TLS: Initial work on draft-tls-westerbaan-mldsa-00

Author: peterdettman

tls/src/main/java/org/bouncycastle/jsse/provider/SignatureSchemeInfo.java

@@ -71,6 +71,11 @@ private enum All
 
         sm2sig_sm3(SignatureScheme.sm2sig_sm3, "SM3withSM2", "EC"),
 
+        // TODO[tls] Need mechanism for restricting signature schemes to TLS 1.3+ before adding
+//        DRAFT_mldsa44(SignatureScheme.DRAFT_mldsa44, "ML-DSA-44", "ML-DSA-44"),
+//        DRAFT_mldsa65(SignatureScheme.DRAFT_mldsa65, "ML-DSA-65", "ML-DSA-65"),
+//        DRAFT_mldsa87(SignatureScheme.DRAFT_mldsa87, "ML-DSA-87", "ML-DSA-87"),
+
         /*
          * Legacy/Historical: mostly not supported in 1.3, except ecdsa_sha1 and rsa_pkcs1_sha1 are
          * still permitted as a last resort for certs.

tls/src/main/java/org/bouncycastle/tls/SignatureScheme.java

@@ -45,6 +45,13 @@ public class SignatureScheme
 
     public static final int sm2sig_sm3 = 0x0708;
 
+    /*
+     * draft-tls-westerbaan-mldsa-00
+     */
+    public static final int DRAFT_mldsa44 = 0x0904;
+    public static final int DRAFT_mldsa65 = 0x0905;
+    public static final int DRAFT_mldsa87 = 0x0906;
+
     /*
      * RFC 8446 reserved for private use (0xFE00..0xFFFF)
      */
@@ -70,6 +77,9 @@ public static int getCryptoHashAlgorithm(int signatureScheme)
         {
         case ed25519:
         case ed448:
+        case DRAFT_mldsa44:
+        case DRAFT_mldsa65:
+        case DRAFT_mldsa87:
             return -1;
         case ecdsa_brainpoolP256r1tls13_sha256:
         case rsa_pss_pss_sha256:
@@ -146,6 +156,12 @@ public static String getName(int signatureScheme)
             return "ecdsa_brainpoolP512r1tls13_sha512";
         case sm2sig_sm3:
             return "sm2sig_sm3";
+        case DRAFT_mldsa44:
+            return "DRAFT_mldsa44";
+        case DRAFT_mldsa65:
+            return "DRAFT_mldsa65";
+        case DRAFT_mldsa87:
+            return "DRAFT_mldsa87";
         default:
             return "UNKNOWN";
         }
@@ -238,6 +254,19 @@ public static boolean isECDSA(int signatureScheme)
         }
     }
 
+    public static boolean isMLDSA(int signatureScheme)
+    {
+        switch (signatureScheme)
+        {
+        case DRAFT_mldsa44:
+        case DRAFT_mldsa65:
+        case DRAFT_mldsa87:
+            return true;
+        default:
+            return false;
+        }
+    }
+
     public static boolean isRSAPSS(int signatureScheme)
     {
         switch (signatureScheme)

