aws · jakemas · Feb 13, 2025 · Feb 13, 2025 · Feb 18, 2025 · Feb 19, 2025
@@ -20,6 +20,9 @@ static void pqdsa_free(EVP_PKEY *pkey) {
 
 static int pqdsa_get_priv_raw(const EVP_PKEY *pkey, uint8_t *out,
                                    size_t *out_len) {
+  GUARD_PTR(pkey);
+  GUARD_PTR(out_len);
+
   if (pkey->pkey.pqdsa_key == NULL) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_NO_PARAMETERS_SET);
     return 0;
@@ -153,49 +156,68 @@ static int pqdsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key, CBS *pubkey)
     return 0;
   }
 
-  // check the size of the provided input against the private key and seed len
-  if (CBS_len(key) != out->pkey.pqdsa_key->pqdsa->private_key_len &&
-      CBS_len(key) != out->pkey.pqdsa_key->pqdsa->keygen_seed_len) {
-    OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
-    return 0;
-  }
+  // Try to parse as one of the three ASN.1 formats defined in ML-DSA-XX-PrivateKey
+  // Currently only the following cases are supported:
+  // Case 1: seed [0] OCTET STRING
+  // Case 2: expandedKey OCTET STRING
 
-  // See https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
-  // The caller can either provide the full key of size |private_key_len| or
-  // |keygen_seed_len|.
-  if (CBS_len(key) == out->pkey.pqdsa_key->pqdsa->private_key_len) {
+  // Once https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
+  // is stable we will implement:
+  // Case 3: both SEQUENCE { seed, expandedKey }
 
-    // Set the private key
-    if (!PQDSA_KEY_set_raw_private_key(out->pkey.pqdsa_key, key)) {
-      // PQDSA_KEY_set_raw_private_key sets the appropriate error.
+  if (CBS_peek_asn1_tag(key, CBS_ASN1_CONTEXT_SPECIFIC | 0)) {
+    // Case 1: seed [0] OCTET STRING
+    CBS seed;
+    if (!CBS_get_asn1(key, &seed, CBS_ASN1_CONTEXT_SPECIFIC | 0)) {
+      OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
       return 0;
     }
 
-  } else if (CBS_len(key) == out->pkey.pqdsa_key->pqdsa->keygen_seed_len) {
-    if (!PQDSA_KEY_set_raw_keypair_from_seed(out->pkey.pqdsa_key, key)) {
-      // PQDSA_KEY_set_raw_keypair_from_seed sets the appropriate error.
+    if (CBS_len(&seed) != out->pkey.pqdsa_key->pqdsa->keygen_seed_len) {
+      OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
       return 0;
     }
+
+    return PQDSA_KEY_set_raw_keypair_from_seed(out->pkey.pqdsa_key, &seed);
+  } else if (CBS_peek_asn1_tag(key, CBS_ASN1_OCTETSTRING)) {
+    // Case 2: expandedKey OCTET STRING
+    CBS expanded_key;
+    if (!CBS_get_asn1(key, &expanded_key, CBS_ASN1_OCTETSTRING)) {
+      OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+      return 0;
+    }
+
+    if (CBS_len(&expanded_key) != out->pkey.pqdsa_key->pqdsa->private_key_len) {
+      OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
+      return 0;
+    }
+
+    return PQDSA_KEY_set_raw_private_key(out->pkey.pqdsa_key, &expanded_key);
+  }else {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
   }
-  return 1;
 }
 
 static int pqdsa_priv_encode(CBB *out, const EVP_PKEY *pkey) {
   PQDSA_KEY *key = pkey->pkey.pqdsa_key;
   const PQDSA *pqdsa = key->pqdsa;
-  if (key->private_key == NULL) {
+  if (key->seed == NULL) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);
     return 0;
   }
   // See https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/ section 6.
-  CBB pkcs8, algorithm, oid, private_key;
+  CBB pkcs8, algorithm, oid, private_key, seed_choice;
   if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||
-      !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||
+      !CBB_add_asn1_uint64(&pkcs8, PKCS8_VERSION_ONE /* version */) ||
       !CBB_add_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) ||
       !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||
       !CBB_add_bytes(&oid, pqdsa->oid, pqdsa->oid_len) ||
       !CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) ||
-      !CBB_add_bytes(&private_key, key->private_key, pqdsa->private_key_len) ||
+      !CBB_add_asn1(&private_key, &seed_choice, CBS_ASN1_CONTEXT_SPECIFIC | 0) ||
+      !CBB_add_bytes(&seed_choice, key->seed, pqdsa->keygen_seed_len) ||
+      //!CBB_add_asn1(&private_key, &seed_choice, CBS_ASN1_OCTETSTRING) ||
+      //!CBB_add_bytes(&seed_choice, key->private_key, pqdsa->private_key_len) ||
       !CBB_flush(out)) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);
     return 0;

