Add support for ML-DSA PQC keys

[stefanberger]

This series adds support for ML-DSA PQC key support to the library and evmctl and adds test cases for signing and verifying to the sign_verfiy.test. It requires availability of OpenSSL 3.5.

[coiby]

Hi @stefanberger ,

If I understand the PR correctly, it's actually implementing Pre-Hash ML-DSA. Unfortunately, Currently CNSA 2.0 doesn't allow Pre-Hash ML-DSA,

Q: Is HashML-DSA, aka the pre-hash mode of ML-DSA, allowed in CNSA 2.0?

A: Not at the present time. HashML-DSA is a variant on ML-DSA in FIPS 204, which
describes a method of compressing a message before signing while intentionally
breaking interoperability with ML-DSA to prevent a vulnerability in the case of key re-
use. Because HashML-DSA does not offer any functionality not already offered by the
CNSA hash functions combined in a standard way with ML-DSA-87, and because
standard ML-DSA-87 is expected to be widely supported, NSA anticipates there will be
no need for HashML-DSA in NSS. Hence, at this time, HashML-DSA is not allowed. If at
a later date protocol usage demands it, NSA will provide specific guidance on its limited
usage at that time.

[stefanberger]

Hi @stefanberger ,

If I understand the PR correctly, it's actually implementing Pre-Hash ML-DSA. Unfortunately, Currently CNSA 2.0 doesn't allow Pre-Hash ML-DSA,

Yes, I am actually aware of exactly this and was wondering whether CNSA 2.0 was either incomplete/incorrect, this had to do something with timing of publication versus timing of HashML-DSA addition to standard, or this means that HashML-DSA is optional and ML-DSA can be used also for hashes. So basically this CNSA 2.0 means "forget about HashML-DSA"?? But then CNSA 2.0 is from NSA and HashML-DSA is from NIST. Left hand / right hand problem?

Q: Is HashML-DSA, aka the pre-hash mode of ML-DSA, allowed in CNSA 2.0?
A: Not at the present time. HashML-DSA is a variant on ML-DSA in FIPS 204, which
describes a method of compressing a message before signing while intentionally
breaking interoperability with ML-DSA to prevent a vulnerability in the case of key re-
use. Because HashML-DSA does not offer any functionality not already offered by the
CNSA hash functions combined in a standard way with ML-DSA-87, and because
standard ML-DSA-87 is expected to be widely supported, NSA anticipates there will be
no need for HashML-DSA in NSS. Hence, at this time, HashML-DSA is not allowed. If at
a later date protocol usage demands it, NSA will provide specific guidance on its limited
usage at that time.

[stefanberger]

"A: Not at the present time..."

... Also CNSA 2.1 could come out requiring "HashML-DSA" for products created in 202X and later -- if you can maintain backwards compatibility somehow.

[stefanberger]

Latest code push now uses pure-mode ML-DSA.

[mimizohar]

Patch: "Support signing with ML-DSA keys when OpenSSL >=3.5 is available"

• Attempts to assign -1 to siglen, instead of slen.

[mimizohar]

Patch: examples: Implement script to create ML-DSA-65 CA and signing keys

AI comment:

min=$(openssl version | awk '{print $2}' | cut -d. -f2)
if [ "${maj}" -lt 3 ] || [ "${min}" -lt 5 ]; then

This numeric comparison works correctly for OpenSSL 3.5.x but will fail for OpenSSL 3.10 or later — [ "10" -lt 5 ] evaluates to false correctly as a numeric comparison in POSIX sh, so this is actually safe. However the maj check has a latent issue: if maj is 4 or later, the [ "${maj}" -lt 3 ] check passes (correctly) but the [ "${min}" -lt 5 ] check may incorrectly reject a future OpenSSL 4.x release where the minor version happens to be less than 5. The two conditions should be combined more carefully:

if [ "${maj}" -lt 3 ] || { [ "${maj}" -eq 3 ] && [ "${min}" -lt 5 ]; }; then

As written, OpenSSL 4.0 would pass the major check but then fail on [ "0" -lt 5 ] — incorrectly rejecting a valid future version.

[mimizohar]

AI reported:

-sha256 Passed to openssl req for ML-DSA Key Generation:

shlog openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 \
    -newkey "$mldsa" \

As noted in patch 04's review, -sha256 is not meaningful for ML-DSA keys and should be removed. 

[stefanberger]

Both fixed.

[stefanberger]

Is this where the comment "Attempts to assign -1 to siglen, instead of slen." belongs?

[stefanberger]

Printing an error here now but siglen = -1 is okay IMO.

[mimizohar]

size_t is unsigned, while ssize_t is signed. siglen is defined as size_t, so it can't be -1.

[stefanberger]

Presumably also here?

[stefanberger]

Printing an error here now but siglen = -1 is okay IMO.

[mimizohar]

Same issue as above: size_t is unsigned, while ssize_t is signed. siglen is defined as size_t, so it can't be -1.

[mimizohar]

Typo: uppress -> suppress in "Add IGNORE_EMBEDDED_FUNCTION name to checkpatch ignore list to uppress the"

[mimizohar]

From AI: Missing '[' before "${min}"
error: if [ "${maj}" -lt 3 ] || ( [ "${maj}" -eq 3 ] && "${min}" -lt 5 ] ); then
corrected: if [ "${maj}" -lt 3 ] || ( [ "${maj}" -eq 3 ] && [ "${min}" -lt 5 ] ); then