unstable API for ML-DSA

aws-lc-rs/Makefile

@@ -28,26 +28,32 @@ coverage:
 coverage-fips:
 	cargo llvm-cov --features "${AWS_LC_RS_COV_EXTRA_FEATURES},fips" --no-fail-fast --fail-under-lines 95 --ignore-filename-regex "aws-lc(-fips|)-sys/*" --lcov --output-path lcov.info
 
+test: export AWS_LC_RS_DISABLE_SLOW_TESTS = 1
 test:
+	cargo test --all-targets
 	cargo test --all-targets --features unstable
-	cargo test --release --all-targets
 	cargo test --release --all-targets --features bindgen,unstable
-	cargo test --release --all-targets --features fips,unstable
-	cargo test --no-default-features --all-targets --features fips,unstable
+	cargo test --release --all-targets --features fips,bindgen,unstable
+	cargo test --no-default-features --all-targets --features aws-lc-sys
 	cargo test --no-default-features --all-targets --features aws-lc-sys,unstable
-	cargo test --no-default-features --all-targets --features aws-lc-sys,ring-sig-verify,unstable
-	cargo test --no-default-features --all-targets --features aws-lc-sys,ring-io,unstable
-	cargo test --no-default-features --all-targets --features aws-lc-sys,alloc,unstable
+	cargo test --no-default-features --all-targets --features fips
+	cargo test --no-default-features --all-targets --features fips,unstable
+	cargo test --no-default-features --all-targets --features aws-lc-sys,ring-sig-verify
+	cargo test --no-default-features --all-targets --features aws-lc-sys,ring-io
+	cargo test --no-default-features --all-targets --features aws-lc-sys,alloc
 
 msrv:
 	cargo msrv verify
 
 clippy:
 	cargo +nightly clippy --all-targets --features bindgen,fips,unstable -- -W clippy::all  -W clippy::pedantic
 
-clippy-fix:
+clippy-fips-fix:
 	cargo +nightly clippy --all-targets --features bindgen,fips,unstable --fix --allow-dirty -- -W clippy::all  -W clippy::pedantic
 
+clippy-fix:
+	cargo +nightly clippy --all-targets --features bindgen,unstable --fix --allow-dirty -- -W clippy::all  -W clippy::pedantic
+
 ci: format clippy msrv test coverage api-diff-pub
 
 readme:

aws-lc-rs/src/ec.rs

@@ -31,8 +31,6 @@ pub(crate) mod signature;
 const ELEM_MAX_BITS: usize = 521;
 pub(crate) const ELEM_MAX_BYTES: usize = (ELEM_MAX_BITS + 7) / 8;
 
-pub(crate) const SCALAR_MAX_BYTES: usize = ELEM_MAX_BYTES;
-
 /// The maximum length, in bytes, of an encoded public key.
 pub(crate) const PUBLIC_KEY_MAX_LEN: usize = 1 + (2 * ELEM_MAX_BYTES);
 
@@ -62,7 +60,7 @@ pub(crate) fn verify_evp_key_nid(
 }
 
 #[inline]
-pub(crate) fn validate_evp_key(
+pub(crate) fn validate_ec_evp_key(
     evp_pkey: &ConstPointer<EVP_PKEY>,
     expected_curve_nid: i32,
 ) -> Result<(), KeyRejected> {

aws-lc-rs/src/ec/encoding.rs

@@ -3,7 +3,7 @@
 
 use crate::aws_lc::{EVP_PKEY, EVP_PKEY_EC};
 use crate::ec::encoding::sec1::parse_sec1_public_point;
-use crate::ec::validate_evp_key;
+use crate::ec::validate_ec_evp_key;
 
 use crate::error::KeyRejected;
 use crate::ptr::LcPtr;
@@ -23,7 +23,7 @@ pub(crate) mod sec1 {
     use crate::cbb::LcCBB;
     use crate::ec::{
         compressed_public_key_size_bytes, ec_group_from_nid, uncompressed_public_key_size_bytes,
-        validate_evp_key, KeyRejected,
+        validate_ec_evp_key, KeyRejected,
     };
     use crate::error::Unspecified;
     use crate::ptr::{ConstPointer, DetachableLcPtr, LcPtr};
@@ -72,7 +72,7 @@ pub(crate) mod sec1 {
 
         ec_key.detach();
 
-        validate_evp_key(&pkey.as_const(), nid)?;
+        validate_ec_evp_key(&pkey.as_const(), nid)?;
 
         Ok(pkey)
     }
@@ -126,7 +126,7 @@ pub(crate) mod sec1 {
         ec_key.detach();
 
         // Validate the EC_KEY before returning it.
-        validate_evp_key(&pkey.as_const(), expected_curve_nid)?;
+        validate_ec_evp_key(&pkey.as_const(), expected_curve_nid)?;
 
