Skip to content

Commit 4ae2fd7

Browse files
Yu-Ma28051503Yu-Ma28051503
committed
fixed value check and comments
1 parent a932517 commit 4ae2fd7

File tree

7 files changed

+117
-92
lines changed

7 files changed

+117
-92
lines changed

README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -163,6 +163,8 @@ Following is a scenario creating Chimera (dual algorithms) certificates for PQC(
163163

164164
The following demonstrates how to create a root CA and use it to sign other certificates. This example uses ECC and ML-DSA. In this scenario there are three entities A, B, and C, where A is meant to function as a root CA.
165165

166+
Before running the commands below, ensure you have the `ml-dsa` option enabled in wolfSSL. This can be done by configuring wolfSSL with `--enable-dilithium`, `--enable-dual-alg-certs` and `--enable-experimental`.
167+
166168
The following steps demonstrate how to generate keys and certificates for A, B, and C, where A is self-signed and B and C are signed by A
167169

168170
1. Create private ECC and ML-DSA keys for A, B, and C

src/genkey/clu_genkey.c

Lines changed: 59 additions & 53 deletions
Original file line numberDiff line numberDiff line change
@@ -1043,18 +1043,11 @@ int wolfCLU_genKey_Dilithium(WC_RNG* rng, char* fName, int directive, int fmt,
10431043

10441044
XFILE file = NULL;
10451045
int fNameSz = 0;
1046-
int fExtSz = 6; // size of ".priv\0" or ".pub\0\0"
1046+
int fExtSz = 6; /* size of ".priv\0" or ".pub\0\0" */
10471047
char fExtPriv[6] = ".priv\0";
10481048
char fExtPub[6] = ".pub\0\0";
10491049
char* fOutNameBuf = NULL;
10501050

1051-
#ifdef NO_AES
1052-
/* use 16 bytes for AES block size */
1053-
size_t maxDerBufSz = 4 * keySz * 16;
1054-
#else
1055-
size_t maxDerBufSz = 4 * keySz * AES_BLOCK_SIZE;
1056-
#endif /* NO_AES */
1057-
10581051
byte* derBuf = NULL;
10591052
byte* pemBuf = NULL;
10601053
byte* outBuf = NULL;
@@ -1074,6 +1067,9 @@ int wolfCLU_genKey_Dilithium(WC_RNG* rng, char* fName, int directive, int fmt,
10741067
#endif
10751068

10761069
if (rng == NULL || fName == NULL) {
1070+
#ifdef WOLFSSL_SMALL_STACK
1071+
XFREE(key, HEAP_HINT, DYNAMIC_TYPE_DILITHIUM);
1072+
#endif
10771073
return BAD_FUNC_ARG;
10781074
}
10791075

@@ -1085,7 +1081,6 @@ int wolfCLU_genKey_Dilithium(WC_RNG* rng, char* fName, int directive, int fmt,
10851081
#endif
10861082
return ret;
10871083
}
1088-
XMEMSET(key, 0, sizeof(dilithium_key));
10891084

10901085
/* set the level of the dilithium key */
10911086
if (wc_dilithium_set_level(key, level) != 0) {
@@ -1118,7 +1113,7 @@ int wolfCLU_genKey_Dilithium(WC_RNG* rng, char* fName, int directive, int fmt,
11181113
XMEMSET(fOutNameBuf, 0, fNameSz + fExtSz);
11191114
XMEMCPY(fOutNameBuf, fName, fNameSz);
11201115

1121-
derBuf = (byte*)XMALLOC(maxDerBufSz, HEAP_HINT,
1116+
derBuf = (byte*)XMALLOC(keySz, HEAP_HINT,
11221117
DYNAMIC_TYPE_TMP_BUFFER);
11231118
if (derBuf == NULL) {
11241119
ret = MEMORY_E;
@@ -1137,12 +1132,14 @@ int wolfCLU_genKey_Dilithium(WC_RNG* rng, char* fName, int directive, int fmt,
11371132

11381133
/* Private key to der */
11391134
derBufSz = wc_Dilithium_PrivateKeyToDer(key,
1140-
derBuf, (word32)maxDerBufSz);
1135+
derBuf, (word32)keySz);
11411136
if (derBufSz < 0) {
11421137
ret = derBufSz;
11431138
}
1144-
outBuf = derBuf;
1145-
outBufSz = derBufSz;
1139+
else {
1140+
outBuf = derBuf;
1141+
outBufSz = derBufSz;
1142+
}
11461143

