Merge pull request #5 from disentangle-network/feature/pq-certificates

Post-quantum certificate support (ML-DSA-87 + ML-KEM-1024)

Author: disentangle-network

cert/cert_v1.pb.go

@@ -8,6 +8,8 @@ option go_package = "github.com/slackhq/nebula/cert";
 enum Curve {
   CURVE25519 = 0;
   P256 = 1;
+  // Post-Quantum: ML-DSA-87 (signing) + ML-KEM-1024 (key agreement)
+  PQ = 2;
 }
 
 message RawNebulaCertificate {

cert/cert_v1.proto

@@ -15,6 +15,8 @@ import (
 	"slices"
 	"time"
 
+	"github.com/cloudflare/circl/kem/mlkem/mlkem1024"
+	"github.com/cloudflare/circl/sign/mldsa/mldsa87"
 	"golang.org/x/crypto/cryptobyte"
 	"golang.org/x/crypto/cryptobyte/asn1"
 	"golang.org/x/crypto/curve25519"
@@ -159,6 +161,16 @@ func (c *certificateV2) CheckSignature(key []byte) bool {
 		}
 		hashed := sha256.Sum256(b)
 		return ecdsa.VerifyASN1(pubKey, hashed[:], c.signature)
+	case Curve_PQ:
+		// ML-DSA-87 (FIPS 204) verification
+		if len(key) != mldsa87.PublicKeySize {
+			return false
+		}
+		var pk mldsa87.PublicKey
+		var pkBuf [mldsa87.PublicKeySize]byte
+		copy(pkBuf[:], key)
+		pk.Unpack(&pkBuf)
+		return mldsa87.Verify(&pk, b, nil, c.signature)
 	default:
 		return false
 	}
@@ -192,6 +204,19 @@ func (c *certificateV2) VerifyPrivateKey(curve Curve, key []byte) error {
 			if !bytes.Equal(pub, c.publicKey) {
 				return ErrPublicPrivateKeyMismatch
 			}
+		case Curve_PQ:
+			// CA certs use ML-DSA-87 signing keys
+			if len(key) != mldsa87.PrivateKeySize {
+				return ErrInvalidPrivateKey
+			}
+			var sk mldsa87.PrivateKey
+			var skBuf [mldsa87.PrivateKeySize]byte
+			copy(skBuf[:], key)
+			sk.Unpack(&skBuf)
+			derivedPub := sk.Public().(*mldsa87.PublicKey).Bytes()
+			if !bytes.Equal(derivedPub, c.publicKey) {
+				return ErrPublicPrivateKeyMismatch
+			}
 		default:
 			return fmt.Errorf("invalid curve: %s", curve)
 		}
@@ -212,6 +237,19 @@ func (c *certificateV2) VerifyPrivateKey(curve Curve, key []byte) error {
 			return ErrInvalidPrivateKey
 		}
 		pub = privkey.PublicKey().Bytes()
+	case Curve_PQ:
+		// Host certs use ML-KEM-1024 key agreement keys
+		if len(key) != mlkem1024.PrivateKeySize {
+			return ErrInvalidPrivateKey
+		}
+		_, sk := mlkem1024.NewKeyFromSeed(key[:mlkem1024.KeySeedSize])
+		pub, _ = sk.MarshalBinary()
+		// Compare only the public key portion
+		derivedPub := pub[:mlkem1024.PublicKeySize]
+		if !bytes.Equal(derivedPub, c.publicKey) {
+			return ErrPublicPrivateKeyMismatch
+		}
+		return nil
 	default:
 		return fmt.Errorf("invalid curve: %s", curve)
 	}

cert/cert_v2.go

@@ -185,6 +185,8 @@ func EncryptAndMarshalSigningPrivateKey(curve Curve, b []byte, passphrase []byte
 		return pem.EncodeToMemory(&pem.Block{Type: EncryptedEd25519PrivateKeyBanner, Bytes: b}), nil
 	case Curve_P256:
 		return pem.EncodeToMemory(&pem.Block{Type: EncryptedECDSAP256PrivateKeyBanner, Bytes: b}), nil
+	case Curve_PQ:
+		return pem.EncodeToMemory(&pem.Block{Type: EncryptedMLDSA87PrivateKeyBanner, Bytes: b}), nil
 	default:
 		return nil, fmt.Errorf("invalid curve: %v", curve)
 	}
@@ -265,8 +267,10 @@ func DecryptAndUnmarshalSigningPrivateKey(passphrase, b []byte) (Curve, []byte,
 		curve = Curve_CURVE25519
 	case EncryptedECDSAP256PrivateKeyBanner:
 		curve = Curve_P256
+	case EncryptedMLDSA87PrivateKeyBanner:
+		curve = Curve_PQ
 	default:
-		return curve, nil, r, fmt.Errorf("bytes did not contain a proper nebula encrypted Ed25519/ECDSA private key banner")
+		return curve, nil, r, fmt.Errorf("bytes did not contain a proper nebula encrypted Ed25519/ECDSA/MLDSA87 private key banner")
 	}
 
