Skip to content

Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id#9965

Open
kojo1 wants to merge 4 commits intowolfSSL:masterfrom
kojo1:mldsa
Open

Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id#9965
kojo1 wants to merge 4 commits intowolfSSL:masterfrom
kojo1:mldsa

Conversation

@kojo1
Copy link
Copy Markdown
Contributor

@kojo1 kojo1 commented Mar 13, 2026
edited
Loading

Description

Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id

Fixes zd#21306

  • wolfcrypt/src/evp_pk.c — Fix d2iTryAltDhKey() to return WOLFSSL_FATAL_ERROR on wc_DhKeyDecode() failure so the key-type probe chain in d2i_evp_pkey_try() continues to d2iTryDilithiumKey().
  • wolfcrypt/src/evp.c — Add WC_EVP_PKEY_DILITHIUM case to wolfSSL_EVP_PKEY_type().
    Note: wolfSSL_EVP_PKEY_base_id() calls wolfSSL_EVP_PKEY_type(pkey->type) internally, so this is the correct fix point that makes wolfSSL_EVP_PKEY_base_id() return WC_EVP_PKEY_DILITHIUM for ML-DSA keys.
  • src/x509.c — Add ML-DSA OID mapping (ML_DSA_LEVEL2k / ML_DSA_LEVEL3k / ML_DSA_LEVEL5k) in wolfSSL_X509_get_pubkey() so the key type is set to WC_EVP_PKEY_DILITHIUM instead of falling through to WC_EVP_PKEY_EC.
  • certs/mldsa/ — Add ML-DSA-44/65/87 self-signed test certificates (PEM + DER).
  • certs/renewcerts.sh — Add ML-DSA certificate regeneration logic.
  • tests/api/test_mldsa.c — Add test_mldsa_x509_pubkey_sigtype() covering all three levels.

Testing

Added test_mldsa_x509_pubkey_sigtype, ML-DSA certs for the test
modify certs/renewcerts.sh to update the certs.

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@kojo1 kojo1 requested a review from wolfSSL-Bot March 13, 2026 05:01
@cconlon cconlon requested a review from Copilot March 17, 2026 23:18
Copilot AI reviewed Mar 17, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds ML-DSA (Dilithium) handling to the X.509 public key extraction path and verifies it via new API tests using generated ML-DSA certificates.

Changes:

  • Recognize ML-DSA public key OIDs in wolfSSL_X509_get_pubkey() and map them to WC_EVP_PKEY_DILITHIUM.
  • Extend wolfSSL_EVP_PKEY_type() to return the Dilithium key type when enabled.
  • Add a new X.509 test plus certificate/key artifacts and renew script support for generating ML-DSA certs.

Reviewed changes

Copilot reviewed 14 out of 17 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
wolfcrypt/src/evp_pk.c Adjustes error handling/return codes for alternate DH key decoding.
wolfcrypt/src/evp.c Adds Dilithium case to wolfSSL_EVP_PKEY_type().
src/x509.c Detects ML-DSA public key OIDs and sets EVP_PKEY type accordingly.
tests/api/test_mldsa.h Declares the new ML-DSA X.509 pubkey/sigtype test.
tests/api/test_mldsa.c Implements the new X.509 pubkey + signature type test over ML-DSA certs.
tests/api.c Registers the new test in the test runner.
certs/renewcerts.sh Adds generation of ML-DSA PEM/DER certs using an OpenSSL with ML-DSA support.
certs/mldsa/include.am Distributes the newly added ML-DSA PEM/DER artifacts.
certs/mldsa/mldsa87-key.pem Adds ML-DSA-87 private key test artifact.
certs/mldsa/mldsa87-cert.pem Adds ML-DSA-87 certificate test artifact.
certs/mldsa/mldsa65-key.pem Adds ML-DSA-65 private key test artifact.
certs/mldsa/mldsa65-cert.pem Adds ML-DSA-65 certificate test artifact.
certs/mldsa/mldsa44-key.pem Adds ML-DSA-44 private key test artifact.
certs/mldsa/mldsa44-cert.pem Adds ML-DSA-44 certificate test artifact.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread wolfcrypt/src/evp_pk.c Outdated
Comment thread wolfcrypt/src/evp_pk.c
Comment thread wolfcrypt/src/evp.c
Comment thread certs/renewcerts.sh
Comment thread tests/api/test_mldsa.c Outdated
@cconlon cconlon assigned kojo1 and unassigned wolfSSL-Bot Mar 17, 2026
@dgarske
Copy link
Copy Markdown
Member

dgarske commented Mar 21, 2026

@kojo1 please review the copilot feedback

@kojo1 kojo1 requested a review from dgarske April 8, 2026 04:18
@dgarske dgarske assigned wolfSSL-Bot and unassigned kojo1 Apr 16, 2026
@dgarske dgarske requested a review from SparkiDev April 16, 2026 22:54
SparkiDev
SparkiDev requested changes Apr 17, 2026
View reviewed changes
Comment thread tests/api.c
TEST_MLKEM_DECLS,
/* Dilithium */
TEST_MLDSA_DECLS,
TEST_DECL(test_mldsa_x509_pubkey_sigtype),
Copy link
Copy Markdown
Contributor

@SparkiDev SparkiDev Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add this to TEST_MLDSA_DECLS in test_mldsa.h.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@SparkiDev SparkiDev SparkiDev requested changes

@dgarske dgarske dgarske approved these changes

@wolfSSL-Bot wolfSSL-Bot Awaiting requested review from wolfSSL-Bot

Requested changes must be addressed to merge this pull request.

Assignees

@kojo1 kojo1

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kojo1 @dgarske @SparkiDev @wolfSSL-Bot