Add post-quantum and EdDSA CRL signing#10943
Open
Frauschi wants to merge 1 commit into
Open
Conversation
|
CRL signature verification already supported post-quantum algorithms through the shared ConfirmSignature() engine, but CRL generation did not: wc_SignCRL_ex accepted only RSA and ECC keys and sized its signature buffer for a classic signature. Add wc_SignCRL_ex2, which takes an untyped key plus a keyType selector, the same scheme wc_MakeCert_ex and wc_SignCert_ex use. It resolves the key and reuses the existing CheckSigTypeForKey, GetSignatureBufferSz and MakeSignature helpers, so the signature buffer is sized from the key and post-quantum signatures get enough room. wc_SignCRL_ex keeps its original RSA/ECC signature and becomes a thin wrapper, preserving the public API. This enables CRL signing with ML-DSA, SLH-DSA, Ed25519, Ed448 and Falcon. Stateful hash-based schemes (LMS/XMSS) are rejected with ALGO_ID_E, since a CRL is reissued periodically and would exhaust the key's one-time signature state. Under WOLFSSL_NO_MALLOC the signature must still fit the fixed CertSignCtx.sig buffer, consistent with the certificate signing path. Tests cover CRL sign and verify through the certificate manager for ML-DSA (44/65/87), SLH-DSA (SHAKE and SHA2 128s), Ed25519 and Ed448, plus negative cases for a tampered signature, a sigType and key-family mismatch, and rejection of LMS/XMSS.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
CRL signature verification already supported post-quantum algorithms: the CRL path reuses the shared
ConfirmSignature()engine, which dispatches to ML-DSA / SLH-DSA / Falcon. CRL generation did not —wc_SignCRL_exaccepted only RSA and ECC keys and sized its signature buffer for a classic signature.This PR adds
wc_SignCRL_ex2, a new wolfcrypt API that signs a CRL with any supported key type, and sizes the signature buffer from the key so post-quantum signatures fit.The new API
keyplus akeyTypeselector, the same schemewc_MakeCert_exandwc_SignCert_exuse, instead of one argument per key family.CheckSigTypeForKey,GetSignatureBufferSz, andMakeSignaturehelpers, so the signature buffer is sized from the key rather than assumed classic.wc_SignCRL_exis unchanged (its original RSA/ECC signature) and becomes a thin wrapper overwc_SignCRL_ex2, so the existing public API and ABI are preserved.Supported algorithms
wc_SignCRL_ex)ALGO_ID_ELMS/XMSS are intentionally rejected. They are stateful hash-based schemes; a CRL is reissued periodically and would exhaust the key's one-time signature state, with catastrophic reuse risk if that state is mismanaged.
Buffer sizing
The signature buffer is sized from the key via
GetSignatureBufferSz, so large post-quantum signatures (a few KB for ML-DSA up to tens of KB for SLH-DSA) get enough room. UnderWOLFSSL_NO_MALLOCthe signature must still fit the fixedCertSignCtx.sigbuffer (tunable viaWOLFSSL_MAX_SIG_SZ), consistent with the certificate signing path.Scope and carve-outs
wolfSSL_X509_CRL_sign(theEVP_PKEYwrapper) has no PQC private-key support, so PQC CRL signing is exposed at the wolfcrypt level throughwc_SignCRL_ex2. Wiring the EVP layer for PQC is a separate, larger change and is out of scope here.wc_SignCRL_ex2does not special-caseWC_PENDING_E, mirroring the pre-existingwc_SignCRL_exbehavior. CRL signing is not async-safe; adding it would use the same guardwc_SignCert_exalready has.Test coverage
New
tests/api.ccases build a CRL, sign it withwc_SignCRL_ex2, and verify it through the certificate manager against the issuing CA:ASN_CRL_CONFIRM_EsigType/ key-family mismatch rejected withALGO_ID_EALGO_ID_EThe classic RSA/ECC path keeps its existing coverage through
wc_SignCRL_ex.