 	ned, err := UnmarshalNebulaEncryptedData(k.Bytes)

cert/crypto.go

@@ -75,7 +75,7 @@ qrlJ69wer3ZUHFXA
 
 	// Fail due to invalid banner
 	curve, k, rest, err = DecryptAndUnmarshalSigningPrivateKey(passphrase, rest)
-	require.EqualError(t, err, "bytes did not contain a proper nebula encrypted Ed25519/ECDSA private key banner")
+	require.EqualError(t, err, "bytes did not contain a proper nebula encrypted Ed25519/ECDSA/MLDSA87 private key banner")
 	assert.Nil(t, k)
 	assert.Equal(t, rest, invalidPem)
 

cert/crypto_test.go

@@ -9,6 +9,8 @@ import (
 	"net/netip"
 	"time"
 
+	"github.com/cloudflare/circl/kem/mlkem/mlkem1024"
+	"github.com/cloudflare/circl/sign/mldsa/mldsa87"
 	"golang.org/x/crypto/curve25519"
 	"golang.org/x/crypto/ed25519"
 )
@@ -29,6 +31,14 @@ func NewTestCaCert(version Version, curve Curve, before, after time.Time, networ
 
 		pub = elliptic.Marshal(elliptic.P256(), privk.PublicKey.X, privk.PublicKey.Y)
 		priv = privk.D.FillBytes(make([]byte, 32))
+	case Curve_PQ:
+		// CA certs use ML-DSA-87 signing keys
+		pk, sk, err := mldsa87.GenerateKey(rand.Reader)
+		if err != nil {
+			panic(err)
+		}
+		pub = pk.Bytes()
+		priv = sk.Bytes()
 	default:
 		// There is no default to allow the underlying lib to respond with an error
 	}
@@ -87,6 +97,8 @@ func NewTestCert(v Version, curve Curve, ca Certificate, key []byte, name string
 		pub, priv = X25519Keypair()
 	case Curve_P256:
 		pub, priv = P256Keypair()
+	case Curve_PQ:
+		pub, priv = MLKEM1024Keypair()
 	default:
 		panic("unknown curve")
 	}
@@ -139,3 +151,15 @@ func P256Keypair() ([]byte, []byte) {
 	pubkey := privkey.PublicKey()
 	return pubkey.Bytes(), privkey.Bytes()
 }
+
+// MLKEM1024Keypair generates an ML-KEM-1024 key pair for PQ host certificates.
+// Returns (publicKey, privateKey) as raw byte slices.
+func MLKEM1024Keypair() ([]byte, []byte) {
+	pk, sk, err := mlkem1024.GenerateKeyPair(rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+	pubBytes, _ := pk.MarshalBinary()
+	privBytes, _ := sk.MarshalBinary()
+	return pubBytes, privBytes
+}

cert/helper_test.go

@@ -4,6 +4,8 @@ import (
 	"encoding/pem"
 	"fmt"
 
+	"github.com/cloudflare/circl/kem/mlkem/mlkem1024"
+	"github.com/cloudflare/circl/sign/mldsa/mldsa87"
 	"golang.org/x/crypto/ed25519"
 )
 
@@ -13,20 +15,25 @@ const ( //cert banners
 )
 
 const ( //key-agreement-key banners
-	X25519PrivateKeyBanner = "NEBULA X25519 PRIVATE KEY"
-	X25519PublicKeyBanner  = "NEBULA X25519 PUBLIC KEY"
-	P256PrivateKeyBanner   = "NEBULA P256 PRIVATE KEY"
-	P256PublicKeyBanner    = "NEBULA P256 PUBLIC KEY"
+	X25519PrivateKeyBanner  = "NEBULA X25519 PRIVATE KEY"
+	X25519PublicKeyBanner   = "NEBULA X25519 PUBLIC KEY"
+	P256PrivateKeyBanner    = "NEBULA P256 PRIVATE KEY"
+	P256PublicKeyBanner     = "NEBULA P256 PUBLIC KEY"
+	MLKEM1024PrivateKeyBanner = "NEBULA MLKEM1024 PRIVATE KEY"
+	MLKEM1024PublicKeyBanner  = "NEBULA MLKEM1024 PUBLIC KEY"
 )
 
