Merge pull request #161 from Frauschi/pkcs11_mldsa

Add ML-DSA support

Author: dgarske

.github/workflows/build-workflow.yml

@@ -35,7 +35,7 @@ jobs:
       working-directory: ./wolfssl
       run: |
         ./configure --enable-cryptocb --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt --enable-md5 \
-            C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP"
+            --enable-mldsa C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP"
     - name: wolfssl make install
       working-directory: ./wolfssl
       run: make

.github/workflows/clang-tidy.yml

@@ -29,19 +29,21 @@ on:
 jobs:
   clang-tidy:
     runs-on: ubuntu-latest
-    
+
     strategy:
       fail-fast: false
       matrix:
         config:
           - name: "Standard Build"
             configure_flags: ""
-          - name: "NSS Build" 
+          - name: "NSS Build"
             configure_flags: "--enable-nss"
           - name: "TPM Build"
             configure_flags: "--enable-tpm"
           - name: "NSS+TPM Build"
             configure_flags: "--enable-nss --enable-tpm"
+          - name: "PKCS#11 V3.2 PQC Build"
+            configure_flags: "--enable-pkcs11v32 --enable-mldsa"
 
     steps:
     # Checkout wolfPKCS11
@@ -70,7 +72,7 @@ jobs:
         cd wolfssl
         ./autogen.sh
         ./configure --enable-cryptocb --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt --enable-md5 \
-            C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP"
+            --enable-mldsa C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP"
         make -j$(nproc)
         sudo make install
         sudo ldconfig

.github/workflows/cmake.yml

@@ -61,7 +61,9 @@ jobs:
             -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DWOLFPKCS11_INSTALL:BOOL=yes -DWOLFPKCS11_DEBUG:BOOL=yes \
             -DWOLFPKCS11_AESKEYWRAP:BOOL=yes -DWOLFPKCS11_AESCTR:BOOL=yes -DWOLFPKCS11_AESCCM:BOOL=yes \
             -DWOLFPKCS11_AESECB:BOOL=yes -DWOLFPKCS11_AESCTS:BOOL=yes -DWOLFPKCS11_AESCMAC:BOOL=yes \
-            -DWOLFPKCS11_PBKDF2:BOOL=yes -DCMAKE_MODULE_PATH="$GITHUB_WORKSPACE/install/${CMAKE_INSTALL_LIBDIR}" \
+            -DWOLFPKCS11_PBKDF2:BOOL=yes -DWOLFPKCS11_SHA3:BOOL=yes -DWOLFPKCS11_PKCS11_V3_0:BOOL=yes \
+            -DWOLFPKCS11_PKCS11_V3_2:BOOL=yes -DWOLFPKCS11_MLDSA:BOOL=yes \
+            -DCMAKE_MODULE_PATH="$GITHUB_WORKSPACE/install/${CMAKE_INSTALL_LIBDIR}" \
             ..
         cmake --build .
         ctest -j $(nproc)

.github/workflows/sanitizer-tests.yml

@@ -19,12 +19,14 @@ jobs:
         config:
           - name: "Standard Build"
             configure_flags: ""
-          - name: "NSS Build" 
+          - name: "NSS Build"
             configure_flags: "--enable-nss"
           - name: "TPM Build"
             configure_flags: "--enable-tpm"
           - name: "NSS+TPM Build"
             configure_flags: "--enable-nss --enable-tpm"
+          - name: "PKCS#11 V3.2 PQC Build"
+            configure_flags: "--enable-pkcs11v32 --enable-mldsa"
 
     steps:
 #pull wolfPKCS11
@@ -73,7 +75,7 @@ jobs:
             ;;
         esac
         ./configure --enable-cryptocb --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt --enable-md5 --enable-debug \
-            C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP"
+            --enable-mldsa C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP"
     - name: wolfssl make
       working-directory: ./wolfssl
       run: |

.github/workflows/scan-build.yml

@@ -44,6 +44,8 @@ jobs:
             configure_flags: "--enable-tpm"
           - name: "NSS+TPM Build"
             configure_flags: "--enable-nss --enable-tpm"
+          - name: "PKCS#11 V3.2 PQC Build"
+            configure_flags: "--enable-pkcs11v32 --enable-mldsa"
 
     steps:
     # Checkout wolfPKCS11
@@ -72,7 +74,7 @@ jobs:
         cd wolfssl
         ./autogen.sh
         ./configure --enable-cryptocb --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt --enable-md5 \
-            C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP"
+            --enable-mldsa C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP"
         make -j$(nproc)
         sudo make install
         sudo ldconfig

.github/workflows/unit-test.yml

@@ -102,6 +102,10 @@ jobs:
     uses: ./.github/workflows/build-workflow.yml
     with:
       config: --enable-pkcs11v32 --disable-shared
+  mldsa:
+    uses: ./.github/workflows/build-workflow.yml
+    with:
+      config: --enable-mldsa
   debug:
     uses: ./.github/workflows/build-workflow.yml
     with:

CMakeLists.txt

@@ -462,6 +462,24 @@ if(WOLFPKCS11_PKCS11_V3_2)
 endif()
 
 
+# ML-DSA
+add_option("WOLFPKCS11_MLDSA"
+    "Enable wolfPKCS11 ML-DSA support (default: disabled)"
+    "no" "yes;no"
+)
+
+if(NOT WOLFPKCS11_SHA3)
+    override_cache(WOLFPKCS11_MLDSA "no")
+endif()
+
+if(WOLFPKCS11_MLDSA)
+    if(NOT WOLFPKCS11_PKCS11_V3_2)
+        message(FATAL_ERROR "ML-DSA requires PKCS#11 Version 3.2 support (enable WOLFPKCS11_PKCS11_V3_2)")
+    endif()
+    list(APPEND WOLFPKCS11_DEFINITIONS "-DWOLFPKCS11_MLDSA")
+endif()
+
+
 # If wolfpkcs11/options.h exists, delete it to avoid
 # a mixup with build/wolfpkcs11/options.h.
 if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/wolfpkcs11/options.h")

README.md

@@ -54,6 +54,16 @@ configure step.
 WARNING: ECB (Electronic Code Book) mode AES is generally considered to be
 insecure. Please consider using a different mode of AES.
 
