129, wolfHSM needs to be able to "blindly" decode a DER key without knowing its exact contents. In this case it just knows that an item is an ML-DSA key, and nothing more. This change allows the security level to be set dynamically in the output
MlDsaKey
struct based on the algorithm OID in the DER file.Testing
Added new wolfCrypt test coverage for decoding keys without specifying a level
Checklist