Motivation / Use Case
- FIPS 204 (ML‑DSA) specifies that Pure ML‑DSA signatures encode the input as 0x00 || len(ctx) || ctx || message, where ctx is an application‑defined context string with length ≤ 255 bytes. This is intended for domain separation (e.g., “FIRMWARE” vs “BOOTLOADER”). Without it, signatures may be reinterpreted in unintended domains.
- In OpenSSL 3.x, ML‑DSA’s EVP interface already exposes a context-string parameter (OSSL_SIGNATURE_PARAM_CONTEXT_STRING), defaulting to empty; applications can set a non‑empty context for signing and verifying.
- SignServer 7.1.x supports ML‑DSA (including ML‑DSA‑87) in Plain Signer, but there is no property or request parameter to set a context string—SignServer can only produce signatures with the empty context today.
Proposed Change
- New worker properties
  - CONTEXT_STRING (string; default empty; max 255 bytes).
  - ALLOW_CONTEXT_OVERRIDE (boolean; default false). If true, allow per‑request override.
- New request metadata (effective only if ALLOW_CONTEXT_OVERRIDE=true)
  - CONTEXT_STRING — per‑request context (≤255 bytes).
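
The message framing and the proposed property semantics described above, as an added Python sketch (not SignServer or OpenSSL code). The helper names and the UTF-8 encoding of the context are assumptions; a request-supplied context is ignored unless the override is enabled, as the proposal states.

```python
"""Added example: FIPS 204 pure ML-DSA message framing plus the proposed
CONTEXT_STRING / ALLOW_CONTEXT_OVERRIDE resolution. Helper names are hypothetical."""

MAX_CTX_LEN = 255  # limit from the issue text, counted in bytes, not characters


def encode_context(ctx: str) -> bytes:
    """Encode a context string and enforce the 255-byte limit.
    UTF-8 is an assumption; the issue does not fix an encoding."""
    raw = ctx.encode("utf-8")
    if len(raw) > MAX_CTX_LEN:
        raise ValueError(f"context is {len(raw)} bytes, limit is {MAX_CTX_LEN}")
    return raw


def frame_pure_mldsa(ctx: bytes, message: bytes) -> bytes:
    """Build 0x00 || len(ctx) || ctx || message, the byte string that is signed."""
    if len(ctx) > MAX_CTX_LEN:
        raise ValueError("context longer than 255 bytes")
    return b"\x00" + bytes([len(ctx)]) + ctx + message


def resolve_context(worker_props: dict, request_meta: dict) -> bytes:
    """Pick the effective context: the worker's CONTEXT_STRING, unless
    ALLOW_CONTEXT_OVERRIDE is true and the request carries its own."""
    allow = str(worker_props.get("ALLOW_CONTEXT_OVERRIDE", "false")).lower() == "true"
    if allow and "CONTEXT_STRING" in request_meta:
        return encode_context(request_meta["CONTEXT_STRING"])
    # Override disabled or absent: request metadata has no effect.
    return encode_context(worker_props.get("CONTEXT_STRING", ""))


if __name__ == "__main__":
    image = b"constructed sample payload"  # constructed input, not real firmware
    fw = frame_pure_mldsa(resolve_context({"CONTEXT_STRING": "FIRMWARE"}, {}), image)
    bl = frame_pure_mldsa(resolve_context({"CONTEXT_STRING": "BOOTLOADER"}, {}), image)
    empty = frame_pure_mldsa(resolve_context({}, {}), image)
    for label, framed in (("FIRMWARE", fw), ("BOOTLOADER", bl), ("(empty)", empty)):
        print(f"{label:10s} {framed[:14].hex()}...")
    # Same payload, different domain: the signed inputs differ, so a signature
    # made under one context does not verify under the other.
    print("distinct signed inputs:", len({fw, bl, empty}) == 3)
```

Because the limit is in bytes, a context containing multi-byte characters can exceed it with fewer than 255 characters, which is why the length check runs after encoding.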