Moved MLDSA key util methods to dedicated class

Applied some CodeRabbitAI suggestions
Removed copyright banners

Author: Antoine Lochet

.github/workflows/ci.yml

@@ -84,7 +84,8 @@ jobs:
         env:
           OPENSSL_VERSION: 3.5.2
           OPENSSL_INSTALL_DIR: /usr/local/openssl-3.5
-          LDFLAGS: "-Wl,-R/usr/local/openssl-3.5/lib64 -L/usr/local/openssl-3.5/lib64"
+          LDFLAGS: "-Wl,-rpath,/usr/local/openssl-3.5/lib64 -L/usr/local/openssl-3.5/lib64"
+          PKG_CONFIG_PATH: "/usr/local/openssl-3.5/lib64/pkgconfig"
         run: |
           sudo apt-get update -qq
           sudo apt-get install -y libcppunit-dev p11-kit build-essential checkinstall zlib1g-dev sudo autoconf libtool git
@@ -102,7 +103,8 @@ jobs:
           # Once all OpenSSL deprecations fixed, uncomment this
           #   CXXFLAGS: -Werror
           OPENSSL_INSTALL_DIR: /usr/local/openssl-3.5
-          LDFLAGS: "-Wl,-R/usr/local/openssl-3.5/lib64 -L/usr/local/openssl-3.5/lib64"
+          LDFLAGS: "-Wl,-rpath,/usr/local/openssl-3.5/lib64 -L/usr/local/openssl-3.5/lib64"
+          PKG_CONFIG_PATH: "/usr/local/openssl-3.5/lib64/pkgconfig"
         run: |
           ./autogen.sh
           ./configure --with-crypto-backend=openssl --with-openssl=${{ env.OPENSSL_INSTALL_DIR }}

CMakeLists.txt

@@ -8,7 +8,7 @@ option(DISABLE_VISIBILITY "Disables and unsets -fvisibility=hidden" OFF)
 option(ENABLE_64bit "Enable 64-bit compiling" OFF)
 option(ENABLE_ECC "Enable support for ECC" ON)
 option(ENABLE_EDDSA "Enable support for EDDSA" ON)
-option(ENABLE_MLDSA "Enable support for ML-DSA" ON)
+option(ENABLE_MLDSA "Enable support for ML-DSA" OFF)
 option(ENABLE_GOST "Enable support for GOST" OFF)
 option(ENABLE_FIPS "Enable support for FIPS 140-2 mode" OFF)
 option(ENABLE_P11_KIT "Enable p11-kit integration" ON)

m4/acx_botan_mldsa.m4

@@ -8,26 +8,21 @@ AC_DEFUN([ACX_BOTAN_MLDSA],[
 	LIBS="$CRYPTO_LIBS $LIBS"
 
 	AC_LANG_PUSH([C++])
-	AC_CACHE_VAL([acx_cv_lib_botan_mldsa_support],[
-		acx_cv_lib_botan_mldsa_support=no
-		AC_RUN_IFELSE([
-			AC_LANG_SOURCE([[
-				#include <botan/version.h>
-				int main()
-				{
-					// TODO
-					return 1;
-				}
-			]])
-		],[
-			AC_MSG_RESULT([yes])
+	AC_CACHE_VAL([acx_cv_lib_botan_mldsa_support], [
+		AC_COMPILE_IFELSE([
+			AC_LANG_SOURCE([
+			#include <botan/version.h>
+			#ifndef BOTAN_HAS_ML_DSA
+			# error "no ML-DSA support"
+			#endif
+			int main(void){ return 0; }
+			])
+		], [
 			acx_cv_lib_botan_mldsa_support=yes
-		],[
-			AC_MSG_RESULT([no])
-			acx_cv_lib_botan_mldsa_support=no
-		],[
-			AC_MSG_WARN([Cannot test, assuming no ML-DSA])
+			AC_MSG_RESULT([yes])
+		], [
 			acx_cv_lib_botan_mldsa_support=no
+			AC_MSG_RESULT([no])
 		])
 	])
 	AC_LANG_POP([C++])

src/lib/P11Attributes.cpp

@@ -2234,7 +2234,7 @@ bool P11AttrEcPoint::setDefault()
 // Set default value
 bool P11AttrParameterSet::setDefault()
 {
-	OSAttribute attr(ByteString(""));
+	OSAttribute attr((unsigned long)0);
 	return osobject->setAttribute(type, attr);
 }
 