@@ -1089,20 +1089,20 @@ const char *mldsa_87_pub_pem_str =
 // C.1.  Example Private Key
 const char *mldsa_44_priv_pem_str =
 "-----BEGIN PRIVATE KEY-----\n"
-"MDICAQAwCwYJYIZIAWUDBAMRBCAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRob\n"
-"HB0eHw==\n"
+"MDQCAQAwCwYJYIZIAWUDBAMRBCKAIAABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZ\n"
+"GhscHR4f\n"
 "-----END PRIVATE KEY-----\n";
 
 const char *mldsa_65_priv_pem_str =
 "-----BEGIN PRIVATE KEY-----\n"
-"MDICAQAwCwYJYIZIAWUDBAMSBCAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRob\n"
-"HB0eHw==\n"
+"MDQCAQAwCwYJYIZIAWUDBAMSBCKAIAABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZ\n"
+"GhscHR4f\n"
 "-----END PRIVATE KEY-----\n";
 
 const char *mldsa_87_priv_pem_str =
 "-----BEGIN PRIVATE KEY-----\n"
-"MDICAQAwCwYJYIZIAWUDBAMTBCAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRob\n"
-"HB0eHw==\n"
+"MDQCAQAwCwYJYIZIAWUDBAMTBCKAIAABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZ\n"
+"GhscHR4f\n"
 "-----END PRIVATE KEY-----\n";
 
 struct PQDSATestVector {
@@ -1463,11 +1463,10 @@ TEST_P(PQDSAParameterTest, RawFunctions) {
   EXPECT_NE(private_pkey->pkey.pqdsa_key->private_key, nullptr);
 
   // ---- 5. Test get_raw public/private failure modes ----
-  uint8_t *buf = nullptr;
-  size_t buf_size;
+  std::vector<uint8_t> get_sk(sk_len);
 
   // Attempting to get a private key that is not present must fail correctly
-  EXPECT_FALSE(EVP_PKEY_get_raw_private_key(public_pkey.get(), buf, &buf_size));
+  EXPECT_FALSE(EVP_PKEY_get_raw_private_key(public_pkey.get(), get_sk.data(), &sk_len));
   GET_ERR_AND_CHECK_REASON(EVP_R_NOT_A_PRIVATE_KEY);
 
   // Null PKEY must fail correctly.
@@ -1754,6 +1753,15 @@ TEST_P(PQDSAParameterTest, ParsePrivateKey) {
   // the public key that was parsed from PEM.
   ASSERT_EQ(1, EVP_PKEY_cmp(pkey1.get(), pkey2.get()));
 
+  // ---- 5. test failure modes ----
+  // Test case in which a parsed key does not contain a seed
+  bssl::ScopedCBB cbb;
+  void *tmp = (void*) pkey1.get()->pkey.pqdsa_key->seed;
+  pkey1.get()->pkey.pqdsa_key->seed =nullptr;
+  ASSERT_TRUE(CBB_init(cbb.get(), 0));
+  ASSERT_FALSE(EVP_marshal_private_key(cbb.get(), pkey1.get()));
+  pkey1.get()->pkey.pqdsa_key->seed = (uint8_t *)tmp;
+
   // Clean up
   OPENSSL_free(der_pub);
   OPENSSL_free(der_priv);
@@ -1780,7 +1788,7 @@ TEST_P(PQDSAParameterTest, KeyConsistencyTest) {
   // ---- 3. Generate a raw public key from the raw private key ----
   ASSERT_TRUE(GetParam().pack_key(pk.data(), sk.data()));
 
-  // ---- 4. Generate a raw public key from the raw private key ----
+  // ---- 4. Test that the calculated pk is equal to original pkey ----
   CMP_VEC_AND_PKEY_PUBLIC(pk, pkey, pk_len);
 }
 

@@ -49,7 +49,7 @@ static int pkey_pqdsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
   PQDSA_KEY *key = PQDSA_KEY_new();
   if (key == NULL ||
       !PQDSA_KEY_init(key, pqdsa) ||
-      !pqdsa->method->pqdsa_keygen(key->public_key, key->private_key) ||
+      !pqdsa->method->pqdsa_keygen(key->public_key, key->private_key, key->seed) ||
       !EVP_PKEY_assign(pkey, EVP_PKEY_PQDSA, key)) {
     PQDSA_KEY_free(key);
     return 0;