 /* including "ECDSA" in the P256 banners is a clue that these keys should be used only for signing */
 const ( //signing key banners
-	EncryptedECDSAP256PrivateKeyBanner = "NEBULA ECDSA P256 ENCRYPTED PRIVATE KEY"
-	ECDSAP256PrivateKeyBanner          = "NEBULA ECDSA P256 PRIVATE KEY"
-	ECDSAP256PublicKeyBanner           = "NEBULA ECDSA P256 PUBLIC KEY"
-	EncryptedEd25519PrivateKeyBanner   = "NEBULA ED25519 ENCRYPTED PRIVATE KEY"
-	Ed25519PrivateKeyBanner            = "NEBULA ED25519 PRIVATE KEY"
-	Ed25519PublicKeyBanner             = "NEBULA ED25519 PUBLIC KEY"
+	EncryptedECDSAP256PrivateKeyBanner   = "NEBULA ECDSA P256 ENCRYPTED PRIVATE KEY"
+	ECDSAP256PrivateKeyBanner            = "NEBULA ECDSA P256 PRIVATE KEY"
+	ECDSAP256PublicKeyBanner             = "NEBULA ECDSA P256 PUBLIC KEY"
+	EncryptedEd25519PrivateKeyBanner     = "NEBULA ED25519 ENCRYPTED PRIVATE KEY"
+	Ed25519PrivateKeyBanner              = "NEBULA ED25519 PRIVATE KEY"
+	Ed25519PublicKeyBanner               = "NEBULA ED25519 PUBLIC KEY"
+	EncryptedMLDSA87PrivateKeyBanner     = "NEBULA MLDSA87 ENCRYPTED PRIVATE KEY"
+	MLDSA87PrivateKeyBanner              = "NEBULA MLDSA87 PRIVATE KEY"
+	MLDSA87PublicKeyBanner               = "NEBULA MLDSA87 PUBLIC KEY"
 )
 
