EVP_PKEY refactoring for keygen/sign/verify; Start of ML-DSA impl #689

Open
wants to merge 5 commits into
base: main

Contributor

@justsmth justsmth commented Feb 6, 2025

Description of changes:

  • Consolidates various places we call EVP_PKEY_keygen
  • Consolidates various places we call EVP_DigestSign and EVP_DigestVerify.
  • Start of implementation for ML-DSA

Call-outs:

  • RSA key generation will now use EVP_PKEY_keygen. When the "fips" feature is enabled, the FIPS-approved key generation mechanism will be used for all RSA keys.

Testing:

  • RSA "fips" tests had slight modification due to change mentioned above.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@justsmth justsmth requested a review from a team as a code owner February 6, 2025 22:10

codecov-commenter commented Feb 6, 2025

Codecov Report

Attention: Patch coverage is 87.90036% with 34 lines in your changes missing coverage. Please review.

Project coverage is 92.96%. Comparing base (c358484) to head (b083095).
Report is 167 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| aws-lc-rs/src/evp_pkey.rs | 91.17% | 8 Missing and 7 partials ⚠️ |
| aws-lc-rs/src/ed25519.rs | 33.33% | 4 Missing and 2 partials ⚠️ |
| aws-lc-rs/src/rsa/key.rs | 75.00% | 2 Missing and 2 partials ⚠️ |
| aws-lc-rs/src/ec/key_pair.rs | 71.42% | 0 Missing and 2 partials ⚠️ |
| aws-lc-rs/src/rsa/encryption.rs | 0.00% | 1 Missing and 1 partial ⚠️ |
| aws-lc-rs/src/ec.rs | 83.33% | 1 Missing ⚠️ |
| aws-lc-rs/src/ec/signature.rs | 50.00% | 0 Missing and 1 partial ⚠️ |
| aws-lc-rs/src/kem.rs | 83.33% | 1 Missing ⚠️ |
| aws-lc-rs/src/pq.rs | 98.24% | 1 Missing ⚠️ |
| aws-lc-rs/src/rsa/signature.rs | 80.00% | 0 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #689      +/-   ##
==========================================
- Coverage   95.80%   92.96%   -2.84%     
==========================================
  Files          61       70       +9     
  Lines        8143     9508    +1365     
  Branches        0     9508    +9508     
==========================================
+ Hits         7801     8839    +1038     
- Misses        342      403      +61     
- Partials        0      266     +266     


Comment on lines +276 to +283
1312 => Self::new(unsafe {
EVP_PKEY_pqdsa_new_raw_public_key(NID_MLDSA44, bytes.as_ptr(), bytes.len())
}),
1952 => Self::new(unsafe {
EVP_PKEY_pqdsa_new_raw_public_key(NID_MLDSA65, bytes.as_ptr(), bytes.len())
}),
2592 => Self::new(unsafe {
EVP_PKEY_pqdsa_new_raw_public_key(NID_MLDSA87, bytes.as_ptr(), bytes.len())
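
Review bot: the literal lengths 1312, 1952 and 2592 in the three match arms should be named constants, one per parameter set, so that each length and the NID it selects (NID_MLDSA44, NID_MLDSA65, NID_MLDSA87) are defined together and cannot drift apart. The fall-through arm is not visible in the quoted lines; because the parameter set is inferred from the input length alone, it should return an error for any other length rather than default to one of the three NIDs.
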
Contributor

Not for this PR, but should we consider exposing the Byte lengths for ML-DSA in AWS-LC? Seems like these are useful values for downstream consumers (like us) to depend on. Same for the private key lengths used above.

Contributor Author

Yeah, I could make that available from the API in the next PR. I have that information set up internally; I'll need to think about how to expose it.

&self,
message: &[u8],
digest: Option<&'static digest::Algorithm>,
padding_fn: Option<F>,
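
Review bot: `padding_fn: Option<F>` forces a caller that passes `None` to name a concrete `F` (for example with a turbofish), because nothing else in the quoted signature fixes the type parameter; document that on the method or provide a wrapper without the parameter for the no-padding case. The doc comment should also say what `digest: None` means, since a caller cannot tell from the signature whether it selects a default digest or signs the message without pre-hashing.
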
Contributor

Genuinely curious, is there a particular reason for the workaround and why we can't do Option<*mut EVP_PKEY_CTX>? Is it due to Option not being able to take mutable pointers?

Contributor Author

I would probably use an LcPtr for that approach. I'm sure it could be done that way, but I'd need to look at whether ownership also needs to transfer when passed.

let key_private2 =
LcPtr::<EVP_PKEY>::parse_raw_private_key(&raw_private_buffer, EVP_PKEY_PQDSA).unwrap();

// TODO: Currently the public key is not populated
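
Review bot: the TODO on the last line does not say which call leaves the public key unpopulated or what the test skips because of it; reference the tracking issue or the AWS-LC change it waits on, so the comment and any skipped assertion can be removed once that lands. The `.unwrap()` on `parse_raw_private_key` gives no context when it fails; `expect` with a short message would.
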
Contributor

Was this meant to say private? Is this an issue that the ML-DSA APIs still have to iron out, or support we're in the midst of adding?

Contributor Author

At the time I wrote the code, only the private key was populated by AWS-LC. That's since been fixed.
