Description
As discussed in our call today, FIPS 204 specifies that HashML-DSA may only be used with one of three hash functions: SHA-256, SHA-512, or SHAKE128/256. In order to be able to use these hash functions with psa_sign_hash and psa_verify_hash, we need a hash algorithm identifier for them. We're missing SHAKE128/256. (We have SHAKE256/512 for a similar reason, namely that it's used for Ed448.)
Also consider listing the OID involved in HashML-DSA, similar to the table that #322 adds for RSA-PKCS#1v1.5. I don't know if we can expect all similar algorithms to use the same OIDs. (Certainly there are different OIDs for MD5, SHA1, SHA-256, etc., in different contexts, but until version 1.4 of the API specification, the only place where they appeared in our specification was RSA PKCS#1v1.5.)
Also check if SLH-DSA (FIPS 205) needs something similar.
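Added example (not code from the PSA Crypto API project): the pre-hash message M' that FIPS 204 HashML-DSA signs is 0x01 || len(ctx) || ctx || DER(OID of PH) || PH(M), so a hash algorithm identifier must carry both the digest function and its OID. The string identifiers below are hypothetical stand-ins for whatever PSA_ALG_* values the spec ends up defining; the OIDs are the NIST CSOR hash arc values (2.16.840.1.101.3.4.2.x), and SHAKE128/256 means SHAKE128 truncated to a fixed 256-bit output.

```python
import hashlib
from typing import Callable, Dict, NamedTuple


class PreHash(NamedTuple):
    oid: str                            # dotted-decimal OID of the hash function
    digest: Callable[[bytes], bytes]    # PH: message -> fixed-length digest


# Pre-hash functions FIPS 204 names for HashML-DSA, keyed by a hypothetical
# identifier (stand-in for a PSA hash algorithm identifier). SHAKE outputs are
# pinned to a fixed length, which is why "SHAKE128/256" needs its own identifier.
HASHML_DSA_PREHASHES: Dict[str, PreHash] = {
    "SHA_256": PreHash("2.16.840.1.101.3.4.2.1",
                       lambda m: hashlib.sha256(m).digest()),
    "SHA_512": PreHash("2.16.840.1.101.3.4.2.3",
                       lambda m: hashlib.sha512(m).digest()),
    "SHAKE128_256": PreHash("2.16.840.1.101.3.4.2.11",
                            lambda m: hashlib.shake_128(m).digest(32)),
    "SHAKE256_512": PreHash("2.16.840.1.101.3.4.2.12",
                            lambda m: hashlib.shake_256(m).digest(64)),
}


def der_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06, length, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                      # last 7-bit group, high bit clear
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)     # earlier groups carry the continuation bit
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def hashml_dsa_message(hash_id: str, message: bytes, ctx: bytes = b"") -> bytes:
    """Build M' for HashML-DSA: 0x01 || len(ctx) || ctx || DER(OID) || PH(M).

    Rejects hash identifiers that are not on the FIPS 204 list and contexts
    longer than the one-byte length field allows.
    """
    if hash_id not in HASHML_DSA_PREHASHES:
        raise ValueError(f"{hash_id} is not a HashML-DSA pre-hash function")
    if len(ctx) > 255:
        raise ValueError("context string must be at most 255 bytes")
    ph = HASHML_DSA_PREHASHES[hash_id]
    return b"\x01" + bytes([len(ctx)]) + ctx + der_oid(ph.oid) + ph.digest(message)


if __name__ == "__main__":
    # Constructed sample input: hash an empty message with SHAKE128/256.
    m_prime = hashml_dsa_message("SHAKE128_256", b"")
    print(m_prime.hex())
```

The digest bytes are what psa_sign_hash would receive; the OID prefix is what the verifier side must reconstruct from the algorithm identifier alone, so an identifier that does not pin the SHAKE output length would leave M' ambiguous.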