@@ -39,11 +39,12 @@ int ml_dsa_44_keypair_internal_no_self_test(uint8_t *public_key   /* OUT */,
 }
 
 int ml_dsa_44_keypair(uint8_t *public_key   /* OUT */,
-                      uint8_t *private_key  /* OUT */) {
+                      uint8_t *private_key  /* OUT */,
+                      uint8_t *seed         /* OUT */) {
   boringssl_ensure_ml_dsa_self_test();
   ml_dsa_params params;
   ml_dsa_44_params_init(&params);
-  return (ml_dsa_keypair(&params, public_key, private_key) == 0);
+  return (ml_dsa_keypair(&params, public_key, private_key, seed) == 0);
 }
 
 int ml_dsa_44_pack_pk_from_sk(uint8_t *public_key          /* OUT */,
@@ -186,11 +187,12 @@ int ml_dsa_extmu_44_verify_internal(const uint8_t *public_key /* IN */,
 }
 
 int ml_dsa_65_keypair(uint8_t *public_key   /* OUT */,
-                      uint8_t *private_key  /* OUT */) {
+                      uint8_t *private_key  /* OUT */,
+                      uint8_t *seed         /* OUT */) {
   boringssl_ensure_ml_dsa_self_test();
   ml_dsa_params params;
   ml_dsa_65_params_init(&params);
-  return (ml_dsa_keypair(&params, public_key, private_key) == 0);
+  return (ml_dsa_keypair(&params, public_key, private_key, seed) == 0);
 }
 
 int ml_dsa_65_pack_pk_from_sk(uint8_t *public_key          /* OUT */,
@@ -318,11 +320,12 @@ int ml_dsa_extmu_65_verify_internal(const uint8_t *public_key /* IN */,
 }
 
 int ml_dsa_87_keypair(uint8_t *public_key   /* OUT */,
-                      uint8_t *private_key  /* OUT */) {
+                      uint8_t *private_key  /* OUT */,
+                      uint8_t *seed         /* OUT */) {
   boringssl_ensure_ml_dsa_self_test();
   ml_dsa_params params;
   ml_dsa_87_params_init(&params);
-  return (ml_dsa_keypair(&params, public_key, private_key) == 0);
+  return (ml_dsa_keypair(&params, public_key, private_key, seed) == 0);
 }
 
 int ml_dsa_87_pack_pk_from_sk(uint8_t *public_key          /* OUT */,

@@ -31,7 +31,8 @@
 extern "C" {
 #endif
 OPENSSL_EXPORT int ml_dsa_44_keypair(uint8_t *public_key,
-                                     uint8_t *secret_key);
+                                     uint8_t *secret_key,
+                                     uint8_t *seed);
 
 OPENSSL_EXPORT int ml_dsa_44_pack_pk_from_sk(uint8_t *public_key,
                                              const uint8_t *private_key);
@@ -96,7 +97,8 @@ OPENSSL_EXPORT int ml_dsa_extmu_44_verify_internal(const uint8_t *public_key,
                                                    const uint8_t *pre, size_t pre_len);
 
 OPENSSL_EXPORT int ml_dsa_65_keypair(uint8_t *public_key,
-                                     uint8_t *secret_key);
+                                     uint8_t *secret_key,
+                                     uint8_t *seed);
 
 OPENSSL_EXPORT int ml_dsa_65_pack_pk_from_sk(uint8_t *public_key,
                                              const uint8_t *private_key);
@@ -146,7 +148,8 @@ OPENSSL_EXPORT int ml_dsa_extmu_65_verify_internal(const uint8_t *public_key,
                                                    const uint8_t *pre, size_t pre_len);
 
 OPENSSL_EXPORT int ml_dsa_87_keypair(uint8_t *public_key,
-                                     uint8_t *secret_key);
+                                     uint8_t *secret_key,
+                                     uint8_t *seed);
 
 OPENSSL_EXPORT int ml_dsa_87_pack_pk_from_sk(uint8_t *public_key,
                                              const uint8_t *private_key);

@@ -127,20 +127,20 @@ int ml_dsa_keypair_internal(ml_dsa_params *params,
 *              Generates public and private key.
 *
 * Arguments:   - ml_dsa_params: parameter struct
-*              - uint8_t *pk: pointer to output public key (allocated
-*                             array of CRYPTO_PUBLICKEYBYTES bytes)
-*              - uint8_t *sk: pointer to output private key (allocated
-*                             array of CRYPTO_SECRETKEYBYTES bytes)
+*              - uint8_t *pk:   pointer to output public key (allocated
+*                               array of CRYPTO_PUBLICKEYBYTES bytes)
+*              - uint8_t *sk:   pointer to output private key (allocated
+*                               array of CRYPTO_SECRETKEYBYTES bytes)
+*              - uint8_t *seed: pointer to output keygen seed (allocated
+*                               array of ML_DSA_SEEDBYTES bytes)
 *
 * Returns 0 (success) -1 on failure
 **************************************************/
-int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) {
-  uint8_t seed[ML_DSA_SEEDBYTES];
+int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk, uint8_t *seed) {
   if (!RAND_bytes(seed, ML_DSA_SEEDBYTES)) {
     return -1;
   }
   int result = ml_dsa_keypair_internal(params, pk, sk, seed);
-  OPENSSL_cleanse(seed, sizeof(seed));
   return result;
 }
 