tls/src/main/java/org/bouncycastle/tls/crypto/impl/PQCUtil.java

@@ -0,0 +1,65 @@
+package org.bouncycastle.tls.crypto.impl;
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.pqc.crypto.mldsa.MLDSAParameters;
+import org.bouncycastle.tls.SignatureScheme;
+
+public class PQCUtil
+{
+    public static ASN1ObjectIdentifier getMLDSAObjectidentifier(int signatureScheme)
+    {
+        switch (signatureScheme)
+        {
+        case SignatureScheme.DRAFT_mldsa44:
+            return NISTObjectIdentifiers.id_ml_dsa_44;
+        case SignatureScheme.DRAFT_mldsa65:
+            return NISTObjectIdentifiers.id_ml_dsa_65;
+        case SignatureScheme.DRAFT_mldsa87:
+            return NISTObjectIdentifiers.id_ml_dsa_87;
+        default:
+            throw new IllegalArgumentException();
+        }
+    }
+
+    public static ASN1ObjectIdentifier getMLDSAObjectidentifier(MLDSAParameters parameters)
+    {
+        if (MLDSAParameters.ml_dsa_44 == parameters)
+        {
+            return NISTObjectIdentifiers.id_ml_dsa_44;
+        }
+        if (MLDSAParameters.ml_dsa_65 == parameters)
+        {
+            return NISTObjectIdentifiers.id_ml_dsa_65;
+        }
+        if (MLDSAParameters.ml_dsa_87 == parameters)
+        {
+            return NISTObjectIdentifiers.id_ml_dsa_87;
+        }
+        throw new IllegalArgumentException();
+    }
+
+    public static int getMLDSASignatureScheme(MLDSAParameters parameters)
+    {
+        if (MLDSAParameters.ml_dsa_44 == parameters)
+        {
+            return SignatureScheme.DRAFT_mldsa44;
+        }
+        if (MLDSAParameters.ml_dsa_65 == parameters)
+        {
+            return SignatureScheme.DRAFT_mldsa65;
+        }
+        if (MLDSAParameters.ml_dsa_87 == parameters)
+        {
+            return SignatureScheme.DRAFT_mldsa87;
+        }
+        throw new IllegalArgumentException();
+    }
+
+    public static boolean supportsMLDSA(AlgorithmIdentifier pubKeyAlgID, ASN1ObjectIdentifier algorithm)
+    {
+        return pubKeyAlgID.getAlgorithm().equals(algorithm)
+            && pubKeyAlgID.getParameters() == null;
+    }
+}

tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcDefaultTlsCredentialedSigner.java

@@ -6,6 +6,7 @@
 import org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters;
 import org.bouncycastle.crypto.params.Ed448PrivateKeyParameters;
 import org.bouncycastle.crypto.params.RSAKeyParameters;
+import org.bouncycastle.pqc.crypto.mldsa.MLDSAPrivateKeyParameters;
 import org.bouncycastle.tls.Certificate;
 import org.bouncycastle.tls.DefaultTlsCredentialedSigner;
 import org.bouncycastle.tls.SignatureAndHashAlgorithm;
@@ -22,7 +23,6 @@ public class BcDefaultTlsCredentialedSigner
     private static TlsSigner makeSigner(BcTlsCrypto crypto, AsymmetricKeyParameter privateKey, Certificate certificate,
         SignatureAndHashAlgorithm signatureAndHashAlgorithm)
     {
-        TlsSigner signer;
         if (privateKey instanceof RSAKeyParameters)
         {
             RSAKeyParameters privKeyRSA = (RSAKeyParameters)privateKey;
@@ -36,11 +36,11 @@ private static TlsSigner makeSigner(BcTlsCrypto crypto, AsymmetricKeyParameter p
                 }
             }
 
-            signer = new BcTlsRSASigner(crypto, privKeyRSA);
+            return new BcTlsRSASigner(crypto, privKeyRSA);
         }
         else if (privateKey instanceof DSAPrivateKeyParameters)
         {
-            signer = new BcTlsDSASigner(crypto, (DSAPrivateKeyParameters)privateKey);
+            return new BcTlsDSASigner(crypto, (DSAPrivateKeyParameters)privateKey);
         }
         else if (privateKey instanceof ECPrivateKeyParameters)
         {
@@ -63,22 +63,34 @@ else if (privateKey instanceof ECPrivateKeyParameters)
                 }
             }
 
-            signer = new BcTlsECDSASigner(crypto, privKeyEC);
+            return new BcTlsECDSASigner(crypto, privKeyEC);
         }
         else if (privateKey instanceof Ed25519PrivateKeyParameters)
         {
-            signer = new BcTlsEd25519Signer(crypto, (Ed25519PrivateKeyParameters)privateKey);
+            return new BcTlsEd25519Signer(crypto, (Ed25519PrivateKeyParameters)privateKey);
         }
         else if (privateKey instanceof Ed448PrivateKeyParameters)
         {
-            signer = new BcTlsEd448Signer(crypto, (Ed448PrivateKeyParameters)privateKey);
+            return new BcTlsEd448Signer(crypto, (Ed448PrivateKeyParameters)privateKey);
+        }
+        else if (privateKey instanceof MLDSAPrivateKeyParameters)
+        {
+            if (signatureAndHashAlgorithm != null)
+            {
+                TlsSigner signer = BcTlsMLDSASigner.create(crypto, (MLDSAPrivateKeyParameters)privateKey,
+                    SignatureScheme.from(signatureAndHashAlgorithm));
+                if (signer != null)
+                {
+                    return signer;
+                }
+            }
+
+            throw new IllegalArgumentException("ML-DSA private key of wrong type for signature algorithm");
         }
         else
         {
             throw new IllegalArgumentException("'privateKey' type not supported: " + privateKey.getClass().getName());
         }
-
-        return signer;
     }
 
