BCJSSE: Finalize and enable ML-DSA support

- see draft-ietf-tls-mldsa-00

Author: peterdettman

tls/src/main/java/org/bouncycastle/jsse/provider/SignatureSchemeInfo.java

@@ -43,8 +43,8 @@ class SignatureSchemeInfo
     // NOTE: Not all of these are necessarily enabled/supported; it will be checked at runtime
     private enum All
     {
-        ed25519(SignatureScheme.ed25519, "Ed25519", "Ed25519"),
-        ed448(SignatureScheme.ed448, "Ed448", "Ed448"),
+        ed25519(SignatureScheme.ed25519, "Ed25519", true),
+        ed448(SignatureScheme.ed448, "Ed448", true),
 
         ecdsa_secp256r1_sha256(SignatureScheme.ecdsa_secp256r1_sha256, "SHA256withECDSA", "EC"),
         ecdsa_secp384r1_sha384(SignatureScheme.ecdsa_secp384r1_sha384, "SHA384withECDSA", "EC"),
@@ -64,18 +64,18 @@ private enum All
         rsa_pss_rsae_sha384(SignatureScheme.rsa_pss_rsae_sha384, "SHA384withRSAandMGF1", "RSA"),
         rsa_pss_rsae_sha512(SignatureScheme.rsa_pss_rsae_sha512, "SHA512withRSAandMGF1", "RSA"),
 
+        // NOTE: Not supported pre-13, but that is enforced by TLS protocol code rather than at the (BC)JSSE level.
+        mldsa44(SignatureScheme.mldsa44, "ML-DSA-44", false),
+        mldsa65(SignatureScheme.mldsa65, "ML-DSA-65", false),
+        mldsa87(SignatureScheme.mldsa87, "ML-DSA-87", false),
+
+        sm2sig_sm3(SignatureScheme.sm2sig_sm3, "SM3withSM2", "EC"),
+
         // Deprecated: only for certs in 1.3
         rsa_pkcs1_sha256(SignatureScheme.rsa_pkcs1_sha256, "SHA256withRSA", "RSA", true),
         rsa_pkcs1_sha384(SignatureScheme.rsa_pkcs1_sha384, "SHA384withRSA", "RSA", true),
         rsa_pkcs1_sha512(SignatureScheme.rsa_pkcs1_sha512, "SHA512withRSA", "RSA", true),
 
-        sm2sig_sm3(SignatureScheme.sm2sig_sm3, "SM3withSM2", "EC"),
-
-        // TODO[tls] Need mechanism for restricting signature schemes to TLS 1.3+ before adding
-//        DRAFT_mldsa44(SignatureScheme.DRAFT_mldsa44, "ML-DSA-44", "ML-DSA-44"),
-//        DRAFT_mldsa65(SignatureScheme.DRAFT_mldsa65, "ML-DSA-65", "ML-DSA-65"),
-//        DRAFT_mldsa87(SignatureScheme.DRAFT_mldsa87, "ML-DSA-87", "ML-DSA-87"),
-
         /*
          * Legacy/Historical: mostly not supported in 1.3, except ecdsa_sha1 and rsa_pkcs1_sha1 are
          * still permitted as a last resort for certs.
@@ -96,52 +96,58 @@ private enum All
         private final String jcaSignatureAlgorithmBC;
         private final String keyAlgorithm;
         private final String keyType13;
-        private final boolean supportedPost13;
         private final boolean supportedPre13;
+        private final boolean supportedPost13;
         private final boolean supportedCerts13;
         private final int namedGroup13;
 
-        private All(int signatureScheme, String jcaSignatureAlgorithm, String keyAlgorithm)
+        private All(int signatureScheme, String algorithm, boolean supportedPre13)
         {
-            this(signatureScheme, jcaSignatureAlgorithm, keyAlgorithm, true, true,
+            this(signatureScheme, algorithm, algorithm, supportedPre13, true, true,
                 SignatureScheme.getNamedGroup(signatureScheme));
         }
 
