Add support for ML-DSA keys and signatures to the PKCS#7 and X.509 implementations.
Signed-off-by: David Howells <[email protected]> cc: Lukas Wunner <[email protected]> cc: Ignat Korchagin <[email protected]> cc: Stephan Mueller <[email protected]> cc: Eric Biggers <[email protected]> cc: Herbert Xu <[email protected]> cc: [email protected] cc: [email protected] --- crypto/asymmetric_keys/pkcs7_parser.c | 15 ++++++++++++++ crypto/asymmetric_keys/public_key.c | 7 +++++++ crypto/asymmetric_keys/x509_cert_parser.c | 24 +++++++++++++++++++++++ include/linux/oid_registry.h | 5 +++++ 4 files changed, 51 insertions(+) diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c index 3cdbab3b9f50..d7c88b90a4fd 100644 --- a/crypto/asymmetric_keys/pkcs7_parser.c +++ b/crypto/asymmetric_keys/pkcs7_parser.c @@ -297,6 +297,21 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen, ctx->sinfo->sig->pkey_algo = "ecrdsa"; ctx->sinfo->sig->encoding = "raw"; break; + case OID_id_ml_dsa_44: + ctx->sinfo->sig->pkey_algo = "ml-dsa44"; + ctx->sinfo->sig->encoding = "raw"; + ctx->sinfo->sig->algo_does_hash = true; + break; + case OID_id_ml_dsa_65: + ctx->sinfo->sig->pkey_algo = "ml-dsa65"; + ctx->sinfo->sig->encoding = "raw"; + ctx->sinfo->sig->algo_does_hash = true; + break; + case OID_id_ml_dsa_87: + ctx->sinfo->sig->pkey_algo = "ml-dsa87"; + ctx->sinfo->sig->encoding = "raw"; + ctx->sinfo->sig->algo_does_hash = true; + break; default: printk("Unsupported pkey algo: %u\n", ctx->last_oid); return -ENOPKG; diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c index e5b177c8e842..96e084668d1b 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -142,6 +142,13 @@ software_key_determine_akcipher(const struct public_key *pkey, if (strcmp(hash_algo, "streebog256") != 0 && strcmp(hash_algo, "streebog512") != 0) return -EINVAL; + } else if (strcmp(pkey->pkey_algo, "ml-dsa44") == 0 || + strcmp(pkey->pkey_algo, "ml-dsa65") == 0 || + strcmp(pkey->pkey_algo, "ml-dsa87") == 0) { + if (strcmp(encoding, "raw") != 0) + return -EINVAL; + if (!hash_algo) + return -EINVAL; } else { /* Unknown public key algorithm */ return -ENOPKG; diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 8df3fa60a44f..6a2a77a647a5 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -257,6 +257,15 @@ int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag, case OID_gost2012Signature512: ctx->cert->sig->hash_algo = "streebog512"; goto ecrdsa; + case OID_id_ml_dsa_44: + ctx->cert->sig->pkey_algo = "ml-dsa44"; + goto ml_dsa; + case OID_id_ml_dsa_65: + ctx->cert->sig->pkey_algo = "ml-dsa65"; + goto ml_dsa; + case OID_id_ml_dsa_87: + ctx->cert->sig->pkey_algo = "ml-dsa87"; + goto ml_dsa; } rsa_pkcs1: @@ -274,6 +283,12 @@ int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag, ctx->cert->sig->encoding = "x962"; ctx->sig_algo = ctx->last_oid; return 0; +ml_dsa: + ctx->cert->sig->algo_does_hash = true; + ctx->cert->sig->hash_algo = ctx->cert->sig->pkey_algo; + ctx->cert->sig->encoding = "raw"; + ctx->sig_algo = ctx->last_oid; + return 0; } /* @@ -524,6 +539,15 @@ int x509_extract_key_data(void *context, size_t hdrlen, return -ENOPKG; } break; + case OID_id_ml_dsa_44: + ctx->cert->pub->pkey_algo = "ml-dsa44"; + break; + case OID_id_ml_dsa_65: + ctx->cert->pub->pkey_algo = "ml-dsa65"; + break; + case OID_id_ml_dsa_87: + ctx->cert->pub->pkey_algo = "ml-dsa87"; + break; default: return -ENOPKG; } diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h index 6de479ebbe5d..30821a6a4f72 100644 --- a/include/linux/oid_registry.h +++ b/include/linux/oid_registry.h @@ -145,6 +145,11 @@ enum OID { OID_id_rsassa_pkcs1_v1_5_with_sha3_384, /* 2.16.840.1.101.3.4.3.15 */ OID_id_rsassa_pkcs1_v1_5_with_sha3_512, /* 2.16.840.1.101.3.4.3.16 */ + /* NIST FIPS-204 ML-DSA (Dilithium) */ + OID_id_ml_dsa_44, /* 2.16.840.1.101.3.4.3.17 */ + OID_id_ml_dsa_65, /* 2.16.840.1.101.3.4.3.18 */ + OID_id_ml_dsa_87, /* 2.16.840.1.101.3.4.3.19 */ + OID__NR };