@@ -2571,7 +2571,6 @@ bool P11AttrSeed::setDefault()
 CK_RV P11AttrSeed::updateAttr(Token *token, bool isPrivate, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int /*op*/)
 {
 	ByteString plaintext((unsigned char*)pValue, ulValueLen);
-	DEBUG_MSG("P11AttrSeed plaintext: %s", plaintext.hex_str().c_str());
 	ByteString value;
 
 	// Encrypt

src/lib/SoftHSM.cpp

@@ -62,9 +62,12 @@
 #include "DHPrivateKey.h"
 #include "GOSTPublicKey.h"
 #include "GOSTPrivateKey.h"
+#ifdef WITH_ML_DSA
 #include "MLDSAParameters.h"
 #include "MLDSAPublicKey.h"
 #include "MLDSAPrivateKey.h"
+#include "MLDSAUtil.h"
+#endif
 #include "cryptoki.h"
 #include "SoftHSM.h"
 #include "osmutex.h"
@@ -143,8 +146,10 @@ static CK_RV newP11Object(CK_OBJECT_CLASS objClass, CK_KEY_TYPE keyType, CK_CERT
 				*p11object = new P11GOSTPublicKeyObj();
 			else if (keyType == CKK_EC_EDWARDS)
 				*p11object = new P11EDPublicKeyObj();
+#ifdef WITH_ML_DSA
 			else if (keyType == CKK_ML_DSA)
 				*p11object = new P11MLDSAPublicKeyObj();
+#endif
 			else
 				return CKR_ATTRIBUTE_VALUE_INVALID;
 			break;
@@ -162,8 +167,10 @@ static CK_RV newP11Object(CK_OBJECT_CLASS objClass, CK_KEY_TYPE keyType, CK_CERT
 				*p11object = new P11GOSTPrivateKeyObj();
 			else if (keyType == CKK_EC_EDWARDS)
 				*p11object = new P11EDPrivateKeyObj();
+#ifdef WITH_ML_DSA
 			else if (keyType == CKK_ML_DSA)
 				*p11object = new P11MLDSAPrivateKeyObj();
+#endif
 			else
 				return CKR_ATTRIBUTE_VALUE_INVALID;
 			break;
@@ -4561,7 +4568,7 @@ CK_RV SoftHSM::AsymSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechan
 			return CKR_HOST_MEMORY;
 		}
 
-		if (getMLDSAPrivateKey((MLDSAPrivateKey*)privateKey, token, key) != CKR_OK)
+		if (MLDSAUtil::getMLDSAPrivateKey((MLDSAPrivateKey*)privateKey, token, key) != CKR_OK)
 		{
 			asymCrypto->recyclePrivateKey(privateKey);
 			CryptoFactory::i()->recycleAsymmetricAlgorithm(asymCrypto);
@@ -5593,7 +5600,7 @@ CK_RV SoftHSM::AsymVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 			return CKR_HOST_MEMORY;
 		}
 
-		if (getMLDSAPublicKey((MLDSAPublicKey*)publicKey, token, key) != CKR_OK)
+		if (MLDSAUtil::getMLDSAPublicKey((MLDSAPublicKey*)publicKey, token, key) != CKR_OK)
 		{
 			asymCrypto->recyclePublicKey(publicKey);
 			CryptoFactory::i()->recycleAsymmetricAlgorithm(asymCrypto);
@@ -6987,7 +6994,7 @@ CK_RV SoftHSM::C_WrapKey
 #endif
 #ifdef WITH_ML_DSA
 			case CKK_ML_DSA:
-				rv = getMLDSAPrivateKey((MLDSAPrivateKey*)privateKey, token, key);
+				rv = MLDSAUtil::getMLDSAPrivateKey((MLDSAPrivateKey*)privateKey, token, key);
 				break;
 #endif
 		}
@@ -7669,7 +7676,7 @@ CK_RV SoftHSM::C_UnwrapKey
 #ifdef WITH_ML_DSA
 			else if (keyType == CKK_ML_DSA)
 			{
-				bOK = bOK && setMLDSAPrivateKey(osobject, keydata, token, isPrivate != CK_FALSE);
+				bOK = bOK && MLDSAUtil::setMLDSAPrivateKey(osobject, keydata, token, isPrivate != CK_FALSE);
 			}
 #endif
 			else
@@ -10091,35 +10098,37 @@ CK_RV SoftHSM::generateMLDSA
 		return CKR_GENERAL_ERROR;
 
 	// Extract desired key information
-	unsigned long* params = 0;
+	CK_ULONG paramSet = 0;
 	for (CK_ULONG i = 0; i < ulPublicKeyAttributeCount; i++)
 	{
 		switch (pPublicKeyTemplate[i].type)
 		{
 			case CKA_PARAMETER_SET:
-				params = (unsigned long*)pPublicKeyTemplate[i].pValue;
+				if (pPublicKeyTemplate[i].ulValueLen != sizeof(CK_ULONG)) {
+                    INFO_MSG("CKA_PARAMETER_SET must be sizeof(CK_ULONG)");
+                    return CKR_ATTRIBUTE_VALUE_INVALID;
+                }
+                paramSet = *(CK_ULONG*)pPublicKeyTemplate[i].pValue;
 				break;
 			default:
 				break;
 		}
 	}
 
 	// The parameters must be specified to be able to generate a key pair.
-	if (params == 0) {
+	if (paramSet == 0) {
 		INFO_MSG("Missing parameter(s) in pPublicKeyTemplate");
 		return CKR_TEMPLATE_INCOMPLETE;
 	}
 
-	if (*params != 1UL && *params != 2UL && *params != 3UL) {
-		INFO_MSG("Wrong parameterSet: %ld", *params);
+	if (paramSet != CKP_ML_DSA_44 && paramSet != CKP_ML_DSA_65 && paramSet != CKP_ML_DSA_87) {
+		INFO_MSG("Unsupported parameter set: %lu", (unsigned long)paramSet);
 		return CKR_PARAMETER_SET_NOT_SUPPORTED;
 	}
 
 	// Set the parameters
 	MLDSAParameters p;
-	p.setParameterSet(*params);
-
-	DEBUG_MSG("params=%d, p.parameterSet=%d", *params, p.getParameterSet());
+	p.setParameterSet(paramSet);
 
 	// Generate key pair
 	AsymmetricKeyPair* kp = NULL;
@@ -10185,8 +10194,6 @@ CK_RV SoftHSM::generateMLDSA
 				CK_ULONG ulKeyGenMechanism = (CK_ULONG)CKM_ML_DSA_KEY_PAIR_GEN;
 				bOK = bOK && osobject->setAttribute(CKA_KEY_GEN_MECHANISM,ulKeyGenMechanism);
 
-				DEBUG_MSG("pub->getParameterSet()=%d, pub->getValue()=%s", pub->getParameterSet(), pub->getValue().hex_str().c_str());
-
 				// ML-DSA Public Key Attributes
 				ByteString value;
 				if (isPublicKeyPrivate)
@@ -10268,7 +10275,6 @@ CK_RV SoftHSM::generateMLDSA
 				ByteString parameterSet;
 				ByteString value;
 				ByteString seed;
-				DEBUG_MSG("priv->getParameterSet()=%d, priv->getSeed()=%s, priv->getValue()=%s", priv->getParameterSet(), priv->getSeed().hex_str().c_str(), priv->getValue().hex_str().c_str());
 				if (isPrivateKeyPrivate)
 				{
 					token->encrypt(priv->getValue(), value);
@@ -10280,8 +10286,6 @@ CK_RV SoftHSM::generateMLDSA
 					seed = priv->getSeed();
 				}
 
-				DEBUG_MSG("parameterSet=%d, seed=%s, value=%s", priv->getParameterSet(), seed.hex_str().c_str(), value.hex_str().c_str());
-
 				bOK = bOK && osobject->setAttribute(CKA_PARAMETER_SET, priv->getParameterSet());
 				bOK = bOK && osobject->setAttribute(CKA_VALUE, value);
 				bOK = bOK && osobject->setAttribute(CKA_SEED, seed);
@@ -13054,65 +13058,7 @@ CK_RV SoftHSM::getEDPublicKey(EDPublicKey* publicKey, Token* token, OSObject* ke
 	return CKR_OK;
 }
 
-CK_RV SoftHSM::getMLDSAPrivateKey(MLDSAPrivateKey* privateKey, Token* token, OSObject* key)
-{
-	if (privateKey == NULL) return CKR_ARGUMENTS_BAD;
-	if (token == NULL) return CKR_ARGUMENTS_BAD;
-	if (key == NULL) return CKR_ARGUMENTS_BAD;
-
-	// Get the CKA_PRIVATE attribute, when the attribute is not present use default false
-	bool isKeyPrivate = key->getBooleanValue(CKA_PRIVATE, false);
-
-	// ML-DSA Private Key Attributes
-	ByteString value;
-	ByteString seed;
-	if (isKeyPrivate)
-	{
-		bool bOK = true;
-		bOK = bOK && token->decrypt(key->getByteStringValue(CKA_VALUE), value);
-		bOK = bOK && token->decrypt(key->getByteStringValue(CKA_SEED), seed);
-		if (!bOK)
-			return CKR_GENERAL_ERROR;
-	}
-	else
-	{
-		value = key->getByteStringValue(CKA_VALUE);
-		seed = key->getByteStringValue(CKA_SEED);
-	}
-
-	privateKey->setValue(value);
-	privateKey->setSeed(seed);
-
-	return CKR_OK;
-}
-
-CK_RV SoftHSM::getMLDSAPublicKey(MLDSAPublicKey* publicKey, Token* token, OSObject* key)
-{
-	if (publicKey == NULL) return CKR_ARGUMENTS_BAD;
-	if (token == NULL) return CKR_ARGUMENTS_BAD;
-	if (key == NULL) return CKR_ARGUMENTS_BAD;
-
-	// Get the CKA_PRIVATE attribute, when the attribute is not present use default false
-	bool isKeyPrivate = key->getBooleanValue(CKA_PRIVATE, false);
-
-	// EC Public Key Attributes
-	ByteString value;
-	if (isKeyPrivate)
-	{
-		bool bOK = true;
-		bOK = bOK && token->decrypt(key->getByteStringValue(CKA_VALUE), value);
-		if (!bOK)
-			return CKR_GENERAL_ERROR;
-	}
-	else
-	{
-		value = key->getByteStringValue(CKA_VALUE);
-	}
-
-	publicKey->setValue(value);
 
-	return CKR_OK;
-}
 
 CK_RV SoftHSM::getDHPrivateKey(DHPrivateKey* privateKey, Token* token, OSObject* key)
 {
@@ -13571,48 +13517,6 @@ bool SoftHSM::setEDPrivateKey(OSObject* key, const ByteString &ber, Token* token
 	return bOK;
 }
 
-bool SoftHSM::setMLDSAPrivateKey(OSObject* key, const ByteString &ber, Token* token, bool isPrivate) const
-{
-	AsymmetricAlgorithm* mldsa = CryptoFactory::i()->getAsymmetricAlgorithm(AsymAlgo::MLDSA);
-	if (mldsa == NULL)
-		return false;
-	PrivateKey* priv = mldsa->newPrivateKey();
-	if (priv == NULL)
-	{
-		CryptoFactory::i()->recycleAsymmetricAlgorithm(mldsa);
-		return false;
-	}
-	if (!priv->PKCS8Decode(ber))
-	{
-		mldsa->recyclePrivateKey(priv);
-		CryptoFactory::i()->recycleAsymmetricAlgorithm(mldsa);
-		return false;
-	}
-	// ML-DSA Private Key Attributes
-	ByteString parameterSet;
-	ByteString seed;
-	ByteString value;
-	if (isPrivate)
-	{
-		token->encrypt(((MLDSAPrivateKey*)priv)->getSeed(), seed);
-		token->encrypt(((MLDSAPrivateKey*)priv)->getValue(), value);
-	}
-	else
-	{
-		seed = ((MLDSAPrivateKey*)priv)->getSeed();
-		value = ((MLDSAPrivateKey*)priv)->getValue();
-	}
-	bool bOK = true;
-	bOK = bOK && key->setAttribute(CKA_PARAMETER_SET, ((MLDSAPrivateKey*)priv)->getParameterSet());
-	bOK = bOK && key->setAttribute(CKA_SEED, seed);
-	bOK = bOK && key->setAttribute(CKA_VALUE, value);
-
-	mldsa->recyclePrivateKey(priv);
-	CryptoFactory::i()->recycleAsymmetricAlgorithm(mldsa);
-
-	return bOK;
-}
-
 bool SoftHSM::setGOSTPrivateKey(OSObject* key, const ByteString &ber, Token* token, bool isPrivate) const
 {
 	AsymmetricAlgorithm* gost = CryptoFactory::i()->getAsymmetricAlgorithm(AsymAlgo::GOST);

src/lib/SoftHSM.h

@@ -52,8 +52,10 @@
 #include "DHPrivateKey.h"
 #include "GOSTPublicKey.h"
 #include "GOSTPrivateKey.h"
+#ifdef WITH_ML_DSA
 #include "MLDSAPublicKey.h"
 #include "MLDSAPrivateKey.h"
+#endif
 
 #include <memory>
 
@@ -373,6 +375,7 @@ class SoftHSM
 		CK_BBOOL isOnToken,
 		CK_BBOOL isPrivate
 	);
+#ifdef WITH_ML_DSA
 	CK_RV generateMLDSA
 	(
 		CK_SESSION_HANDLE hSession,
@@ -387,6 +390,7 @@ class SoftHSM
 		CK_BBOOL isPrivateKeyOnToken,
 		CK_BBOOL isPrivateKeyPrivate
 	);
+#endif
 #ifdef WITH_ECC
 	CK_RV deriveECDH
 	(
@@ -451,8 +455,6 @@ class SoftHSM
 	CK_RV getGOSTPrivateKey(GOSTPrivateKey* privateKey, Token* token, OSObject* key);
 	CK_RV getGOSTPublicKey(GOSTPublicKey* publicKey, Token* token, OSObject* key);
 	CK_RV getSymmetricKey(SymmetricKey* skey, Token* token, OSObject* key);
-	CK_RV getMLDSAPrivateKey(MLDSAPrivateKey* privateKey, Token* token, OSObject* key);
-	CK_RV getMLDSAPublicKey(MLDSAPublicKey* publicKey, Token* token, OSObject* key);
 
 	ByteString getECDHPubData(ByteString& pubData);
 
@@ -462,7 +464,6 @@ class SoftHSM
 	bool setECPrivateKey(OSObject* key, const ByteString &ber, Token* token, bool isPrivate) const;
 	bool setEDPrivateKey(OSObject* key, const ByteString &ber, Token* token, bool isPrivate) const;
 	bool setGOSTPrivateKey(OSObject* key, const ByteString &ber, Token* token, bool isPrivate) const;
-	bool setMLDSAPrivateKey(OSObject* key, const ByteString &ber, Token* token, bool isPrivate) const;
 
 
 	CK_RV WrapKeyAsym

src/lib/crypto/CMakeLists.txt

@@ -31,6 +31,7 @@ set(SOURCES AESKey.cpp
             MLDSAParameters.cpp
             MLDSAPrivateKey.cpp
             MLDSAPublicKey.cpp
+            MLDSAUtil.cpp
             RSAParameters.cpp
             RSAPrivateKey.cpp
             RSAPublicKey.cpp