-        // Deprecated/Legacy
-        private All(int signatureScheme, String jcaSignatureAlgorithm, String keyAlgorithm, boolean supportedCerts13)
+        private All(int signatureScheme, String jcaSignatureAlgorithm, String keyAlgorithm)
         {
-            this(signatureScheme, jcaSignatureAlgorithm, keyAlgorithm, false, supportedCerts13, -1);
+            this(signatureScheme, jcaSignatureAlgorithm, keyAlgorithm, true, true, true,
+                SignatureScheme.getNamedGroup(signatureScheme));
         }
 
-        private All(int signatureScheme, String jcaSignatureAlgorithm, String keyAlgorithm, boolean supportedPost13,
-            boolean supportedCerts13, int namedGroup13)
+        private All(int signatureScheme, String jcaSignatureAlgorithm, String keyAlgorithm, boolean supportedPre13,
+            boolean supportedPost13, boolean supportedCerts13, int namedGroup13)
         {
             this(signatureScheme, SignatureScheme.getName(signatureScheme), jcaSignatureAlgorithm, keyAlgorithm,
-                supportedPost13, supportedCerts13, namedGroup13);
+                supportedPre13, supportedPost13, supportedCerts13, namedGroup13);
+        }
+
+        // Deprecated/Legacy
+        private All(int signatureScheme, String jcaSignatureAlgorithm, String keyAlgorithm, boolean supportedCerts13)
+        {
+            this(signatureScheme, jcaSignatureAlgorithm, keyAlgorithm, true, false, supportedCerts13, -1);
         }
 
         // Historical
         private All(int signatureScheme, String name, String jcaSignatureAlgorithm, String keyAlgorithm)
         {
-            this(signatureScheme, name, jcaSignatureAlgorithm, keyAlgorithm, false, false, -1);
+            this(signatureScheme, name, jcaSignatureAlgorithm, keyAlgorithm, true, false, false, -1);
         }
 
         private All(int signatureScheme, String name, String jcaSignatureAlgorithm, String keyAlgorithm,
-            boolean supportedPost13, boolean supportedCerts13, int namedGroup13)
+            boolean supportedPre13, boolean supportedPost13, boolean supportedCerts13, int namedGroup13)
         {
             String keyType13 = JsseUtils.getKeyType13(keyAlgorithm, namedGroup13);
             String jcaSignatureAlgorithmBC = JsseUtils.getJcaSignatureAlgorithmBC(jcaSignatureAlgorithm, keyAlgorithm);
 
-
             this.signatureScheme = signatureScheme;
             this.name = name;
             this.text = name + "(0x" + Integer.toHexString(signatureScheme) + ")";
             this.jcaSignatureAlgorithm = jcaSignatureAlgorithm;
             this.jcaSignatureAlgorithmBC = jcaSignatureAlgorithmBC;
             this.keyAlgorithm = keyAlgorithm;
             this.keyType13 = keyType13;
+            this.supportedPre13 = supportedPre13 &&
+                (namedGroup13 < 0 || NamedGroup.canBeNegotiated(namedGroup13, ProtocolVersion.TLSv12));
             this.supportedPost13 = supportedPost13;
-            this.supportedPre13 = (namedGroup13 < 0) || NamedGroup.canBeNegotiated(namedGroup13, ProtocolVersion.TLSv12);
             this.supportedCerts13 = supportedCerts13;
             this.namedGroup13 = namedGroup13;
         }

tls/src/main/java/org/bouncycastle/tls/SignatureAndHashAlgorithm.java

@@ -21,9 +21,9 @@ public class SignatureAndHashAlgorithm
         create(HashAlgorithm.Intrinsic, SignatureAlgorithm.gostr34102012_256);
     public static final SignatureAndHashAlgorithm gostr34102012_512 =
         create(HashAlgorithm.Intrinsic, SignatureAlgorithm.gostr34102012_512);
-    public static final SignatureAndHashAlgorithm DRAFT_mldsa44 = create(SignatureScheme.DRAFT_mldsa44);
-    public static final SignatureAndHashAlgorithm DRAFT_mldsa65 = create(SignatureScheme.DRAFT_mldsa65);
-    public static final SignatureAndHashAlgorithm DRAFT_mldsa87 = create(SignatureScheme.DRAFT_mldsa87);
+    public static final SignatureAndHashAlgorithm mldsa44 = create(SignatureScheme.mldsa44);
+    public static final SignatureAndHashAlgorithm mldsa65 = create(SignatureScheme.mldsa65);
+    public static final SignatureAndHashAlgorithm mldsa87 = create(SignatureScheme.mldsa87);
     public static final SignatureAndHashAlgorithm rsa_pss_rsae_sha256 =
         create(SignatureScheme.rsa_pss_rsae_sha256);
     public static final SignatureAndHashAlgorithm rsa_pss_rsae_sha384 =

