Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[signing] Support SPX signing with hsmtool #25702

Merged
merged 2 commits into from
Jan 13, 2025
Merged

[signing] Support SPX signing with hsmtool #25702

merged 2 commits into from
Jan 13, 2025

Conversation

cfrantz
Copy link
Contributor

@cfrantz cfrantz commented Dec 18, 2024
edited
Loading

  1. Enhance the signing rules to use the spx signing commands added to hsmtool.

  2. Change the PKCS#11 provider from sc-hsm-embedded to opensc.

    • sc-hsm-embedded supports RSA3072 and ECDSA P256 signatures, but does not support CKO_DATA objects.
    • opensc supports ECDSA P256 signatures and CKO_DATA objects, but does not support RSA3072 signatures.

    We no longer use RSA3072 signatures for signing code; we can use
    CKO_DATA objects to hold SPX keys for signing.

  3. Use the formal NIST names for SPHINCS+ algorithms when saving or serializing keys. Accept the older names as aliases.

    • SLA-DSA-SHAKE-128s
    • SLA-DSA-SHA2-128s

@cfrantz cfrantz requested a review from a team as a code owner December 19, 2024 16:17
@cfrantz
[signing] Support SPX signing with hsmtool
de6187c 
1. Enhance the signing rules to use the spx signing commands added to
   hsmtool.
2. Change the PKCS#11 provider from sc-hsm-embedded to opensc.
   - sc-hsm-embedded supports RSA3072 and ECDSA P256 signatures, but does
     not support CKO_DATA objects.
   - opensc supports ECDSA P256 signatures and CKO_DATA objects, but does
     not support RSA3072 signatures.

   We no longer use RSA3072 signatures for signing code; we _can_ use
   CKO_DATA objects to hold SPX keys for signing.

Signed-off-by: Chris Frantz <[email protected]>
@cfrantz
[sphincsplus] Use NIST standard algorithm names
6a47720 
1. Use the formal NIST names for SPHINCS+ algorithms when saving or
   serializing keys.  Accept the older names as aliases.
   - SLA-DSA-SHAKE-128s
   - SLA-DSA-SHA2-128s

Signed-off-by: Chris Frantz <[email protected]>
@cfrantz cfrantz merged commit a58c7b6 into lowRISC:earlgrey_1.0.0 Jan 13, 2025
32 checks passed
@cfrantz cfrantz added the CherryPick:master This PR should be cherry-picked to master label Jan 30, 2025
@github-actions GitHub Actions
Copy link

Successfully created backport PR for master:

@github-actions github-actions bot mentioned this pull request Jan 30, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moidx moidx moidx approved these changes

@jadephilipoom jadephilipoom jadephilipoom approved these changes

@timothytrippel timothytrippel Awaiting requested review from timothytrippel

Assignees
No one assigned
Labels
CherryPick:master This PR should be cherry-picked to master
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cfrantz @moidx @jadephilipoom