     public BcDefaultTlsCredentialedSigner(TlsCryptoParameters cryptoParams, BcTlsCrypto crypto,

tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsCrypto.java

@@ -455,6 +455,10 @@ public boolean hasSignatureScheme(int signatureScheme)
         switch (signatureScheme)
         {
         case SignatureScheme.sm2sig_sm3:
+        // TODO[tls] Test coverage before adding
+        case SignatureScheme.DRAFT_mldsa44:
+        case SignatureScheme.DRAFT_mldsa65:
+        case SignatureScheme.DRAFT_mldsa87:
             return false;
         default:
         {

tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsMLDSASigner.java

@@ -0,0 +1,52 @@
+package org.bouncycastle.tls.crypto.impl.bc;
+
+import java.io.IOException;
+
+import org.bouncycastle.crypto.params.ParametersWithRandom;
+import org.bouncycastle.pqc.crypto.mldsa.MLDSAPrivateKeyParameters;
+import org.bouncycastle.pqc.crypto.mldsa.MLDSASigner;
+import org.bouncycastle.tls.SignatureAndHashAlgorithm;
+import org.bouncycastle.tls.SignatureScheme;
+import org.bouncycastle.tls.crypto.TlsStreamSigner;
+import org.bouncycastle.tls.crypto.impl.PQCUtil;
+
+public class BcTlsMLDSASigner
+    extends BcTlsSigner
+{
+    public static BcTlsMLDSASigner create(BcTlsCrypto crypto, MLDSAPrivateKeyParameters privateKey, int signatureScheme)
+    {
+        if (signatureScheme != PQCUtil.getMLDSASignatureScheme(privateKey.getParameters()))
+        {
+            return null;
+        }
+
+        return new BcTlsMLDSASigner(crypto, privateKey, signatureScheme);
+    }
+
+    private final int signatureScheme;
+
+    private BcTlsMLDSASigner(BcTlsCrypto crypto, MLDSAPrivateKeyParameters privateKey, int signatureScheme)
+    {
+        super(crypto, privateKey);
+
+        this.signatureScheme = signatureScheme;
+    }
+
+    public byte[] generateRawSignature(SignatureAndHashAlgorithm algorithm, byte[] hash) throws IOException
+    {
+        throw new UnsupportedOperationException();
+    }
+
+    public TlsStreamSigner getStreamSigner(SignatureAndHashAlgorithm algorithm)
+    {
+        if (algorithm == null || SignatureScheme.from(algorithm) != signatureScheme)
+        {
+            throw new IllegalStateException("Invalid algorithm: " + algorithm);
+        }
+
+        MLDSASigner signer = new MLDSASigner();
+        signer.init(true, new ParametersWithRandom(privateKey, crypto.getSecureRandom()));
+
+        return new BcTlsStreamSigner(signer);
+    }
+}

tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsRawKeyCertificate.java

@@ -26,6 +26,9 @@
 import org.bouncycastle.crypto.signers.PSSSigner;
 import org.bouncycastle.crypto.signers.RSADigestSigner;
 import org.bouncycastle.crypto.util.PublicKeyFactory;
+import org.bouncycastle.pqc.crypto.mldsa.MLDSAParameters;
+import org.bouncycastle.pqc.crypto.mldsa.MLDSAPublicKeyParameters;
+import org.bouncycastle.pqc.crypto.mldsa.MLDSASigner;
 import org.bouncycastle.tls.AlertDescription;
 import org.bouncycastle.tls.HashAlgorithm;
 import org.bouncycastle.tls.SignatureAlgorithm;
@@ -39,6 +42,7 @@
 import org.bouncycastle.tls.crypto.TlsEncryptor;
 import org.bouncycastle.tls.crypto.TlsVerifier;
 import org.bouncycastle.tls.crypto.impl.LegacyTls13Verifier;
+import org.bouncycastle.tls.crypto.impl.PQCUtil;
 import org.bouncycastle.tls.crypto.impl.RSAUtil;
 