tls/src/main/java/org/bouncycastle/tls/SignatureScheme.java

@@ -48,9 +48,16 @@ public class SignatureScheme
     /*
      * draft-ietf-tls-mldsa-00
      */
-    public static final int DRAFT_mldsa44 = 0x0904;
-    public static final int DRAFT_mldsa65 = 0x0905;
-    public static final int DRAFT_mldsa87 = 0x0906;
+    public static final int mldsa44 = 0x0904;
+    public static final int mldsa65 = 0x0905;
+    public static final int mldsa87 = 0x0906;
+
+    /** @deprecated Use 'mldsa44' instead. */
+    public static final int DRAFT_mldsa44 = mldsa44;
+    /** @deprecated Use 'mldsa65' instead. */
+    public static final int DRAFT_mldsa65 = mldsa65;
+    /** @deprecated Use 'mldsa87' instead. */
+    public static final int DRAFT_mldsa87 = mldsa87;
 
     /*
      * RFC 8446 reserved for private use (0xFE00..0xFFFF)
@@ -77,9 +84,9 @@ public static int getCryptoHashAlgorithm(int signatureScheme)
         {
         case ed25519:
         case ed448:
-        case DRAFT_mldsa44:
-        case DRAFT_mldsa65:
-        case DRAFT_mldsa87:
+        case mldsa44:
+        case mldsa65:
+        case mldsa87:
             return -1;
         case ecdsa_brainpoolP256r1tls13_sha256:
         case rsa_pss_pss_sha256:
@@ -156,12 +163,12 @@ public static String getName(int signatureScheme)
             return "ecdsa_brainpoolP512r1tls13_sha512";
         case sm2sig_sm3:
             return "sm2sig_sm3";
-        case DRAFT_mldsa44:
-            return "DRAFT_mldsa44";
-        case DRAFT_mldsa65:
-            return "DRAFT_mldsa65";
-        case DRAFT_mldsa87:
-            return "DRAFT_mldsa87";
+        case mldsa44:
+            return "mldsa44";
+        case mldsa65:
+            return "mldsa65";
+        case mldsa87:
+            return "mldsa87";
         default:
             return "UNKNOWN";
         }
@@ -233,12 +240,12 @@ public static SignatureAndHashAlgorithm getSignatureAndHashAlgorithm(int signatu
             return SignatureAndHashAlgorithm.ed25519;
         case ed448:
             return SignatureAndHashAlgorithm.ed448;
-        case DRAFT_mldsa44:
-            return SignatureAndHashAlgorithm.DRAFT_mldsa44;
-        case DRAFT_mldsa65:
-            return SignatureAndHashAlgorithm.DRAFT_mldsa65;
-        case DRAFT_mldsa87:
-            return SignatureAndHashAlgorithm.DRAFT_mldsa87;
+        case mldsa44:
+            return SignatureAndHashAlgorithm.mldsa44;
+        case mldsa65:
+            return SignatureAndHashAlgorithm.mldsa65;
+        case mldsa87:
+            return SignatureAndHashAlgorithm.mldsa87;
         default:
             return SignatureAndHashAlgorithm.getInstance(
                 getHashAlgorithm(signatureScheme),
@@ -273,9 +280,9 @@ public static boolean isMLDSA(int signatureScheme)
     {
         switch (signatureScheme)
         {
-        case DRAFT_mldsa44:
-        case DRAFT_mldsa65:
-        case DRAFT_mldsa87:
+        case mldsa44:
+        case mldsa65:
+        case mldsa87:
             return true;
         default:
             return false;

tls/src/main/java/org/bouncycastle/tls/TlsUtils.java

@@ -116,9 +116,9 @@ private static Hashtable createCertSigAlgOIDs()
         addCertSigAlgOID(h, EdECObjectIdentifiers.id_Ed25519, SignatureAndHashAlgorithm.ed25519);
         addCertSigAlgOID(h, EdECObjectIdentifiers.id_Ed448, SignatureAndHashAlgorithm.ed448);
 