11471144
/* check if should convert to PEM format */
11481145
if (ret == WOLFCLU_SUCCESS && fmt == PEM_FORM) {
@@ -1151,8 +1148,10 @@ int wolfCLU_genKey_Dilithium(WC_RNG* rng, char* fName, int directive, int fmt,
11511148
if (pemBufSz <= 0 || pemBuf == NULL) {
11521149
ret = WOLFCLU_FAILURE;
11531150
}
1154-
outBuf = pemBuf;
1155-
outBufSz = pemBufSz;
1151+
else {
1152+
outBuf = pemBuf;
1153+
outBufSz = pemBufSz;
1154+
}
11561155
}
11571156

11581157
/* open file and write Private key */
@@ -1171,7 +1170,7 @@ int wolfCLU_genKey_Dilithium(WC_RNG* rng, char* fName, int directive, int fmt,
11711170
}
11721171
}
11731172

1174-
if (directive != PRIV_AND_PUB_FILES) {
1173+
if (ret != WOLFCLU_SUCCESS || directive != PRIV_AND_PUB_FILES) {
11751174
break;
11761175
}
11771176

@@ -1188,14 +1187,14 @@ int wolfCLU_genKey_Dilithium(WC_RNG* rng, char* fName, int directive, int fmt,
11881187
XMEMCPY(fOutNameBuf + fNameSz, fExtPub, fExtSz);
11891188
WOLFCLU_LOG(WOLFCLU_L0, "Public key file = %s", fOutNameBuf);
11901189

1191-
derBuf = (byte*)XMALLOC(maxDerBufSz, HEAP_HINT,
1190+
derBuf = (byte*)XMALLOC(keySz, HEAP_HINT,
11921191
DYNAMIC_TYPE_TMP_BUFFER);
11931192
if (derBuf == NULL) {
11941193
ret = MEMORY_E;
11951194
}
1196-
1195+
11971196
derBufSz = wc_Dilithium_PublicKeyToDer(key, derBuf,
1198-
(word32)maxDerBufSz, withAlg);
1197+
(word32)keySz, withAlg);
11991198
if (derBufSz < 0) {
12001199
ret = derBufSz;
12011200
}
@@ -1211,8 +1210,10 @@ int wolfCLU_genKey_Dilithium(WC_RNG* rng, char* fName, int directive, int fmt,
12111210
if (pemBufSz <= 0 || pemBuf == NULL) {
12121211
ret = WOLFCLU_FAILURE;
12131212
}
1214-
outBuf = pemBuf;
1215-
outBufSz = pemBufSz;
1213+
else {
1214+
outBuf = pemBuf;
1215+
outBufSz = pemBufSz;
1216+
}
12161217
}
12171218

12181219
/* open file and write Public key */
@@ -1242,7 +1243,7 @@ int wolfCLU_genKey_Dilithium(WC_RNG* rng, char* fName, int directive, int fmt,
12421243
XFCLOSE(file);
12431244

12441245
if (derBuf != NULL) {
1245-
wolfCLU_ForceZero(derBuf, (unsigned int)maxDerBufSz);
1246+
wolfCLU_ForceZero(derBuf, keySz);
12461247
XFREE(derBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
12471248
}
12481249

@@ -1275,25 +1276,18 @@ int wolfCLU_genKey_Dilithium(WC_RNG* rng, char* fName, int directive, int fmt,
12751276
}
12761277

12771278
int wolfCLU_genKey_ML_DSA(WC_RNG* rng, char* fName, int directive, int fmt,
1278-
int keySz, int level, int withAlg)
1279+
int keySz, int level, int withAlg)
12791280
{
12801281
#ifdef HAVE_DILITHIUM
12811282
int ret = WOLFCLU_SUCCESS;
12821283

12831284
XFILE file = NULL;
12841285
int fNameSz = 0;
1285-
int fExtSz = 6; // size of ".priv\0" or ".pub\0\0"
1286+
int fExtSz = 6; /* size of ".priv\0" or ".pub\0\0" */
12861287
char fExtPriv[6] = ".priv\0";
12871288
char fExtPub[6] = ".pub\0\0";
12881289
char* fOutNameBuf = NULL;
12891290

