82 changes: 23 additions & 59 deletions Cargo.lock


8 changes: 4 additions & 4 deletions xmss/Cargo.toml
Expand Up @@ -20,17 +20,17 @@ serde = ["dep:serdect"]
pkcs8 = ["dep:pkcs8", "dep:spki", "dep:der", "dep:const-oid"]

[dependencies]
const-oid = { version = "0.9", optional = true }
der = { version = "0.7", optional = true, default-features = false, features = ["alloc"] }
const-oid = { version = "0.10", optional = true }
der = { version = "0.8", optional = true, default-features = false, features = ["alloc"] }
digest = "0.11"
hybrid-array = { version = "0.4", features = ["zeroize"] }
pkcs8 = { version = "0.10", optional = true, default-features = false, features = ["alloc"] }
pkcs8 = { version = "0.11.0-rc.11", optional = true, default-features = false, features = ["alloc"] }
rand = "0.10"
sha2 = "0.11"
sha3 = "0.11"
serdect = { version = "0.4", features = ["alloc"], optional = true }
signature = "2"
spki = { version = "0.7", optional = true, default-features = false, features = ["alloc"] }
spki = { version = "0.8", optional = true, default-features = false, features = ["alloc"] }
subtle = "2.6"
thiserror = "2"
zeroize = "1"
11 changes: 11 additions & 0 deletions xmss/src/error.rs
Expand Up @@ -48,7 +48,18 @@ pub enum Error {
/// Actual signature length in bytes.
got: usize,
},
/// PKCS#8 errors.
#[cfg(feature = "pkcs8")]
#[error("PKCS#8 error: {0}")]
Pkcs8(pkcs8::Error),
}

/// Result type used by this crate.
pub type XmssResult<T> = Result<T, Error>;

#[cfg(feature = "pkcs8")]
impl From<pkcs8::Error> for Error {
fn from(err: pkcs8::Error) -> Self {
Self::Pkcs8(err)
}
}
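Review bot: The hand-written `From<pkcs8::Error>` impl at the end of this section duplicates what thiserror can derive, and because the `Pkcs8` field carries neither `#[source]` nor `#[from]`, the wrapped error is not reachable through `Error::source()`. If `pkcs8::Error` implements `core::error::Error` with the features enabled in this crate (not visible here), `Pkcs8(#[from] pkcs8::Error)` would replace the impl and expose the cause to callers that walk the chain. The enum's attributes are outside the hunk; if it is public and not `#[non_exhaustive]`, the new variant also breaks downstream exhaustive matches and deserves a changelog entry.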
28 changes: 16 additions & 12 deletions xmss/src/pkcs8.rs
@@ -1,11 +1,11 @@
//! PKCS#8 encoding/decoding support for XMSS keys and signatures.

use const_oid::ObjectIdentifier;
use der::asn1::BitStringRef;
use pkcs8::{AlgorithmIdentifierRef, EncodePrivateKey, PrivateKeyInfo};
use der::asn1::{BitStringRef, OctetStringRef};
use pkcs8::{AlgorithmIdentifierRef, EncodePrivateKey, PrivateKeyInfo, PrivateKeyInfoRef};
use spki::{EncodePublicKey, SubjectPublicKeyInfoRef};

use crate::error::Error;
use crate::error::{Error, XmssResult};
use crate::params::XmssParameter;
use crate::xmss::{KeyPair, SigningKey, VerifyingKey};

Expand Down Expand Up @@ -67,8 +67,8 @@ impl<P: XmssParameter> EncodePrivateKey for KeyPair<P> {
oid: algorithm_oid::<P>(),
parameters: None,
};
let sk_bytes = self.signing_key_ref().as_ref();
let pk_bytes = self.verifying_key().as_ref();
let sk_bytes = OctetStringRef::new(self.signing_key_ref().as_ref())?;
let pk_bytes = BitStringRef::new(0, self.verifying_key().as_ref())?;
let pki = PrivateKeyInfo {
algorithm: algo,
private_key: sk_bytes,
Expand All @@ -80,19 +80,23 @@ impl<P: XmssParameter> EncodePrivateKey for KeyPair<P> {

impl<P: XmssParameter> KeyPair<P> {
/// Decodes a key pair from PKCS#8 DER bytes.
pub fn from_pkcs8_der(der_bytes: &[u8]) -> crate::error::XmssResult<Self> {
let pk_info = PrivateKeyInfo::try_from(der_bytes).map_err(|_| Error::InvalidKeyLength {
expected: 0,
got: der_bytes.len(),
})?;
pub fn from_pkcs8_der(der_bytes: &[u8]) -> XmssResult<Self> {
let pk_info =
PrivateKeyInfoRef::try_from(der_bytes).map_err(|_| Error::InvalidKeyLength {
expected: 0,
got: der_bytes.len(),
})?;

let expected_oid = algorithm_oid::<P>();
if pk_info.algorithm.oid != expected_oid {
return Err(Error::InvalidOid(0));
}

let signing_key = SigningKey::<P>::try_from(pk_info.private_key)?;
let verifying_key = if let Some(pk_bytes) = pk_info.public_key {
let signing_key = SigningKey::<P>::try_from(pk_info.private_key.as_ref())?;
let verifying_key = if let Some(pk) = pk_info.public_key {
let pk_bytes = pk.as_bytes().ok_or(pkcs8::Error::KeyMalformed)?;

// TODO(tarcieri): verify key matches expected value?
VerifyingKey::<P>::try_from(pk_bytes)?
} else {
VerifyingKey::from(&signing_key)
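Review bot: In `from_pkcs8_der`, a public key embedded in the document is still accepted without being compared to the one implied by the signing key; the new TODO records the gap but does not close it. A corrupted or altered public-key field therefore yields a `KeyPair` whose verifying key does not correspond to its signing key. The `else` branch already derives the key, so the `Some` branch could reject a mismatch, for example `if pk_bytes != VerifyingKey::<P>::from(&signing_key).as_ref() { return Err(pkcs8::Error::KeyMalformed.into()); }`, assuming `VerifyingKey` exposes its bytes through `as_ref()` as the encode side suggests. Separately, the parse failure at the top of the function still maps to `Error::InvalidKeyLength { expected: 0, .. }` and drops the cause even though this commit adds `Error::Pkcs8`; if `PrivateKeyInfoRef::try_from` returns `pkcs8::Error`, a plain `?` would preserve it. The function body continues past the end of the hunk.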