Use default OpenSSL provider for internal ML-DSA key reconstruction

[olszomal]

Current Behavior:

Relying on implicit provider selection can make ML-DSA public/private key reconstruction fail, causing operations such as C_Sign to return CKR_GENERAL_ERROR.

Scope of Changes:

This change explicitly uses provider=default when creating internal ML-DSA key contexts.

Testing:

Verified ML-DSA signing with SoftHSM, OpenSSL 3.6.2, and a development branch of the pkcs11prov provider.

Before this change, signing failed because SoftHSM could not obtain the internal OpenSSL private key. After the change, signing succeeds.

Related Pull Requests:

#823, #862, #874

Summary by CodeRabbit

• Bug Fixes
  • Refined internal cryptographic key handling for ML-DSA algorithms by explicitly configuring default provider initialization during the key reconstruction process. This ensures consistent and reliable behavior for both private and public key operations, improving system stability and compatibility with OpenSSL cryptographic frameworks.

[coderabbitai]

📝 Walkthrough

Walkthrough

Both ML-DSA key classes now explicitly specify the default provider when constructing OpenSSL EVP_PKEY contexts, replacing NULL with "provider=default" in EVP_PKEY_CTX_new_from_name calls during key reconstruction.

Changes

ML-DSA Provider Specification

Layer / File(s)	Summary
Explicit default provider for ML-DSA key context src/lib/crypto/OSSLMLDSAPrivateKey.cpp, src/lib/crypto/OSSLMLDSAPublicKey.cpp	Both OSSLMLDSAPrivateKey::createOSSLKey() and OSSLMLDSAPublicKey::createOSSLKey() update EVP_PKEY_CTX_new_from_name to pass "provider=default" instead of NULL, explicitly specifying the provider used for ML-DSA key reconstruction during EVP_PKEY_fromdata operations.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🐰 A provider so clear, explicit and bright,
No more silent NULLs hiding from sight,
Default and declared, the ML-DSA way,
Keys reconstructed with purpose today! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately summarizes the main change: explicitly specifying the default OpenSSL provider for ML-DSA key reconstruction in both private and public key files.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Infer (1.2.0)

src/lib/crypto/OSSLMLDSAPublicKey.cpp

src/lib/crypto/OSSLMLDSAPublicKey.cpp:7:10: fatal error: 'config.h' file not found
7 | #include "config.h"
| ^~~~~~~~~~
1 error generated.
Error: the following clang command did not run successfully:
/opt/infer-linux-x86_64-v1.2.0/lib/infer/facebook-clang-plugins/clang/install/bin/clang-18
@/tmp/coderabbit-infer/3b0224a31d94bbb1a91e990a239b9671f91fe28b-1af45dfea1950242/tmp/clang_command_.tmp.87d0af.txt
++Contents of '/tmp/coderabbit-infer/3b0224a31d94bbb1a91e990a239b9671f91fe28b-1af45dfea1950242/tmp/clang_command_.tmp.87d0af.txt':
"-cc1" "-load"
"/opt/infer-linux-x86_64-v1.2.0/lib/infer/infer/bin/../../facebook-clang-plugins/libtooling/build/FacebookClangPlugin.dylib"
"-add-plugin" "BiniouASTExporter" "-plugin-arg-BiniouASTExporter" "-"
"-plugin-arg-BiniouASTExporter" "PREPEND_CURRENT_DIR=1"
"-plugin-arg-BiniouASTExporter" "MAX_STRING_SIZE=65535" "-cc1" "-triple"
"x86_64-unknown-linux-gnu" "-emit-obj" "-mrelax-all" "-disable-free"

... [truncated 1082 characters] ...

b/clang/18/include"
"-internal-isystem" "/usr/local/include" "-internal-isystem"
"/usr/lib/gcc/x86_64-linux-gnu/12/../../../../x86_64-linux-gnu/include"
"-internal-externc-isystem" "/usr/include/x86_64-linux-gnu"
"-internal-externc-isystem" "/include" "-internal-externc-isystem"
"/usr/include" "-Wno-ignored-optimization-argument" "-Wno-everything"
"-fdeprecated-macro" "-ferror-limit" "19" "-fgnuc-version=4.2.1"
"-fskip-odr-check-in-gmf" "-fcxx-exceptions" "-fexceptions"
"-D__GCC_HAVE_DWARF2_CFI_ASM=1" "-o"
"/tmp/coderabbit-infer/1af45dfea1950242/file.o" "-x" "c++"
"src/lib/crypto/OSSLMLDSAPublicKey.cpp" "-O0" "-fno-builtin" "-include"
"/opt/infer-linux-x86_64-v1.2.0/lib/infer/infer/bin/../lib/clang_wrappers/global_defines.h"
"-Wno-everything"