1290-
#ifdef NO_AES
1291-
/* use 16 bytes for AES block size */
1292-
size_t maxDerBufSz = 4 * keySz * 16;
1293-
#else
1294-
size_t maxDerBufSz = 4 * keySz * AES_BLOCK_SIZE;
1295-
#endif /* NO_AES */
1296-
12971291
byte* derBuf = NULL;
12981292
byte* pemBuf = NULL;
12991293
byte* outBuf = NULL;
@@ -1313,21 +1307,24 @@ int wolfCLU_genKey_ML_DSA(WC_RNG* rng, char* fName, int directive, int fmt,
13131307
#endif
13141308

13151309
if (rng == NULL || fName == NULL) {
1310+
#ifdef WOLFSSL_SMALL_STACK
1311+
XFREE(key, HEAP_HINT, DYNAMIC_TYPE_DILITHIUM);
1312+
#endif
13161313
return BAD_FUNC_ARG;
13171314
}
13181315

13191316
/* init the ML-DSA key */
13201317
if (wc_MlDsaKey_Init(key, NULL, 0) != 0) {
1321-
wolfCLU_LogError("Failed to initialize ML-DSA Key.\nRET: %d", ret);
1318+
wolfCLU_LogError("Failed to initialize ML-DSA Key");
13221319
#ifdef WOLFSSL_SMALL_STACK
13231320
XFREE(key, HEAP_HINT, DYNAMIC_TYPE_DILITHIUM);
13241321
#endif
1325-
return ret;
1322+
return WOLFCLU_FAILURE;
13261323
}
1327-
XMEMSET(key, 0, sizeof(MlDsaKey));
13281324

13291325
/* set the level of the ML-DSA key */
13301326
if (wc_MlDsaKey_SetParams(key, level) != 0) {
1327+
wolfCLU_LogError("Failed to set ML-DSA Key parameters");
13311328
wc_MlDsaKey_Free(key);
13321329
#ifdef WOLFSSL_SMALL_STACK
13331330
XFREE(key, HEAP_HINT, DYNAMIC_TYPE_DILITHIUM);
@@ -1337,6 +1334,7 @@ int wolfCLU_genKey_ML_DSA(WC_RNG* rng, char* fName, int directive, int fmt,
13371334

13381335
/* make the ML-DSA key */
13391336
if (wc_MlDsaKey_MakeKey(key, rng) != 0) {
1337+
wolfCLU_LogError("Failed to make ML-DSA Key");
13401338
wc_MlDsaKey_Free(key);
13411339
#ifdef WOLFSSL_SMALL_STACK
13421340
XFREE(key, HEAP_HINT, DYNAMIC_TYPE_DILITHIUM);
@@ -1358,7 +1356,7 @@ int wolfCLU_genKey_ML_DSA(WC_RNG* rng, char* fName, int directive, int fmt,
13581356
XMEMSET(fOutNameBuf, 0, fNameSz + fExtSz);
13591357
XMEMCPY(fOutNameBuf, fName, fNameSz);
13601358

1361-
derBuf = (byte*)XMALLOC(maxDerBufSz, HEAP_HINT,
1359+
derBuf = (byte*)XMALLOC(keySz, HEAP_HINT,
13621360
DYNAMIC_TYPE_TMP_BUFFER);
13631361
if (derBuf == NULL) {
13641362
ret = MEMORY_E;
@@ -1377,12 +1375,14 @@ int wolfCLU_genKey_ML_DSA(WC_RNG* rng, char* fName, int directive, int fmt,
13771375

13781376
/* Private key to der */
13791377
derBufSz = wc_MlDsaKey_PrivateKeyToDer(key,
1380-
derBuf, (word32)maxDerBufSz);
1378+
derBuf, (word32)keySz);
13811379
if (derBufSz < 0) {
13821380
ret = derBufSz;
13831381
}
1384-
outBuf = derBuf;
1385-
outBufSz = derBufSz;
1382+
else {
1383+
outBuf = derBuf;
1384+
outBufSz = derBufSz;
1385+
}
13861386

13871387
/* check if should convert to PEM format */
13881388
if (ret == WOLFCLU_SUCCESS && fmt == PEM_FORM) {
@@ -1391,8 +1391,10 @@ int wolfCLU_genKey_ML_DSA(WC_RNG* rng, char* fName, int directive, int fmt,
13911391
if (pemBufSz <= 0 || pemBuf == NULL) {
13921392
ret = WOLFCLU_FAILURE;
13931393
}
1394-
outBuf = pemBuf;
1395-
outBufSz = pemBufSz;
1394+
else {
1395+
outBuf = pemBuf;
1396+
outBufSz = pemBufSz;
1397+
}
13961398
}
13971399

