Description
Security issue notifications
If you discover a potential security issue in s2n we ask that you notify
AWS Security via our vulnerability reporting page. Please do not create a public GitHub issue.
Problem:
We need more verification of ML-DSA keys before we actually say we support this algorithm. Right now s2n-tls can't tell the difference between ML-DSA parameter sets (44, 87, etc.). This has significance for our signature verification as well as our certificate key preferences feature.
The problem is that TLS keeps adding new dimensions to signature algorithms, so it's hard to remember to go check the signature curve if ECDSA, the parameter size if ML-DSA, etc.
Need By Date:
Ideally soon. We have already released our support for ML-DSA. Right now this doesn't cause a problem because all security policies that support ML-DSA support all ML-DSA parameter sets. But we should fix it.
Solution:
Use EVP_PKEY_pqdsa_get_type to parse the specific ML-DSA parameter size. Note that this API is only available in AWS-LC.
Requirements / Acceptance Criteria:
Handshake fails if security policy doesn't support MLDSA44 but peer offers MLDSA44 key for auth.
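As an added example (not s2n-tls code, and not using the AWS-LC `EVP_PKEY_pqdsa_get_type` API named above), the C below models the check this acceptance criterion asks for. It recovers the ML-DSA parameter set from the DER-encoded AlgorithmIdentifier OID carried in a certificate's SubjectPublicKeyInfo (the NIST-assigned OIDs id-ml-dsa-44/65/87 are 2.16.840.1.101.3.4.3.17/18/19) and then asks a policy whether that parameter set is allowed for peer authentication, treating the ML-DSA parameter set the same way an ECDSA curve is treated. The `security_policy_t` struct, the enums and the function names are hypothetical stand-ins for whatever s2n-tls's real policy tables look like.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not s2n-tls code. Models the missing check: a security policy must
 * distinguish ML-DSA parameter sets (44/65/87) before accepting a peer's certificate key. */

typedef enum { KEY_UNKNOWN = 0, KEY_ECDSA, KEY_MLDSA } key_type_t;

/* ML-DSA parameter sets; the enum itself is constructed for this example. */
typedef enum { MLDSA_NONE = 0, MLDSA_44 = 44, MLDSA_65 = 65, MLDSA_87 = 87 } mldsa_param_t;

/* DER prefix shared by id-ml-dsa-44/65/87: tag 0x06, length 9, then 2.16.840.1.101.3.4.3.
 * The final arc byte (0x11, 0x12, 0x13) selects the parameter set. */
static const uint8_t OID_MLDSA_PREFIX[] = {
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03
};

/* Map a DER-encoded AlgorithmIdentifier OID to an ML-DSA parameter set.
 * Anything that is not exactly one of the three ML-DSA OIDs yields MLDSA_NONE. */
mldsa_param_t mldsa_param_from_oid(const uint8_t *oid, size_t len) {
    if (oid == NULL || len != sizeof(OID_MLDSA_PREFIX) + 1) return MLDSA_NONE;
    if (memcmp(oid, OID_MLDSA_PREFIX, sizeof(OID_MLDSA_PREFIX)) != 0) return MLDSA_NONE;
    switch (oid[len - 1]) {
        case 0x11: return MLDSA_44;
        case 0x12: return MLDSA_65;
        case 0x13: return MLDSA_87;
        default:   return MLDSA_NONE;
    }
}

typedef struct {
    key_type_t type;
    int ecdsa_curve_bits;      /* 256 / 384 / 521 for ECDSA keys, 0 otherwise */
    mldsa_param_t mldsa_param; /* parameter set for ML-DSA keys, MLDSA_NONE otherwise */
} peer_key_t;

/* Hypothetical policy: each signature-algorithm dimension (curve, parameter set)
 * is an explicit allow flag rather than a single "ECDSA"/"MLDSA" switch. */
typedef struct {
    const char *name;
    int allow_ecdsa_p256, allow_ecdsa_p384, allow_ecdsa_p521;
    int allow_mldsa_44, allow_mldsa_65, allow_mldsa_87;
} security_policy_t;

/* Constructed policies for the demonstration. */
static const security_policy_t POLICY_ALL_MLDSA  = { "all-mldsa",  1, 1, 1, 1, 1, 1 };
static const security_policy_t POLICY_NO_MLDSA44 = { "no-mldsa44", 1, 1, 1, 0, 1, 1 };

/* Returns 1 if the policy accepts this key for peer authentication, 0 if the
 * handshake must fail. Unknown types, curves or parameter sets are rejected. */
int policy_accepts_peer_key(const security_policy_t *p, const peer_key_t *k) {
    switch (k->type) {
        case KEY_ECDSA:
            switch (k->ecdsa_curve_bits) {
                case 256: return p->allow_ecdsa_p256;
                case 384: return p->allow_ecdsa_p384;
                case 521: return p->allow_ecdsa_p521;
                default:  return 0;
            }
        case KEY_MLDSA:
            switch (k->mldsa_param) {
                case MLDSA_44: return p->allow_mldsa_44;
                case MLDSA_65: return p->allow_mldsa_65;
                case MLDSA_87: return p->allow_mldsa_87;
                default:       return 0;
            }
        default:
            return 0;
    }
}

/* End-to-end: classify a certificate key by its SPKI algorithm OID, then apply the policy.
 * A non-ML-DSA OID is treated as "not an ML-DSA key" and rejected by this path. */
int mldsa_cert_key_allowed(const security_policy_t *p, const uint8_t *oid, size_t len) {
    peer_key_t k = { KEY_MLDSA, 0, mldsa_param_from_oid(oid, len) };
    if (k.mldsa_param == MLDSA_NONE) return 0;
    return policy_accepts_peer_key(p, &k);
}

int main(void) {
    /* Constructed DER OIDs for id-ml-dsa-44 and id-ml-dsa-65. */
    const uint8_t oid44[] = { 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x11 };
    const uint8_t oid65[] = { 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x12 };
    printf("%s: ML-DSA-44 key -> %s\n", POLICY_NO_MLDSA44.name,
           mldsa_cert_key_allowed(&POLICY_NO_MLDSA44, oid44, sizeof oid44) ? "accept" : "handshake fails");
    printf("%s: ML-DSA-65 key -> %s\n", POLICY_NO_MLDSA44.name,
           mldsa_cert_key_allowed(&POLICY_NO_MLDSA44, oid65, sizeof oid65) ? "accept" : "handshake fails");
    return 0;
}
```

The point of splitting the policy into per-parameter-set flags is that a future ML-DSA-only or "no 44" policy is expressed in data, with the parse step (`mldsa_param_from_oid`) and the decision step (`policy_accepts_peer_key`) kept separate so each can be unit-tested on its own.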