         Ok(pkey)
     }
@@ -250,5 +250,5 @@ pub(crate) fn parse_ec_public_key(
 ) -> Result<LcPtr<EVP_PKEY>, KeyRejected> {
     LcPtr::<EVP_PKEY>::parse_rfc5280_public_key(key_bytes, EVP_PKEY_EC)
         .or(parse_sec1_public_point(key_bytes, expected_curve_nid))
-        .and_then(|key| validate_evp_key(&key.as_const(), expected_curve_nid).map(|()| key))
+        .and_then(|key| validate_ec_evp_key(&key.as_const(), expected_curve_nid).map(|()| key))
 }

aws-lc-rs/src/ec/key_pair.rs

@@ -3,15 +3,14 @@
 // Modifications copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
-use crate::aws_lc::{EVP_DigestSign, EVP_DigestSignInit, EVP_PKEY, EVP_PKEY_EC};
+use crate::aws_lc::{EVP_PKEY, EVP_PKEY_EC};
 use core::fmt;
 use core::fmt::{Debug, Formatter};
 
-use crate::digest::digest_ctx::DigestContext;
 use crate::ec::evp_key_generate;
 use crate::ec::signature::{EcdsaSignatureFormat, EcdsaSigningAlgorithm, PublicKey};
 #[cfg(feature = "fips")]
-use crate::ec::validate_evp_key;
+use crate::ec::validate_ec_evp_key;
 #[cfg(not(feature = "fips"))]
 use crate::ec::verify_evp_key_nid;
 
@@ -98,7 +97,7 @@ impl EcdsaKeyPair {
         #[cfg(not(feature = "fips"))]
         verify_evp_key_nid(&evp_pkey.as_const(), alg.id.nid())?;
         #[cfg(feature = "fips")]
-        validate_evp_key(&evp_pkey.as_const(), alg.id.nid())?;
+        validate_ec_evp_key(&evp_pkey.as_const(), alg.id.nid())?;
 
         let key_pair = Self::new(alg, evp_pkey)?;
 

aws-lc-rs/src/encoding.rs

@@ -63,7 +63,8 @@ generated_encodings!(
     PublicKeyX509Der,
     Curve25519SeedBin,
     Pkcs8V1Der,
-    Pkcs8V2Der
+    Pkcs8V2Der,
+    PqdsaPrivateKeyBin
 );
 
 /// Trait for types that can be serialized into a DER format.
@@ -83,3 +84,12 @@ pub trait AsBigEndian<T> {
     /// Returns Unspecified if serialization fails.
     fn as_be_bytes(&self) -> Result<T, crate::error::Unspecified>;
 }
+
+/// Trait for values that can be serialized into a raw format
+pub trait AsRawBytes<T> {
+    /// Serializes into a raw format.
+    ///
+    /// # Errors
+    /// Returns Unspecified if serialization fails.
+    fn as_raw_bytes(&self) -> Result<T, crate::error::Unspecified>;
+}

aws-lc-rs/src/evp_pkey.rs

@@ -10,7 +10,7 @@ use crate::aws_lc::{
     EVP_parse_private_key, EVP_parse_public_key, EC_KEY, EVP_PKEY, EVP_PKEY_CTX, EVP_PKEY_ED25519,
     RSA,
 };
-#[cfg(not(feature = "fips"))]
+#[cfg(all(feature = "unstable", not(feature = "fips")))]
 use crate::aws_lc::{
     EVP_PKEY_pqdsa_new_raw_private_key, EVP_PKEY_pqdsa_new_raw_public_key, EVP_PKEY_PQDSA,
     NID_MLDSA44, NID_MLDSA65, NID_MLDSA87,
@@ -243,7 +243,7 @@ impl LcPtr<EVP_PKEY> {
         bytes: &[u8],
         evp_pkey_type: c_int,
     ) -> Result<Self, KeyRejected> {
-        #[cfg(not(feature = "fips"))]
+        #[cfg(all(feature = "unstable", not(feature = "fips")))]
         if evp_pkey_type == EVP_PKEY_PQDSA {
             return match bytes.len() {
                 2560 => Self::new(unsafe {
@@ -270,7 +270,7 @@ impl LcPtr<EVP_PKEY> {
         bytes: &[u8],
         evp_pkey_type: c_int,
     ) -> Result<Self, KeyRejected> {
-        #[cfg(not(feature = "fips"))]
+        #[cfg(all(feature = "unstable", not(feature = "fips")))]
         if evp_pkey_type == EVP_PKEY_PQDSA {
             return match bytes.len() {
                 1312 => Self::new(unsafe {

aws-lc-rs/src/lib.rs

@@ -194,8 +194,8 @@ pub mod iv;
 pub mod kdf;
 #[allow(clippy::module_name_repetitions)]
 pub mod kem;
-#[cfg(not(feature = "fips"))]
-mod pq;
+#[cfg(all(feature = "unstable", not(feature = "fips")))]
+mod pqdsa;
 mod ptr;
 pub mod rsa;
 pub mod tls_prf;