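--- a/src/libraries/Common/src/Internal/Cryptography/PkcsHelpers.cs
+++ b/src/libraries/Common/src/Internal/Cryptography/PkcsHelpers.cs
@@ -353,9 +353,12 @@ public static Pkcs9AttributeObject CreateBestPkcs9AttributeObjectAvailable(Oid o
 };
 }
 
+public static AttributeAsn[] NormalizeAttributeSet(AttributeAsn[] setItems) =>
+NormalizeAttributeSet(setItems, out _);
+
 public static AttributeAsn[] NormalizeAttributeSet(
 AttributeAsn[] setItems,
-Action<byte[]>? encodedValueProcessor = null)
+out byte[] encodedValue)
 {
 byte[] normalizedValue;
 
@@ -370,7 +373,7 @@ public static AttributeAsn[] NormalizeAttributeSet(
 writer.PopSetOf();
 normalizedValue = writer.Encode();
 
-encodedValueProcessor?.Invoke(normalizedValue);
+encodedValue = normalizedValue;
 
 try
 {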
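Review bot: The new `out byte[] encodedValue` parameter is undocumented, and the second hunk assigns it the same array instance that the method keeps in `normalizedValue` (`encodedValue = normalizedValue;`). If the returned `AttributeAsn` items are decoded as slices over that buffer (the decode sits inside the `try`, outside the visible hunk, so this is an assumption), a caller that writes into `encodedValue` would also change the returned attributes. I would add an XML comment on the overload, for example `/// <param name="encodedValue">Receives the encoded, normalized SET OF; the array may be shared with the returned items and must be treated as read-only.</param>`. The method body starts in the first hunk and continues past the end of the second.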
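--- a/src/libraries/Common/src/System/Security/Cryptography/Helpers.cs
+++ b/src/libraries/Common/src/System/Security/Cryptography/Helpers.cs
@@ -142,6 +142,18 @@ Oids.EcPublicKey or
 };
 }
 
+internal static IncrementalHash CreateIncrementalHash(HashAlgorithmName hashAlgorithmName)
+{
+try
+{
+return IncrementalHash.CreateHash(hashAlgorithmName);
+}
+catch (PlatformNotSupportedException ex)
+{
+throw new CryptographicException(SR.Format(SR.Cryptography_UnknownHashAlgorithm, hashAlgorithmName), ex);
+}
+}
+
 internal static CryptographicException CreateAlgorithmUnknownException(AsnWriter encodedId)
 {
 #if NET10_0_OR_GREATER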
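Review bot: `CreateIncrementalHash` translates only `PlatformNotSupportedException`, and it reports that case through `SR.Cryptography_UnknownHashAlgorithm`, whose name suggests "unknown" for an algorithm that is recognised but unavailable on the platform. `IncrementalHash.CreateHash` also throws `ArgumentException` when the algorithm name is null or empty, and that path leaves the helper untranslated. If callers use this helper so that they only have to catch `CryptographicException` while processing digest identifiers taken from untrusted input, that case needs a guard or at least a note. I would add a summary comment stating the contract, for example `// Maps "not supported on this platform" to CryptographicException so callers see a single exception type.`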
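--- a/src/libraries/Common/src/System/Security/Cryptography/Oids.cs
+++ b/src/libraries/Common/src/System/Security/Cryptography/Oids.cs
@@ -66,6 +66,7 @@ internal static partial class Oids
 internal const string Pkcs7Hashed = "1.2.840.113549.1.7.5";
 internal const string Pkcs7Encrypted = "1.2.840.113549.1.7.6";
 
+// Hash algorithms
 internal const string Md5 = "1.2.840.113549.2.5";
 internal const string Sha1 = "1.3.14.3.2.26";
 internal const string Sha256 = "2.16.840.1.101.3.4.2.1";
@@ -74,6 +75,8 @@ internal static partial class Oids
 internal const string Sha3_256 = "2.16.840.1.101.3.4.2.8";
 internal const string Sha3_384 = "2.16.840.1.101.3.4.2.9";
 internal const string Sha3_512 = "2.16.840.1.101.3.4.2.10";
+internal const string Shake128 = "2.16.840.1.101.3.4.2.11";
+internal const string Shake256 = "2.16.840.1.101.3.4.2.12";
 
 // DSA CMS uses the combined signature+digest OID
 internal const string DsaWithSha1 = "1.2.840.10040.4.3";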
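Review bot: `Shake128` and `Shake256` are filed under the new `// Hash algorithms` comment, but both are extendable-output functions, so the OID alone does not tell a reader which digest length the consuming code expects. A short comment on the two constants would help, for example `// SHAKE XOFs: the output length is fixed by the consuming protocol, not by the OID`. Any code that maps these OIDs to a digest should pin the length explicitly; that code is not part of this section.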
Expand Up @@ -553,19 +553,46 @@ public static partial class SlhDsaTestData
//
// Get base64 encrypted private key info:
// > openssl pkcs8 -topk8 -outform DER -v2 "aes-192-cbc" -v2prf hmacWithSHA384 -iter 10 -in private.pem | base64 -w 64
public record SlhDsaGeneratedKeyInfo(
int Id,
SlhDsaAlgorithm Algorithm,
string SecretKeyHex,
string Pkcs8PrivateKeyBase64,
string Pkcs8PublicKeyBase64,
string Pkcs8EncryptedPrivateKeyBase64,
string CertificateBase64,
string SelfSignedCertificatePfxBase64,
string ThumbprintHex,
string EncryptionPassword,
PbeParameters EncryptionParameters)
public class SlhDsaGeneratedKeyInfo
{
public SlhDsaGeneratedKeyInfo(
int Id,
SlhDsaAlgorithm Algorithm,
string SecretKeyHex,
string Pkcs8PrivateKeyBase64,
string Pkcs8PublicKeyBase64,
string Pkcs8EncryptedPrivateKeyBase64,
string CertificateBase64,
string SelfSignedCertificatePfxBase64,
string ThumbprintHex,
string EncryptionPassword,
PbeParameters EncryptionParameters)
{
this.Id = Id;
this.Algorithm = Algorithm;
this.SecretKeyHex = SecretKeyHex;
this.Pkcs8PrivateKeyBase64 = Pkcs8PrivateKeyBase64;
this.Pkcs8PublicKeyBase64 = Pkcs8PublicKeyBase64;
this.Pkcs8EncryptedPrivateKeyBase64 = Pkcs8EncryptedPrivateKeyBase64;
this.CertificateBase64 = CertificateBase64;
this.SelfSignedCertificatePfxBase64 = SelfSignedCertificatePfxBase64;
this.ThumbprintHex = ThumbprintHex;
this.EncryptionPassword = EncryptionPassword;
this.EncryptionParameters = EncryptionParameters;
}

public int Id { get; }
public SlhDsaAlgorithm Algorithm { get; }
public string SecretKeyHex { get; }
public string Pkcs8PrivateKeyBase64 { get; }
public string Pkcs8PublicKeyBase64 { get; }
public string Pkcs8EncryptedPrivateKeyBase64 { get; }
public string CertificateBase64 { get; }
public string SelfSignedCertificatePfxBase64 { get; }
public string ThumbprintHex { get; }
public string EncryptionPassword { get; }
public PbeParameters EncryptionParameters { get; }

public byte[] SecretKey => SecretKeyHex.HexToByteArray();
public byte[] PublicKey => SecretKey.AsSpan(Algorithm.SecretKeySizeInBytes/2).ToArray();
public byte[] Pkcs8PrivateKey => Convert.FromBase64String(Pkcs8PrivateKeyBase64);
Expand All @@ -574,9 +601,9 @@ public record SlhDsaGeneratedKeyInfo(
public byte[] EncryptionPasswordBytes => Encoding.UTF8.GetBytes(EncryptionPassword); // Assuming UTF-8 encoding
public byte[] Certificate => Convert.FromBase64String(CertificateBase64);
public byte[] SelfSignedCertificatePfx => Convert.FromBase64String(SelfSignedCertificatePfxBase64);
public string EncryptedPem => PemEncoding.WriteString("ENCRYPTED PRIVATE KEY", Pkcs8EncryptedPrivateKey);
public string PrivateKeyPem => PemEncoding.WriteString("PRIVATE KEY", Pkcs8PrivateKey);
public string PublicKeyPem => PemEncoding.WriteString("PUBLIC KEY", Pkcs8PublicKey);
public string EncryptedPem => ByteUtils.PemEncode("ENCRYPTED PRIVATE KEY", Pkcs8EncryptedPrivateKey);
public string PrivateKeyPem => ByteUtils.PemEncode("PRIVATE KEY", Pkcs8PrivateKey);
public string PublicKeyPem => ByteUtils.PemEncode("PUBLIC KEY", Pkcs8PublicKey);
public byte[] Thumbprint => ThumbprintHex.HexToByteArray();

public override string ToString() =>
Expand All @@ -588,16 +615,35 @@ from info in GeneratedKeyInfosRaw
select new object[] { info };

public static partial SlhDsaGeneratedKeyInfo[] GeneratedKeyInfosRaw { get; }

public record SlhDsaKeyGenTestVector(
int TestCaseId,
SlhDsaAlgorithm Algorithm,
string SecretKeySeedHex,
string SecretKeyPrfHex,
string PublicKeySeedHex,
string SecretKeyHex,
string PublicKeyHex)

public class SlhDsaKeyGenTestVector
{
public SlhDsaKeyGenTestVector(
int TestCaseId,
SlhDsaAlgorithm Algorithm,
string SecretKeySeedHex,
string SecretKeyPrfHex,
string PublicKeySeedHex,
string SecretKeyHex,
string PublicKeyHex)
{
this.TestCaseId = TestCaseId;
this.Algorithm = Algorithm;
this.SecretKeySeedHex = SecretKeySeedHex;
this.SecretKeyPrfHex = SecretKeyPrfHex;
this.PublicKeySeedHex = PublicKeySeedHex;
this.SecretKeyHex = SecretKeyHex;
this.PublicKeyHex = PublicKeyHex;
}

public int TestCaseId { get; }
public SlhDsaAlgorithm Algorithm { get; }
public string SecretKeySeedHex { get; }
public string SecretKeyPrfHex { get; }
public string PublicKeySeedHex { get; }
public string SecretKeyHex { get; }
public string PublicKeyHex { get; }

public byte[] SecretKeySeed => SecretKeySeedHex.HexToByteArray();
public byte[] SecretKeyPrf => SecretKeyPrfHex.HexToByteArray();
public byte[] PublicKeySeed => PublicKeySeedHex.HexToByteArray();
Expand Down Expand Up @@ -722,16 +768,37 @@ public record SlhDsaKeyGenTestVector(
),
];

public record SlhDsaSigVerTestVector(
int TestCaseId,
bool TestPassed,
SlhDsaAlgorithm Algorithm,
string SecretKeyHex,
string PublicKeyHex,
string MessageHex,
string ContextHex,
string SignatureHex)
public class SlhDsaSigVerTestVector
{
public SlhDsaSigVerTestVector(
int TestCaseId,
bool TestPassed,
SlhDsaAlgorithm Algorithm,
string SecretKeyHex,
string PublicKeyHex,
string MessageHex,
string ContextHex,
string SignatureHex)
{
this.TestCaseId = TestCaseId;
this.TestPassed = TestPassed;
this.Algorithm = Algorithm;
this.SecretKeyHex = SecretKeyHex;
this.PublicKeyHex = PublicKeyHex;
this.MessageHex = MessageHex;
this.ContextHex = ContextHex;
this.SignatureHex = SignatureHex;
}

public int TestCaseId { get; }
public bool TestPassed { get; }
public SlhDsaAlgorithm Algorithm { get; }
public string SecretKeyHex { get; }
public string PublicKeyHex { get; }
public string MessageHex { get; }
public string ContextHex { get; }
public string SignatureHex { get; }

public byte[] SecretKey => SecretKeyHex.HexToByteArray();
public byte[] PublicKey => PublicKeyHex.HexToByteArray();
public byte[] Message => MessageHex.HexToByteArray();
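Review bot: Replacing the positional records with hand-written classes drops the compiler-generated value equality, `ToString` and `Deconstruct`, and nothing in the hunks says why the change was made. `SlhDsaGeneratedKeyInfo` keeps an explicit `ToString` override in the context lines, but none is visible for `SlhDsaKeyGenTestVector` or `SlhDsaSigVerTestVector`, so test output for those may show only the type name (their bodies continue outside the hunks). I would add a one-line comment above each class, for example `// Class rather than record so this file builds where records are unavailable; constructor parameters stay PascalCase for existing named-argument call sites.`, adjusted to the actual reason, which is presumably the same one behind the `PemEncoding.WriteString` to `ByteUtils.PemEncode` swap.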