src/lib/crypto/OSSLMLDSAPrivateKey.cpp

src/lib/crypto/OSSLMLDSAPrivateKey.cpp:7:10: fatal error: 'config.h' file not found
7 | #include "config.h"
| ^~~~~~~~~~
1 error generated.
Error: the following clang command did not run successfully:
/opt/infer-linux-x86_64-v1.2.0/lib/infer/facebook-clang-plugins/clang/install/bin/clang-18
@/tmp/coderabbit-infer/3b0224a31d94bbb1a91e990a239b9671f91fe28b-d5c41da70b670744/tmp/clang_command_.tmp.000561.txt
++Contents of '/tmp/coderabbit-infer/3b0224a31d94bbb1a91e990a239b9671f91fe28b-d5c41da70b670744/tmp/clang_command_.tmp.000561.txt':
"-cc1" "-load"
"/opt/infer-linux-x86_64-v1.2.0/lib/infer/infer/bin/../../facebook-clang-plugins/libtooling/build/FacebookClangPlugin.dylib"
"-add-plugin" "BiniouASTExporter" "-plugin-arg-BiniouASTExporter" "-"
"-plugin-arg-BiniouASTExporter" "PREPEND_CURRENT_DIR=1"
"-plugin-arg-BiniouASTExporter" "MAX_STRING_SIZE=65535" "-cc1" "-triple"
"x86_64-unknown-linux-gnu" "-emit-obj" "-mrelax-all" "-disable-free"

... [truncated 1085 characters] ...

/clang/18/include"
"-internal-isystem" "/usr/local/include" "-internal-isystem"
"/usr/lib/gcc/x86_64-linux-gnu/12/../../../../x86_64-linux-gnu/include"
"-internal-externc-isystem" "/usr/include/x86_64-linux-gnu"
"-internal-externc-isystem" "/include" "-internal-externc-isystem"
"/usr/include" "-Wno-ignored-optimization-argument" "-Wno-everything"
"-fdeprecated-macro" "-ferror-limit" "19" "-fgnuc-version=4.2.1"
"-fskip-odr-check-in-gmf" "-fcxx-exceptions" "-fexceptions"
"-D__GCC_HAVE_DWARF2_CFI_ASM=1" "-o"
"/tmp/coderabbit-infer/d5c41da70b670744/file.o" "-x" "c++"
"src/lib/crypto/OSSLMLDSAPrivateKey.cpp" "-O0" "-fno-builtin" "-include"
"/opt/infer-linux-x86_64-v1.2.0/lib/infer/infer/bin/../lib/clang_wrappers/global_defines.h"
"-Wno-everything"

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

src/lib/crypto/OSSLMLDSAPublicKey.cpp (1)

114-127: ⚡ Quick win

Consider adding NULL check for name to match the private key implementation.

OSSLMLDSAPrivateKey::createOSSLKey() validates that name is non-NULL before proceeding (lines 185-189), but this function does not. If mldsaParameterSet2Name() returns NULL for an unknown parameter set, passing NULL to EVP_PKEY_CTX_new_from_name may produce unclear errors or undefined behavior.

♻️ Suggested fix

 	const char* name = OSSL::mldsaParameterSet2Name(getParameterSet());
+	if (name == NULL)
+	{
+		ERROR_MSG("Unknown ML-DSA parameter set (value length: %zu)", localValue.size());
+		return;
+	}

 	int selection = 0;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/crypto/OSSLMLDSAPublicKey.cpp` around lines 114 - 127, The code calls
mldsaParameterSet2Name(getParameterSet()) into the variable name and immediately
passes it to EVP_PKEY_CTX_new_from_name without verifying it is non-NULL; add
the same NULL-check used in OSSLMLDSAPrivateKey::createOSSLKey(): if name is
NULL, log/return an error (or clean up and return failure) before calling
EVP_PKEY_CTX_new_from_name, ensuring any allocated resources (e.g., params/ctx)
are handled consistently and avoid passing NULL into EVP_PKEY_CTX_new_from_name.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/lib/crypto/OSSLMLDSAPublicKey.cpp`:
- Around line 114-127: The code calls mldsaParameterSet2Name(getParameterSet())
into the variable name and immediately passes it to EVP_PKEY_CTX_new_from_name
without verifying it is non-NULL; add the same NULL-check used in
OSSLMLDSAPrivateKey::createOSSLKey(): if name is NULL, log/return an error (or
clean up and return failure) before calling EVP_PKEY_CTX_new_from_name, ensuring
any allocated resources (e.g., params/ctx) are handled consistently and avoid
passing NULL into EVP_PKEY_CTX_new_from_name.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9d167bef-7d86-4f10-afb6-9d0ff51313f8

📥 Commits

Reviewing files that changed from the base of the PR and between de25233 and 3b0224a.

📒 Files selected for processing (2)

• src/lib/crypto/OSSLMLDSAPrivateKey.cpp
• src/lib/crypto/OSSLMLDSAPublicKey.cpp