-        addCertSigAlgOID(h, NISTObjectIdentifiers.id_ml_dsa_44, SignatureAndHashAlgorithm.DRAFT_mldsa44);
-        addCertSigAlgOID(h, NISTObjectIdentifiers.id_ml_dsa_65, SignatureAndHashAlgorithm.DRAFT_mldsa65);
-        addCertSigAlgOID(h, NISTObjectIdentifiers.id_ml_dsa_87, SignatureAndHashAlgorithm.DRAFT_mldsa87);
+        addCertSigAlgOID(h, NISTObjectIdentifiers.id_ml_dsa_44, SignatureAndHashAlgorithm.mldsa44);
+        addCertSigAlgOID(h, NISTObjectIdentifiers.id_ml_dsa_65, SignatureAndHashAlgorithm.mldsa65);
+        addCertSigAlgOID(h, NISTObjectIdentifiers.id_ml_dsa_87, SignatureAndHashAlgorithm.mldsa87);
 
         addCertSigAlgOID(h, RosstandartObjectIdentifiers.id_tc26_signwithdigest_gost_3410_12_256,
             SignatureAndHashAlgorithm.gostr34102012_256);

tls/src/main/java/org/bouncycastle/tls/crypto/impl/PQCUtil.java

@@ -12,11 +12,11 @@ public static ASN1ObjectIdentifier getMLDSAObjectidentifier(int signatureScheme)
     {
         switch (signatureScheme)
         {
-        case SignatureScheme.DRAFT_mldsa44:
+        case SignatureScheme.mldsa44:
             return NISTObjectIdentifiers.id_ml_dsa_44;
-        case SignatureScheme.DRAFT_mldsa65:
+        case SignatureScheme.mldsa65:
             return NISTObjectIdentifiers.id_ml_dsa_65;
-        case SignatureScheme.DRAFT_mldsa87:
+        case SignatureScheme.mldsa87:
             return NISTObjectIdentifiers.id_ml_dsa_87;
         default:
             throw new IllegalArgumentException();
@@ -27,15 +27,15 @@ public static int getMLDSASignatureScheme(MLDSAParameters parameters)
     {
         if (MLDSAParameters.ml_dsa_44 == parameters)
         {
-            return SignatureScheme.DRAFT_mldsa44;
+            return SignatureScheme.mldsa44;
         }
         if (MLDSAParameters.ml_dsa_65 == parameters)
         {
-            return SignatureScheme.DRAFT_mldsa65;
+            return SignatureScheme.mldsa65;
         }
         if (MLDSAParameters.ml_dsa_87 == parameters)
         {
-            return SignatureScheme.DRAFT_mldsa87;
+            return SignatureScheme.mldsa87;
         }
         throw new IllegalArgumentException();
     }

tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsCrypto.java

@@ -457,10 +457,9 @@ public boolean hasSignatureAndHashAlgorithm(SignatureAndHashAlgorithm sigAndHash
         int signatureScheme = SignatureScheme.from(sigAndHashAlgorithm);
         if (SignatureScheme.isMLDSA(signatureScheme))
         {
-            // TODO[tls-mldsa] Finish ML-DSA support before enabling
-            return false;
+            return true;
         }
-        
+
         short signature = sigAndHashAlgorithm.getSignature();
 
         switch (sigAndHashAlgorithm.getHash())
@@ -478,11 +477,10 @@ public boolean hasSignatureScheme(int signatureScheme)
         {
         case SignatureScheme.sm2sig_sm3:
             return false;
-        case SignatureScheme.DRAFT_mldsa44:
-        case SignatureScheme.DRAFT_mldsa65:
-        case SignatureScheme.DRAFT_mldsa87:
-            // TODO[tls-mldsa] Finish ML-DSA support before enabling
-            return false;
+        case SignatureScheme.mldsa44:
+        case SignatureScheme.mldsa65:
+        case SignatureScheme.mldsa87:
+            return true;
         default:
         {
             short signature = SignatureScheme.getSignatureAlgorithm(signatureScheme);

tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsRawKeyCertificate.java

@@ -250,9 +250,9 @@ public Tls13Verifier createVerifier(int signatureScheme) throws IOException
 //            return new BcTls13Verifier(verifier);
 //        }
 