13981400
/* open file and write Private key */
@@ -1411,7 +1413,7 @@ int wolfCLU_genKey_ML_DSA(WC_RNG* rng, char* fName, int directive, int fmt,
14111413
}
14121414
}
14131415

1414-
if (directive != PRIV_AND_PUB_FILES) {
1416+
if (ret != WOLFCLU_SUCCESS || directive != PRIV_AND_PUB_FILES) {
14151417
break;
14161418
}
14171419

@@ -1428,20 +1430,22 @@ int wolfCLU_genKey_ML_DSA(WC_RNG* rng, char* fName, int directive, int fmt,
14281430
XMEMCPY(fOutNameBuf + fNameSz, fExtPub, fExtSz);
14291431
WOLFCLU_LOG(WOLFCLU_L0, "Public key file = %s", fOutNameBuf);
14301432

1431-
derBuf = (byte*)XMALLOC(maxDerBufSz, HEAP_HINT,
1433+
derBuf = (byte*)XMALLOC(keySz, HEAP_HINT,
14321434
DYNAMIC_TYPE_TMP_BUFFER);
14331435
if (derBuf == NULL) {
14341436
ret = MEMORY_E;
14351437
}
14361438

1437-
derBufSz = wc_MlDsaKey_PublicKeyToDer(key, derBuf,
1438-
(word32)maxDerBufSz, withAlg);
1439-
if (derBufSz < 0) {
1440-
ret = derBufSz;
1441-
}
1442-
else {
1443-
outBuf = derBuf;
1444-
outBufSz = derBufSz;
1439+
if (ret == WOLFCLU_SUCCESS) {
1440+
derBufSz = wc_MlDsaKey_PublicKeyToDer(key, derBuf,
1441+
(word32)keySz, withAlg);
1442+
if (derBufSz < 0) {
1443+
ret = derBufSz;
1444+
}
1445+
else {
1446+
outBuf = derBuf;
1447+
outBufSz = derBufSz;
1448+
}
14451449
}
14461450

14471451
/* check if should convert to PEM format */
@@ -1451,8 +1455,10 @@ int wolfCLU_genKey_ML_DSA(WC_RNG* rng, char* fName, int directive, int fmt,
14511455
if (pemBufSz <= 0 || pemBuf == NULL) {
14521456
ret = WOLFCLU_FAILURE;
14531457
}
1454-
outBuf = pemBuf;
1455-
outBufSz = pemBufSz;
1458+
else {
1459+
outBuf = pemBuf;
1460+
outBufSz = pemBufSz;
1461+
}
14561462
}
14571463

14581464
/* open file and write Public key */
@@ -1483,7 +1489,7 @@ int wolfCLU_genKey_ML_DSA(WC_RNG* rng, char* fName, int directive, int fmt,
14831489
}
14841490

14851491
if (derBuf != NULL) {
1486-
wolfCLU_ForceZero(derBuf, (unsigned int)maxDerBufSz);
1492+
wolfCLU_ForceZero(derBuf, keySz);
14871493
XFREE(derBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14881494
}
14891495

src/genkey/clu_genkey_setup.c

Lines changed: 10 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -339,18 +339,17 @@ int wolfCLU_genKeySetup(int argc, char** argv)
339339
#else
340340
wolfCLU_LogError("Invalid option, Dithium not enabled.");
341341
WOLFCLU_LOG(WOLFCLU_L0, "Please re-configure wolfSSL with "
342-
"--enable-dilithium, --enable-experimental and try again");
342+
"--enable-dilithium and try again");
343343
wc_FreeRng(&rng);
344344
return NOT_COMPILED_IN;
345345
#endif /* HAVE_DILITHIUM */
346346
}
347347
else if (XSTRNCMP(keyType, "ml-dsa", 6) == 0) {
348348
#if defined(HAVE_DILITHIUM) && defined(WOLFSSL_KEY_GEN)
349349
int directiveArg = PRIV_AND_PUB_FILES;
350-
int keySz = DILITHIUM_ML_DSA_44_PRV_KEY_SIZE;
350+
int keySz = ML_DSA_LEVEL2_BOTH_KEY_DER_SIZE;
351351
int level = WC_ML_DSA_44;
352352
int withAlg = DILITHIUM_LEVEL2k;
353-
const char* levelStr;
354353