+### Optional: PQC ML-DSA Support
+
+To have ML-DSA support in wolfPKCS11, configure wolfSSL with ML-DSA (Dilithium)
+support enabled, either by adding `--enable-mldsa` to `./configure` or by
+setting `WOLFSSL_DILITHIUM` to `yes` in CMake.
+
+As ML-DSA is a feature of PKCS#11 version 3.2, support for that is required,
+too. Hence, to enable all in wolfPKCS11, add `--enable-pkcs11v32 --enable-mldsa`
+during the configure step.
+
 ### Build options and defines
 
 #### Define WOLFPKCS11_TPM_STORE
@@ -116,7 +126,8 @@ cmake -DCMAKE_INSTALL_PREFIX=/usr/local \
     -DWOLFSSL_SHA=yes -DWOLFSSL_SHA224=yes -DWOLFSSL_SHA3=yes \
     -DWOLFSSL_SHA384=yes -DWOLFSSL_SHA512=yes \
     -DWOLFSSL_SP_MATH_ALL=yes -DWOLFSSL_PUBLIC_MP=yes \
-    -DWOLFSSL_WC_RSA_DIRECT=yes -DCMAKE_BUILD_TYPE=Release \
+    -DWOLFSSL_WC_RSA_DIRECT=yes -DWOLFSSL_DILITHIUM=yes \
+    -DCMAKE_BUILD_TYPE=Release \
     ..
 cmake --build .
 sudo cmake --install .
@@ -147,6 +158,8 @@ cmake -DWOLFPKCS11_DEBUG=yes \
     -DWOLFPKCS11_AESCTS=yes \
     -DWOLFPKCS11_AESCMAC=yes \
     -DWOLFPKCS11_PBKDF2=yes \
+    -DWOLFPKCS11_PKCS11_V3_2=yes \
+    -DWOLFPKCS11_MLDSA=yes \
     ..
 cmake --build .
 ctest
@@ -194,6 +207,7 @@ cmake -DCMAKE_PREFIX_PATH=/path/to/wolfssl/install ..
 | `WOLFPKCS11_NSS` | `no` | NSS-specific modifications |
 | `WOLFPKCS11_PKCS11_V3_0` | `yes` | PKCS#11 v3.0 support |
 | `WOLFPKCS11_PKCS11_V3_2` | `no` | PKCS#11 v3.2 support |
+| `WOLFPKCS11_MLDSA` | `no`| ML-DSA support |
 | `WOLFPKCS11_EXAMPLES` | `yes` | Build examples |
 | `WOLFPKCS11_TESTS` | `yes` | Build and register tests |
 | `WOLFPKCS11_COVERAGE` | `no` | Code coverage support |

cmake/options.h.in

@@ -92,6 +92,8 @@ extern "C" {
 #cmakedefine WOLFSSL_SHA512
 #undef WOLFSSL_SHA3
 #cmakedefine WOLFSSL_SHA3
+#undef WOLFPKCS11_MLDSA
+#cmakedefine WOLFPKCS11_MLDSA
 #undef WOLFPKCS11_TPM
 #cmakedefine WOLFPKCS11_TPM
 #undef WOLFPKCS11_NSS

configure.ac

@@ -516,6 +516,27 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_2"
 fi
 
+AC_ARG_ENABLE([mldsa],
+    [AS_HELP_STRING([--enable-mldsa],[Enable ML-DSA (default: disabled)])],
+    [ ENABLED_MLDSA=$enableval ],
+    [ ENABLED_MLDSA=no ]
+    )
+
+if test "$ENABLED_SHA3" = "no"
+then
+    echo "ML-DSA requires SHA-3 support (disabled), disabling ML-DSA"
+    ENABLED_MLDSA=no
+fi
+
+if test "$ENABLED_MLDSA" = "yes"
+then
+    if test "$ENABLED_PKCS11V3_2" = "no"; then
+        ENABLED_PKCS11V3_2=yes
+        AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_PKCS11_V3_2"
+    fi
+    AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_MLDSA"
+fi
+
 
 AM_CONDITIONAL([BUILD_STATIC],[test "x$enable_shared" = "xno"])
 
@@ -703,6 +724,7 @@ echo "   * RSA-PSS:                    $ENABLED_RSAPSS"
 echo "   * DH:                         $ENABLED_DH"
 echo "   * ECC:                        $ENABLED_ECC"
 echo "   * HKDF:                       $ENABLED_HKDF"
+echo "   * ML-DSA:                     $ENABLED_MLDSA"
 echo "   * NSS modifications:          $ENABLED_NSS"
 echo "   * Default token path:         $WOLFPKCS11_DEFAULT_TOKEN_PATH"
 echo "   * PKCS#11 Version 3.0:        $ENABLED_PKCS11V3_0"