Add verify-only LMS and XMSS support#206
Conversation
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #206
Scan targets checked: wolfpkcs11-bugs, wolfpkcs11-src
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
c878805 to
0c06695
Compare
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #206
Scan targets checked: wolfpkcs11-bugs, wolfpkcs11-src
Findings: 3
3 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
0c06695 to
f208ae8
Compare
|
The failing CMake Build Test will be resolved once wolfSSL/wolfssl#10929 lands. |
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #206
Scan targets checked: wolfpkcs11-bugs, wolfpkcs11-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
f208ae8 to
90e55a0
Compare
Add PKCS#11 verify-only support for the stateful hash-based signature schemes LMS/HSS (RFC 8554) and XMSS/XMSS^MT (RFC 8391), backed by wolfSSL and gated behind the --enable-lms and --enable-xmss build options. Interface: - Key types CKK_HSS, CKK_XMSS, CKK_XMSSMT and mechanisms CKM_HSS, CKM_XMSS, CKM_XMSSMT, using the OASIS PKCS#11 v3.3 standard constant values (not vendor-defined). - Public keys are imported as ordinary token or session objects from the raw RFC 8554 / RFC 8391 public key in CKA_VALUE. wolfSSL derives the parameter set from the key bytes; supplied CKA_HSS_* parameter attributes and the XMSS CKA_PARAMETER_SET OID are validated against the key, and a mismatch is rejected with CKR_ATTRIBUTE_VALUE_INVALID. - HSS parameter attributes (CKA_HSS_LEVELS, CKA_HSS_LMS_TYPE(S), CKA_HSS_LMOTS_TYPE(S)) and the XMSS CKA_PARAMETER_SET are exposed on read. CKA_HSS_KEYS_REMAINING is a private-key state property and is reported as unavailable in a verify-only build. - C_Verify checks the mechanism against the key type, and reports a wrong-length signature or an empty message (for XMSS) as an invalid signature rather than a function failure. Constraints (verify-only): - Key generation (CKM_*_KEY_PAIR_GEN) and private-key import are rejected. Copying any HBS key is prohibited so that future sign-capable builds can never duplicate one-time-signature state. Persistence: - Public keys are stored and reloaded from disk via the new store types WOLFPKCS11_STORE_HSSKEY_PUB (0x11) and WOLFPKCS11_STORE_XMSSKEY_PUB (0x13), with 0x10 and 0x12 reserved for future private keys. Tests: - Known-answer verification, parameter-set validation, token-object persistence across a library reload, and negative cases covering private-key import, wrong mechanism/key-type pairings, and malformed, wrong-length, and structurally invalid public keys.
90e55a0 to
c496034
Compare
|
the edit: is a separate issue: #206 (comment) |
Summary
Adds PKCS#11 verify-only support for the two NIST-approved stateful hash-based signature (SHBS) families:
Signature verification and raw public-key import are implemented on top of wolfSSL's
wc_LmsKey_*/wc_XmssKey_*APIs, using the standard OASIS PKCS#11 v3.3 mechanism, key-type, and attribute constants. Everything is gated behind the new--enable-lmsand--enable-xmssbuild options and is off by default.This is step 1 (verify only). Signing, key generation, and private-key import are deliberately out of scope and are rejected at runtime; the object model and store layout are laid out so a future sign-capable step can add private keys without an interface break.
What's included
Interface (standard PKCS#11 v3.3)
CKK_HSS(0x46),CKK_XMSS(0x47),CKK_XMSSMT(0x48)CKM_HSS(0x4033),CKM_XMSS(0x4036),CKM_XMSSMT(0x4037)CKA_HSS_LEVELS,CKA_HSS_LMS_TYPE(S),CKA_HSS_LMOTS_TYPE(S),CKA_HSS_KEYS_REMAINING,CKA_PARAMETER_SET(XMSS)All values match the OASIS PKCS#11 v3.3 working headers exactly (not vendor-defined).
Behaviour
CKA_VALUE. wolfSSL derives the parameter set from the key bytes.CKA_HSS_*parameter attributes and the XMSSCKA_PARAMETER_SETOID are validated against the imported key; a mismatch, a malformed key, or a wrong-length key is rejected withCKR_ATTRIBUTE_VALUE_INVALID.CKA_PARAMETER_SETare exposed on read.CKA_HSS_KEYS_REMAININGis a private-key state property and is reported as unavailable in a verify-only build.C_Verify— validates the mechanism against the key type (CKR_KEY_TYPE_INCONSISTENTon a mismatch) and reports a wrong-length signature (both schemes) or an empty message (XMSS only, a wolfSSL backend limitation) as an invalid signature rather than a function failure.WOLFPKCS11_STORE_HSSKEY_PUB(0x11) andWOLFPKCS11_STORE_XMSSKEY_PUB(0x13), with0x10/0x12reserved for future private keys.Verify-only constraints
CKM_*_KEY_PAIR_GEN) and private-key import are rejected.Build
Testing
New coverage in
tests/pkcs11v3test.cand a dedicatedtests/hbs_persistence_test.c:CKA_HSS_*/CKA_PARAMETER_SET).CKA_HSS_KEYS_REMAINING.All tests pass; the key-lifecycle paths (import, atomic re-import, free) were additionally checked clean under AddressSanitizer, including a
--disable-rsa --enable-lmsbuild.Notes and limitations
CKA_HSS_LMS_TYPES/CKA_HSS_LMOTS_TYPES) report the single top-level type for every level. Heterogeneous HSS keys are not expressible today.CKA_PARAMETER_SET.CKL_LMS_*/CKL_LMOTS_*convenience macros are wolfPKCS11-local (the spec header defines none); their values are the RFC 8554 registry codes.