Refactor key matching to support ML-DSA

The function for matching a private key with its corresponding certificate has
been refactored to be more generic. Instead of separate, hardcoded logic for
each key type (RSA, EC), a general loop now compares the relevant attributes.

This change was made to add support for matching ML-DSA keys. For ML-DSA, the
public key is represented by the CKA_VALUE attribute, which is now correctly
extracted from the certificate and compared against the public key object.

Signed-off-by: Simo Sorce <simo@redhat.com>

Author: simo5

src/obj/export.c

@@ -90,6 +90,18 @@ CK_RV get_attrs_from_cert(P11PROV_OBJ *crt, CK_ATTRIBUTE *attrs, int num)
                 break;
             }
         }
+    } else if (EVP_PKEY_is_a(pkey, MLDSA_44) || EVP_PKEY_is_a(pkey, MLDSA_65)
+               || EVP_PKEY_is_a(pkey, MLDSA_87)) {
+        for (int i = 0; i < num; i++) {
+            switch (attrs[i].type) {
+            case CKA_VALUE:
+                types[attrnum] = CKA_VALUE;
+                params[attrnum] = OSSL_PARAM_construct_octet_string(
+                    OSSL_PKEY_PARAM_PUB_KEY, NULL, 0);
+                attrnum++;
+                break;
+            }
+        }
     } else {
         rv = CKR_OBJECT_HANDLE_INVALID;
         goto done;

src/obj/keymgmt.c

@@ -623,6 +623,14 @@ static int match_key_with_cert(P11PROV_OBJ *priv_key, P11PROV_OBJ *pub_key)
         attrs[0].type = CKA_P11PROV_PUB_KEY;
         num = 1;
         break;
+    case CKK_ML_DSA:
+        attrs[0].type = CKA_VALUE;
+        num = 1;
+        break;
+    default:
+        P11PROV_raise(priv_key->ctx, CKR_GENERAL_ERROR,
+                      "Unknown public key type");
+        return RET_OSSL_ERR;
     }
 
     ret = get_attrs_from_cert(cert, attrs, num);
@@ -633,37 +641,17 @@ static int match_key_with_cert(P11PROV_OBJ *priv_key, P11PROV_OBJ *pub_key)
         goto done;
     }
 
-    switch (pub_key->data.key.type) {
-    case CKK_RSA:
-        x = p11prov_obj_get_attr(pub_key, CKA_MODULUS);
-        if (!x || x->ulValueLen != attrs[0].ulValueLen
-            || memcmp(x->pValue, attrs[0].pValue, x->ulValueLen) != 0) {
-            ret = RET_OSSL_ERR;
-            goto done;
-        }
-
-        x = p11prov_obj_get_attr(pub_key, CKA_PUBLIC_EXPONENT);
-        if (!x || x->ulValueLen != attrs[1].ulValueLen
-            || memcmp(x->pValue, attrs[1].pValue, x->ulValueLen) != 0) {
-            ret = RET_OSSL_ERR;
-            goto done;
-        }
-
-        ret = RET_OSSL_OK;
-        break;
-    case CKK_EC:
-    case CKK_EC_EDWARDS:
-        x = p11prov_obj_get_attr(pub_key, CKA_P11PROV_PUB_KEY);
-        if (!x || x->ulValueLen != attrs[0].ulValueLen
-            || memcmp(x->pValue, attrs[0].pValue, x->ulValueLen) != 0) {
+    for (int i = 0; i < num; i++) {
+        x = p11prov_obj_get_attr(pub_key, attrs[i].type);
+        if (!x || x->ulValueLen != attrs[i].ulValueLen
+            || memcmp(x->pValue, attrs[i].pValue, x->ulValueLen) != 0) {
             ret = RET_OSSL_ERR;
             goto done;
         }
-
-        ret = RET_OSSL_OK;
-        break;
     }
 
+    ret = RET_OSSL_OK;
+
 done:
     for (int i = 0; i < num; i++) {
         OPENSSL_free(attrs[i].pValue);