-        case SignatureScheme.DRAFT_mldsa44:
-        case SignatureScheme.DRAFT_mldsa65:
-        case SignatureScheme.DRAFT_mldsa87:
+        case SignatureScheme.mldsa44:
+        case SignatureScheme.mldsa65:
+        case SignatureScheme.mldsa87:
         {
             ASN1ObjectIdentifier mlDsaAlgOid = PQCUtil.getMLDSAObjectidentifier(signatureScheme);
             validateMLDSA(mlDsaAlgOid);

tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaDefaultTlsCredentialedSigner.java

@@ -68,15 +68,15 @@ else if ("Ed448".equalsIgnoreCase(algorithm))
         }
         else if ("ML-DSA-44".equalsIgnoreCase(algorithm))
         {
-            signer = new JcaTlsMLDSASigner(crypto, privateKey, SignatureScheme.DRAFT_mldsa44);
+            signer = new JcaTlsMLDSASigner(crypto, privateKey, SignatureScheme.mldsa44);
         }
         else if ("ML-DSA-65".equalsIgnoreCase(algorithm))
         {
-            signer = new JcaTlsMLDSASigner(crypto, privateKey, SignatureScheme.DRAFT_mldsa65);
+            signer = new JcaTlsMLDSASigner(crypto, privateKey, SignatureScheme.mldsa65);
         }
         else if ("ML-DSA-87".equalsIgnoreCase(algorithm))
         {
-            signer = new JcaTlsMLDSASigner(crypto, privateKey, SignatureScheme.DRAFT_mldsa87);
+            signer = new JcaTlsMLDSASigner(crypto, privateKey, SignatureScheme.mldsa87);
         }
         else
         {

tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCertificate.java

@@ -274,9 +274,9 @@ public Tls13Verifier createVerifier(int signatureScheme) throws IOException
         // TODO[RFC 8998]
 //        case SignatureScheme.sm2sig_sm3:
 
-        case SignatureScheme.DRAFT_mldsa44:
-        case SignatureScheme.DRAFT_mldsa65:
-        case SignatureScheme.DRAFT_mldsa87:
+        case SignatureScheme.mldsa44:
+        case SignatureScheme.mldsa65:
+        case SignatureScheme.mldsa87:
             return crypto.createTls13Verifier("ML-DSA", null, getPubKeyMLDSA());
 
         default:

tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java

@@ -775,8 +775,7 @@ public boolean hasSignatureAndHashAlgorithm(SignatureAndHashAlgorithm sigAndHash
         int signatureScheme = SignatureScheme.from(sigAndHashAlgorithm);
         if (SignatureScheme.isMLDSA(signatureScheme))
         {
-            // TODO[tls-mldsa] Finish ML-DSA support before enabling
-            return false;
+            return true;
         }
 
         short signature = sigAndHashAlgorithm.getSignature();
@@ -799,11 +798,10 @@ public boolean hasSignatureScheme(int signatureScheme)
         {
         case SignatureScheme.sm2sig_sm3:
             return false;
-        case SignatureScheme.DRAFT_mldsa44:
-        case SignatureScheme.DRAFT_mldsa65:
-        case SignatureScheme.DRAFT_mldsa87:
-            // TODO[tls-mldsa] Finish ML-DSA support before enabling
-            return false;
+        case SignatureScheme.mldsa44:
+        case SignatureScheme.mldsa65:
+        case SignatureScheme.mldsa87:
+            return true;
         default:
         {
             short signature = SignatureScheme.getSignatureAlgorithm(signatureScheme);