 /**
@@ -247,6 +251,27 @@ public Tls13Verifier createVerifier(int signatureScheme) throws IOException
 //            return new BcTls13Verifier(verifier);
 //        }
 
+        case SignatureScheme.DRAFT_mldsa44:
+        case SignatureScheme.DRAFT_mldsa65:
+        case SignatureScheme.DRAFT_mldsa87:
+        {
+            ASN1ObjectIdentifier algorithm = PQCUtil.getMLDSAObjectidentifier(signatureScheme);
+            validateMLDSA(algorithm);
+
+            MLDSAPublicKeyParameters publicKey = getPubKeyMLDSA();
+            MLDSAParameters parameters = publicKey.getParameters();
+            if (!PQCUtil.getMLDSAObjectidentifier(parameters).equals(algorithm))
+            {
+                throw new TlsFatalAlert(AlertDescription.certificate_unknown,
+                    "ML-DSA public key not for " + SignatureScheme.getText(signatureScheme));
+            }
+
+            MLDSASigner verifier = new MLDSASigner();
+            verifier.init(false, publicKey);
+
+            return new BcTls13Verifier(verifier);
+        }
+
         default:
             throw new TlsFatalAlert(AlertDescription.internal_error);
         }
@@ -387,6 +412,18 @@ public Ed448PublicKeyParameters getPubKeyEd448() throws IOException
         }
     }
 
+    public MLDSAPublicKeyParameters getPubKeyMLDSA() throws IOException
+    {
+        try
+        {
+            return (MLDSAPublicKeyParameters)getPublicKey();
+        }
+        catch (ClassCastException e)
+        {
+            throw new TlsFatalAlert(AlertDescription.certificate_unknown, "Public key not ML-DSA", e);
+        }
+    }
+
     public RSAKeyParameters getPubKeyRSA() throws IOException
     {
         try
@@ -448,6 +485,12 @@ protected boolean supportsKeyUsage(int keyUsageBit)
         return true;
     }
 
+    protected boolean supportsMLDSA(ASN1ObjectIdentifier algorithm)
+    {
+        AlgorithmIdentifier pubKeyAlgID = keyInfo.getAlgorithm();
+        return PQCUtil.supportsMLDSA(pubKeyAlgID, algorithm);
+    }
+
     protected boolean supportsRSA_PKCS1()
     {
         AlgorithmIdentifier pubKeyAlgID = keyInfo.getAlgorithm();
@@ -539,6 +582,15 @@ public void validateKeyUsage(int keyUsageBit)
         }
     }
 
+    protected void validateMLDSA(ASN1ObjectIdentifier algorithm)
+        throws IOException
+    {
+        if (!supportsMLDSA(algorithm))
+        {
+            throw new TlsFatalAlert(AlertDescription.certificate_unknown, "No support for ML-DSA signature scheme");
+        }
+    }
+
     protected void validateRSA_PKCS1()
         throws IOException
     {

tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCertificate.java

@@ -274,6 +274,10 @@ public Tls13Verifier createVerifier(int signatureScheme) throws IOException
         // TODO[RFC 8998]
 //        case SignatureScheme.sm2sig_sm3:
 
+        case SignatureScheme.DRAFT_mldsa44:
+        case SignatureScheme.DRAFT_mldsa65:
+        case SignatureScheme.DRAFT_mldsa87:
+
         default:
             throw new TlsFatalAlert(AlertDescription.internal_error);
         }

tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java

@@ -778,6 +778,10 @@ public boolean hasSignatureScheme(int signatureScheme)
         switch (signatureScheme)
         {
         case SignatureScheme.sm2sig_sm3:
+        // TODO[tls] Implement before adding
+        case SignatureScheme.DRAFT_mldsa44:
+        case SignatureScheme.DRAFT_mldsa65:
+        case SignatureScheme.DRAFT_mldsa87:
             return false;
         default:
         {

tls/src/main/jdk1.4/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCertificate.java

@@ -274,6 +274,10 @@ public Tls13Verifier createVerifier(int signatureScheme) throws IOException
         // TODO[RFC 8998]
 //        case SignatureScheme.sm2sig_sm3:
 
+        case SignatureScheme.DRAFT_mldsa44:
+        case SignatureScheme.DRAFT_mldsa65:
+        case SignatureScheme.DRAFT_mldsa87:
+
         default:
             throw new TlsFatalAlert(AlertDescription.internal_error);
         }