@@ -5,7 +5,10 @@
 #include <stdint.h>
 #include "params.h"
 
-int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk);
+int ml_dsa_keypair(ml_dsa_params *params,
+                   uint8_t *pk,
+                   uint8_t *sk,
+                   uint8_t *seed);
 
 int ml_dsa_keypair_internal(ml_dsa_params *params,
                             uint8_t *pk,

@@ -13,7 +13,8 @@ extern "C" {
 // PQDSA_METHOD structure and helper functions.
 typedef struct {
   int (*pqdsa_keygen)(uint8_t *public_key,
-                      uint8_t *private_key);
+                      uint8_t *private_key,
+                      uint8_t *keygen_seed);
 
   int (*pqdsa_keygen_internal)(uint8_t *public_key,
                              uint8_t *private_key,
@@ -70,6 +71,7 @@ struct pqdsa_key_st {
   const PQDSA *pqdsa;
   uint8_t *public_key;
   uint8_t *private_key;
+  uint8_t *seed;
 };
 
 int PQDSA_KEY_init(PQDSA_KEY *key, const PQDSA *pqdsa);

@@ -34,8 +34,10 @@ static void PQDSA_KEY_clear(PQDSA_KEY *key) {
   key->pqdsa = NULL;
   OPENSSL_free(key->public_key);
   OPENSSL_free(key->private_key);
+  OPENSSL_free(key->seed);
   key->public_key = NULL;
   key->private_key = NULL;
+  key->seed = NULL;
 }
 
 int PQDSA_KEY_init(PQDSA_KEY *key, const PQDSA *pqdsa) {
@@ -48,7 +50,8 @@ int PQDSA_KEY_init(PQDSA_KEY *key, const PQDSA *pqdsa) {
   key->pqdsa = pqdsa;
   key->public_key = OPENSSL_malloc(pqdsa->public_key_len);
   key->private_key = OPENSSL_malloc(pqdsa->private_key_len);
-  if (key->public_key == NULL || key->private_key == NULL) {
+  key->seed = OPENSSL_malloc(pqdsa->keygen_seed_len);
+  if (key->public_key == NULL || key->private_key == NULL || key->seed == NULL) {
     PQDSA_KEY_clear(key);
     return 0;
   }
@@ -101,18 +104,37 @@ int PQDSA_KEY_set_raw_keypair_from_seed(PQDSA_KEY *key, CBS *in) {
     return 0;
   }
 
+  uint8_t *seed = OPENSSL_malloc(key->pqdsa->keygen_seed_len);
+  if (seed == NULL) {
+    OPENSSL_free(private_key);
+    OPENSSL_free(public_key);
+    return 0;
+  }
+
   // attempt to generate the key from the provided seed
   if (!key->pqdsa->method->pqdsa_keygen_internal(public_key,
                                                  private_key,
                                                  CBS_data(in))) {
+    OPENSSL_free(public_key);
+    OPENSSL_free(private_key);
+    OPENSSL_free(seed);
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     return 0;
   }
 
-  // set the public and private key
+  // copy the seed data
+  if (!CBS_copy_bytes(in, seed, key->pqdsa->keygen_seed_len)) {
+    OPENSSL_free(public_key);
+    OPENSSL_free(private_key);
+    OPENSSL_free(seed);
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
+  // set the public key, private key, and seed
   key->public_key = public_key;
   key->private_key = private_key;
-
+  key->seed = seed;
   return 1;
 }
 

@@ -249,7 +249,7 @@ OPENSSL_EXPORT EVP_PKEY *EVP_parse_private_key(CBS *cbs);
 
 // EVP_marshal_private_key marshals |key| as a DER-encoded PrivateKeyInfo
 // structure (RFC 5208) and appends the result to |cbb|. It returns one on
-// success and zero on error.
+// success and zero on error. For ML-DSA, the private seed is encoded.
 OPENSSL_EXPORT int EVP_marshal_private_key(CBB *cbb, const EVP_PKEY *key);
 
 // EVP_marshal_private_key_v2 marshals |key| as a DER-encoded