355354
WOLFCLU_LOG(WOLFCLU_L0, "Generate ML-DSA Key");
356355

@@ -360,16 +359,16 @@ int wolfCLU_genKeySetup(int argc, char** argv)
360359
level = XATOI(argv[ret+1]);
361360
switch (level) {
362361
case WC_ML_DSA_44:
363-
keySz = DILITHIUM_ML_DSA_44_PRV_KEY_SIZE;
364-
withAlg = ML_DSA_LEVEL2k;
362+
keySz = ML_DSA_LEVEL2_BOTH_KEY_DER_SIZE;
363+
withAlg = ML_DSA_LEVEL2k;
365364
break;
366365
case WC_ML_DSA_65:
367-
keySz = DILITHIUM_ML_DSA_65_PRV_KEY_SIZE;
368-
withAlg = ML_DSA_LEVEL3k;
366+
keySz = ML_DSA_LEVEL3_BOTH_KEY_DER_SIZE;
367+
withAlg = ML_DSA_LEVEL3k;
369368
break;
370369
case WC_ML_DSA_87:
371-
keySz = DILITHIUM_ML_DSA_87_PRV_KEY_SIZE;
372-
withAlg = ML_DSA_LEVEL5k;
370+
keySz = ML_DSA_LEVEL5_BOTH_KEY_DER_SIZE;
371+
withAlg = ML_DSA_LEVEL5k;
373372
break;
374373
default:
375374
WOLFCLU_LOG(WOLFCLU_L0, "Invalid -level (%s), using level%d",
@@ -400,16 +399,12 @@ int wolfCLU_genKeySetup(int argc, char** argv)
400399
WOLFCLU_LOG(WOLFCLU_L0, "DEFAULT: output public and private key pair");
401400
}
402401

403-
levelStr = (level == WC_ML_DSA_44) ? "44" :
404-
(level == WC_ML_DSA_65) ? "65" :
405-
(level == WC_ML_DSA_87) ? "87" : "Unknown";
406-
WOLFCLU_LOG(WOLFCLU_L0, "using ML-DSA-%s", levelStr);
407402
ret = wolfCLU_genKey_ML_DSA(&rng, keyOutFName, directiveArg,
408-
formatArg, keySz, level, withAlg);
403+
formatArg, keySz, level, withAlg);
409404
#else
410405
wolfCLU_LogError("Invalid option, ML-DSA not enabled.");
411406
WOLFCLU_LOG(WOLFCLU_L0, "Please re-configure wolfSSL with "
412-
"--enable-dilithium, --enable-experimental and try again");
407+
"--enable-dilithium and try again");
413408
wc_FreeRng(&rng);
414409
return NOT_COMPILED_IN;
415410
#endif /* HAVE_DILITHIUM */

src/x509/clu_ca_setup.c

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -149,8 +149,8 @@ int wolfCLU_CASetup(int argc, char** argv)
149149
case WOLFCLU_ALTPUB:
150150
altKeyPub = wolfSSL_BIO_new_file(optarg, "rb");
151151
if (altKeyPub == NULL) {
152-
wolfCLU_LogError("Unable to open alternate public key file \
153-
%s", optarg);
152+
wolfCLU_LogError("Unable to open \
153+
alternate public key file %s", optarg);
154154
ret = WOLFCLU_FATAL_ERROR;
155155
}
156156
break;
@@ -166,6 +166,11 @@ int wolfCLU_CASetup(int argc, char** argv)
166166
ca = wolfSSL_X509_load_certificate_file(optarg,
167167
WOLFSSL_FILETYPE_ASN1);
168168
}
169+
170+
if (ca == NULL) {
171+
wolfCLU_LogError("Unable to open CA file %s", optarg);
172+
ret = WOLFCLU_FATAL_ERROR;
173+
}
169174
break;
170175

171176
case WOLFCLU_MD:
@@ -277,7 +282,7 @@ int wolfCLU_CASetup(int argc, char** argv)
277282
wolfCLU_GetTypeFromPKEY(pkey));
278283
}
279284
else if (altSign) {
280-
wolfCLU_GenChimeraCertSign(keyIn, altKey, altKeyPub, subjKey, ca,
285+
ret = wolfCLU_GenChimeraCertSign(keyIn, altKey, altKeyPub, subjKey, ca,
281286
wolfSSL_X509_NAME_oneline(wolfSSL_X509_get_subject_name(x509), 0, 0),
282287
out, outForm);
283288
}

0 commit comments

Comments
 (0)