Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[signing] Support SPX signing with hsmtool #25702

Open
wants to merge 2 commits into
base: earlgrey_1.0.0
Choose a base branch
from

Conversation

cfrantz
Copy link
Contributor

@cfrantz cfrantz commented Dec 18, 2024

  1. Enhance the signing rules to use the spx signing commands added to hsmtool.

  2. Change the PKCS#11 provider from sc-hsm-embedded to opensc.

    • sc-hsm-embedded supports RSA3072 and ECDSA P256 signatures, but does not support CKO_DATA objects.
    • opensc supports ECDSA P256 signatures and CKO_DATA objects, but does not support RSA3072 signatures.

    We no longer use RSA3072 signatures for signing code; we can use
    CKO_DATA objects to hold SPX keys for signing.

  3. Use the formal NIST names for SPHINCS+ algorithms when saving or serializing keys. Accept the older names as aliases.

    • SLA-DSA-SHAKE-128s
    • SLA-DSA-SHA2-128s

@cfrantz cfrantz requested a review from a team as a code owner December 19, 2024 16:17

Verified

This commit was signed with the committer’s verified signature.
Kobzol Jakub Beránek
1. Enhance the signing rules to use the spx signing commands added to
   hsmtool.
2. Change the PKCS#11 provider from sc-hsm-embedded to opensc.
   - sc-hsm-embedded supports RSA3072 and ECDSA P256 signatures, but does
     not support CKO_DATA objects.
   - opensc supports ECDSA P256 signatures and CKO_DATA objects, but does
     not support RSA3072 signatures.

   We no longer use RSA3072 signatures for signing code; we _can_ use
   CKO_DATA objects to hold SPX keys for signing.

Signed-off-by: Chris Frantz <cfrantz@google.com>

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
1. Use the formal NIST names for SPHINCS+ algorithms when saving or
   serializing keys.  Accept the older names as aliases.
   - SLA-DSA-SHAKE-128s
   - SLA-DSA-SHA2-128s

Signed-off-by: Chris Frantz <cfrantz@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants