Added sign/verify tests with test vectors

Added ML-DSA hedge support

Author: antoinelochet

.github/workflows/ci.yml

@@ -76,13 +76,13 @@ jobs:
           make check || (find . -name test-suite.log -exec cat {} \; && false)
 
   linux_ossl_35:
-    name: Linux with OpenSSL 3.5.2
+    name: Linux with OpenSSL 3.5.4
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
       - name: Prepare
         env:
-          OPENSSL_VERSION: 3.5.2
+          OPENSSL_VERSION: 3.5.4
           OPENSSL_INSTALL_DIR: /usr/local/openssl-3.5
           LDFLAGS: "-Wl,-rpath,/usr/local/openssl-3.5/lib64 -L/usr/local/openssl-3.5/lib64"
           PKG_CONFIG_PATH: "/usr/local/openssl-3.5/lib64/pkgconfig"
@@ -97,7 +97,7 @@ jobs:
           make -j$(nproc) > build.log
           sudo make install > install.log
           cd ${{ env.OPENSSL_INSTALL_DIR }}
-          sudo ln -s lib64 lib
+          sudo ln -sf lib64 lib
       - name: Build
         env:
           # Once all OpenSSL deprecations fixed, uncomment this

src/lib/SoftHSM.cpp

@@ -884,7 +884,7 @@ void SoftHSM::prepareSupportedMechanisms(std::map<std::string, CK_MECHANISM_TYPE
 				else
 					supportedMechanisms.remove(mechanism);
 			}
-			catch (const std::out_of_range& e)
+			catch (const std::out_of_range&)
 			{
 				WARNING_MSG("Unknown mechanism provided: %s", token.c_str());
 			}
@@ -4195,6 +4195,7 @@ CK_RV SoftHSM::AsymSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechan
 #endif
 #ifdef WITH_ML_DSA
 	bool isMLDSA = false;
+	SIGN_ADDITIONAL_CONTEXT additionalContext = {};
 #endif
 	switch(pMechanism->mechanism) {
 		case CKM_RSA_PKCS:
@@ -4467,6 +4468,51 @@ CK_RV SoftHSM::AsymSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechan
 			mechanism = AsymMech::MLDSA;
 			bAllowMultiPartOp = false;
 			isMLDSA = true;
+			if (pMechanism->pParameter != NULL_PTR) {
+				if(pMechanism->ulParameterLen != sizeof(CK_SIGN_ADDITIONAL_CONTEXT))
+				{
+					ERROR_MSG("Invalid parameters");
+					return CKR_ARGUMENTS_BAD;
+				}
+				else
+				{
+					const CK_SIGN_ADDITIONAL_CONTEXT* ckSignAdditionalContext = (const CK_SIGN_ADDITIONAL_CONTEXT*) pMechanism->pParameter;
+					if (ckSignAdditionalContext->ulContextLen > 255)
+					{
+						ERROR_MSG("ML-DSA: Invalid parameters, context length > 255");
+						return CKR_ARGUMENTS_BAD;
+					}
+					
+					// Always initialize context fields
+					additionalContext.contextAsChar = NULL;
+					additionalContext.contextLength = 0;
+					if (ckSignAdditionalContext->ulContextLen > 0)
+					{
+						if (ckSignAdditionalContext->pContext == NULL)
+						{
+							ERROR_MSG("ML-DSA: Invalid parameters, pContext is NULL");
+							return CKR_ARGUMENTS_BAD;
+						}
+						additionalContext.contextAsChar = (unsigned char*) ckSignAdditionalContext->pContext;
+        				additionalContext.contextLength = ckSignAdditionalContext->ulContextLen;
+					}
+					switch (ckSignAdditionalContext->hedgeVariant) {
+						case CKH_HEDGE_REQUIRED:
+							additionalContext.hedgeType = Hedge::HEDGE_REQUIRED;
+							break;
+						case CKH_DETERMINISTIC_REQUIRED:
+							additionalContext.hedgeType = Hedge::DETERMINISTIC_REQUIRED;
+							break;
+						case CKH_HEDGE_PREFERRED:
+						// Per PKCS11v3.2 section 6.67.5
+						// "If no parameter is supplied the hedgeVariant will be CKH_HEDGE_PREFERRED"
+						default:
+							additionalContext.hedgeType = Hedge::HEDGE_PREFERRED;
+					}
+					param = &additionalContext;
+					paramLen = sizeof(SIGN_ADDITIONAL_CONTEXT);
+				}
+			}
 			break;
 #endif
 		default:
@@ -5229,6 +5275,7 @@ CK_RV SoftHSM::AsymVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 #endif
 #ifdef WITH_ML_DSA
 	bool isMLDSA = false;
+	SIGN_ADDITIONAL_CONTEXT additionalContext = {};
 #endif
 	switch(pMechanism->mechanism) {
 		case CKM_RSA_PKCS:
@@ -5499,6 +5546,49 @@ CK_RV SoftHSM::AsymVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 			mechanism = AsymMech::MLDSA;
 			bAllowMultiPartOp = false;
 			isMLDSA = true;
+			if (pMechanism->pParameter != NULL_PTR) {
+				if(pMechanism->ulParameterLen != sizeof(CK_SIGN_ADDITIONAL_CONTEXT))
+				{
+					ERROR_MSG("Invalid parameters");
+					return CKR_ARGUMENTS_BAD;
+				}
+				else
+				{
+					const CK_SIGN_ADDITIONAL_CONTEXT* ckSignAdditionalContext = (const CK_SIGN_ADDITIONAL_CONTEXT*) pMechanism->pParameter;
+					if (ckSignAdditionalContext->ulContextLen > 255) {
+						ERROR_MSG("ML-DSA: Invalid parameters, context length > 255");
+						return CKR_ARGUMENTS_BAD;
+					}
+					// Always initialize context fields
+					additionalContext.contextAsChar = NULL;
+					additionalContext.contextLength = 0;
+					if (ckSignAdditionalContext->ulContextLen > 0) {
+						if (ckSignAdditionalContext->pContext == NULL)
+						{
+							ERROR_MSG("ML-DSA: Invalid parameters, pContext is NULL");
+							return CKR_ARGUMENTS_BAD;
+						}
+						additionalContext.contextAsChar = (unsigned char*) ckSignAdditionalContext->pContext;
+						additionalContext.contextLength = ckSignAdditionalContext->ulContextLen;
+					}
+
+					switch (ckSignAdditionalContext->hedgeVariant) {
+						case CKH_HEDGE_REQUIRED:
+							additionalContext.hedgeType = Hedge::HEDGE_REQUIRED;
+							break;
+						case CKH_DETERMINISTIC_REQUIRED:
+							additionalContext.hedgeType = Hedge::DETERMINISTIC_REQUIRED;
+							break;
+						// Per PKCS11v3.2 section 6.67.5
+						// "If no parameter is supplied the hedgeVariant will be CKH_HEDGE_PREFERRED"
+						case CKH_HEDGE_PREFERRED:
+						default:
+							additionalContext.hedgeType = Hedge::HEDGE_PREFERRED;
+					}
+					param = &additionalContext;
+					paramLen = sizeof(SIGN_ADDITIONAL_CONTEXT);
+				}
+			}
 			break;
 #endif
 		default:
@@ -10274,7 +10364,6 @@ CK_RV SoftHSM::generateMLDSA
 				bOK = bOK && osobject->setAttribute(CKA_NEVER_EXTRACTABLE, bNeverExtractable);
 
 				// MLDSA Private Key Attributes
-				ByteString parameterSet;
 				ByteString value;
 				ByteString seed;
 				if (isPrivateKeyPrivate)

src/lib/SoftHSM.h

@@ -52,10 +52,6 @@
 #include "DHPrivateKey.h"
 #include "GOSTPublicKey.h"
 #include "GOSTPrivateKey.h"
-#ifdef WITH_ML_DSA
-#include "MLDSAPublicKey.h"
-#include "MLDSAPrivateKey.h"
-#endif
 
 #include <memory>
 

src/lib/crypto/AsymmetricAlgorithm.h

@@ -118,6 +118,40 @@ struct RSA_PKCS_PSS_PARAMS
 	size_t sLen;
 };
 
+struct Hedge
+{
+	enum Type
+	{
+		HEDGE_PREFERRED,
+		HEDGE_REQUIRED,
+		DETERMINISTIC_REQUIRED
+	};
+};
+
+struct SIGN_ADDITIONAL_CONTEXT
+{
+	Hedge::Type hedgeType;
+	const unsigned char* contextAsChar;
+	size_t contextLength;
+
+	// Prevent shallow copies (Session::setParameters handles deep-copy)
+	SIGN_ADDITIONAL_CONTEXT(const SIGN_ADDITIONAL_CONTEXT&) = delete;
+	SIGN_ADDITIONAL_CONTEXT& operator=(const SIGN_ADDITIONAL_CONTEXT&) = delete;
+
+	SIGN_ADDITIONAL_CONTEXT(): 
+		hedgeType(Hedge::Type::HEDGE_PREFERRED),
+		contextAsChar(NULL),
+		contextLength(0){}
+	SIGN_ADDITIONAL_CONTEXT(Hedge::Type hedgeType): 
+		hedgeType(hedgeType),
+		contextAsChar(NULL),
+		contextLength(0){}
+	SIGN_ADDITIONAL_CONTEXT(Hedge::Type hedgeType, const unsigned char* contextAsChar, size_t contextLength): 
+		hedgeType(hedgeType),
+		contextAsChar(contextAsChar),
+		contextLength(contextLength){}
+};
+
 class AsymmetricAlgorithm
 {
 public:

src/lib/crypto/MLDSAPrivateKey.cpp

@@ -24,7 +24,7 @@ unsigned long MLDSAPrivateKey::getBitLength() const
 	return getValue().bits();
 }
 
-// Get the bit length
+// Get the parameter set
 unsigned long MLDSAPrivateKey::getParameterSet() const
 {
 	switch(value.size()) {
@@ -81,17 +81,17 @@ ByteString MLDSAPrivateKey::serialise() const
 
 bool MLDSAPrivateKey::deserialise(ByteString& serialised)
 {
-	ByteString seed = ByteString::chainDeserialise(serialised);
-	ByteString value = ByteString::chainDeserialise(serialised);
+	ByteString deserializedSeed = ByteString::chainDeserialise(serialised);
+	ByteString deserializedValue = ByteString::chainDeserialise(serialised);
 
-	if ((seed.size() == 0) ||
-	    (value.size() == 0))
+	if ((deserializedSeed.size() == 0) ||
+	    (deserializedValue.size() == 0))
 	{
 		return false;
 	}
 
-	setSeed(seed);
-	setValue(value);
+	setSeed(deserializedSeed);
+	setValue(deserializedValue);
 
 	return true;
 }

src/lib/crypto/MLDSAPublicKey.cpp

@@ -70,14 +70,14 @@ ByteString MLDSAPublicKey::serialise() const
 
 bool MLDSAPublicKey::deserialise(ByteString& serialised)
 {
-	ByteString value = ByteString::chainDeserialise(serialised);
+	ByteString deserializedValue = ByteString::chainDeserialise(serialised);
 
-	if ((value.size() == 0))
+	if ((deserializedValue.size() == 0))
 	{
 		return false;
 	}
 
-	setValue(value);
+	setValue(deserializedValue);
 
 	return true;
 }

src/lib/crypto/MLDSAPublicKey.h

@@ -20,7 +20,7 @@ class MLDSAPublicKey : public PublicKey
 	// Check if the key is of the given type
 	virtual bool isOfType(const char* inType);
 
-	// Get the bit length
+	// Get the parameter set
 	virtual unsigned long getParameterSet() const;
 
 	// Get the signature length

src/lib/crypto/MLDSAUtil.h

@@ -26,5 +26,5 @@ class MLDSAUtil
 	static bool setMLDSAPrivateKey(OSObject* key, const ByteString &ber, Token* token, bool isPrivate);
 };
 
-#endif // !_SOFTHSM_V2_MLDSAUTIL_H
-#endif
+#endif // WITH_ML_DSA
+#endif // !_SOFTHSM_V2_MLDSAUTIL_H