 // UnmarshalCertificateFromPEM will try to unmarshal the first pem block in a byte array, returning any non consumed
@@ -74,6 +81,8 @@ func MarshalPublicKeyToPEM(curve Curve, b []byte) []byte {
 		return pem.EncodeToMemory(&pem.Block{Type: X25519PublicKeyBanner, Bytes: b})
 	case Curve_P256:
 		return pem.EncodeToMemory(&pem.Block{Type: P256PublicKeyBanner, Bytes: b})
+	case Curve_PQ:
+		return pem.EncodeToMemory(&pem.Block{Type: MLKEM1024PublicKeyBanner, Bytes: b})
 	default:
 		return nil
 	}
@@ -87,6 +96,8 @@ func MarshalSigningPublicKeyToPEM(curve Curve, b []byte) []byte {
 		return pem.EncodeToMemory(&pem.Block{Type: Ed25519PublicKeyBanner, Bytes: b})
 	case Curve_P256:
 		return pem.EncodeToMemory(&pem.Block{Type: ECDSAP256PublicKeyBanner, Bytes: b})
+	case Curve_PQ:
+		return pem.EncodeToMemory(&pem.Block{Type: MLDSA87PublicKeyBanner, Bytes: b})
 	default:
 		return nil
 	}
@@ -107,6 +118,12 @@ func UnmarshalPublicKeyFromPEM(b []byte) ([]byte, []byte, Curve, error) {
 		// Uncompressed
 		expectedLen = 65
 		curve = Curve_P256
+	case MLKEM1024PublicKeyBanner:
+		expectedLen = mlkem1024.PublicKeySize
+		curve = Curve_PQ
+	case MLDSA87PublicKeyBanner:
+		expectedLen = mldsa87.PublicKeySize
+		curve = Curve_PQ
 	default:
 		return nil, r, 0, fmt.Errorf("bytes did not contain a proper public key banner")
 	}
@@ -122,6 +139,8 @@ func MarshalPrivateKeyToPEM(curve Curve, b []byte) []byte {
 		return pem.EncodeToMemory(&pem.Block{Type: X25519PrivateKeyBanner, Bytes: b})
 	case Curve_P256:
 		return pem.EncodeToMemory(&pem.Block{Type: P256PrivateKeyBanner, Bytes: b})
+	case Curve_PQ:
+		return pem.EncodeToMemory(&pem.Block{Type: MLKEM1024PrivateKeyBanner, Bytes: b})
 	default:
 		return nil
 	}
@@ -133,6 +152,8 @@ func MarshalSigningPrivateKeyToPEM(curve Curve, b []byte) []byte {
 		return pem.EncodeToMemory(&pem.Block{Type: Ed25519PrivateKeyBanner, Bytes: b})
 	case Curve_P256:
 		return pem.EncodeToMemory(&pem.Block{Type: ECDSAP256PrivateKeyBanner, Bytes: b})
+	case Curve_PQ:
+		return pem.EncodeToMemory(&pem.Block{Type: MLDSA87PrivateKeyBanner, Bytes: b})
 	default:
 		return nil
 	}
@@ -154,6 +175,9 @@ func UnmarshalPrivateKeyFromPEM(b []byte) ([]byte, []byte, Curve, error) {
 	case P256PrivateKeyBanner:
 		expectedLen = 32
 		curve = Curve_P256
+	case MLKEM1024PrivateKeyBanner:
+		expectedLen = mlkem1024.PrivateKeySize
+		curve = Curve_PQ
 	default:
 		return nil, r, 0, fmt.Errorf("bytes did not contain a proper private key banner")
 	}
@@ -184,8 +208,15 @@ func UnmarshalSigningPrivateKeyFromPEM(b []byte) ([]byte, []byte, Curve, error)
 		if len(k.Bytes) != 32 {
 			return nil, r, 0, fmt.Errorf("key was not 32 bytes, is invalid ECDSA P256 private key")
 		}
+	case EncryptedMLDSA87PrivateKeyBanner:
+		return nil, nil, Curve_PQ, ErrPrivateKeyEncrypted
+	case MLDSA87PrivateKeyBanner:
+		curve = Curve_PQ
+		if len(k.Bytes) != mldsa87.PrivateKeySize {
+			return nil, r, 0, fmt.Errorf("key was not %d bytes, is invalid ML-DSA-87 private key", mldsa87.PrivateKeySize)
+		}
 	default:
-		return nil, r, 0, fmt.Errorf("bytes did not contain a proper Ed25519/ECDSA private key banner")
+		return nil, r, 0, fmt.Errorf("bytes did not contain a proper Ed25519/ECDSA/MLDSA87 private key banner")
 	}
 	return k.Bytes, r, curve, nil
 }

cert/pem.go

@@ -104,7 +104,7 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 	k, rest, curve, err = UnmarshalSigningPrivateKeyFromPEM(rest)
 	assert.Nil(t, k)
 	assert.Equal(t, rest, invalidPem)
-	require.EqualError(t, err, "bytes did not contain a proper Ed25519/ECDSA private key banner")
+	require.EqualError(t, err, "bytes did not contain a proper Ed25519/ECDSA/MLDSA87 private key banner")
 
 	// Fail due to invalid PEM format, because
 	// it's missing the requisite pre-encapsulation boundary.

cert/pem_test.go

@@ -10,6 +10,7 @@ import (
 	"net/netip"
 	"time"
 
+	"github.com/cloudflare/circl/sign/mldsa/mldsa87"
 	"github.com/slackhq/nebula/cert/p256"
 )
 
@@ -67,6 +68,24 @@ func (t *TBSCertificate) Sign(signer Certificate, curve Curve, key []byte) (Cert
 			return ecdsa.SignASN1(rand.Reader, pk, hashed[:])
 		}
 		return t.SignWith(signer, curve, sp)
+	case Curve_PQ:
+		// ML-DSA-87 (FIPS 204) signing via cloudflare/circl
+		if len(key) != mldsa87.PrivateKeySize {
+			return nil, fmt.Errorf("invalid ML-DSA-87 private key size: got %d, want %d", len(key), mldsa87.PrivateKeySize)
+		}
+		var sk mldsa87.PrivateKey
+		var skBuf [mldsa87.PrivateKeySize]byte
+		copy(skBuf[:], key)
+		sk.Unpack(&skBuf)
+		sp := func(certBytes []byte) ([]byte, error) {
+			sig := make([]byte, mldsa87.SignatureSize)
+			err := mldsa87.SignTo(&sk, certBytes, nil, false, sig)
+			if err != nil {
+				return nil, fmt.Errorf("ML-DSA-87 signing failed: %w", err)
+			}
+			return sig, nil
+		}
+		return t.SignWith(signer, curve, sp)
 	default:
 		return nil, fmt.Errorf("invalid curve: %s", t.Curve)
 	}