[Do not merge] Post-quantum signature scheme - ML-DSA #216
+90
โ2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
Great job, no security vulnerabilities found in this Pull Request |
quexten
added a commit
that referenced
this pull request
Jun 16, 2025
## ๐๏ธ Tracking https://bitwarden.atlassian.net/browse/PM-20361 ## ๐ Objective ### Signing operations This PR adds signing/verifying operations, and keys, including serialization to COSE for both the keys, and for the signatures. We enforce strong domain separation by adding a namespace. This ensures not having to worry about cross-protocol attacks / swapping messages between contexts. Two signing operations are provided; sign and sign detached. The former signs an object and returns a signedobject, containing the payload. To get the payload, the signature *must* be verified (guaranteed by the interface). The latter returns signature and serialized message. This is useful when multiple signatures are needed for one message; in this case a countersignature can be created, so that we can have multiple signatures for the same object, in case a trust relationship needs to be proven in multiple directions. Signing is implemented in 3 layers documented at the top of `sign.rs`. The high level layer accepts a struct that is serializable and namespace, and returns a signature and the serialized representation, or the signedobject. The serialization may not be canonical, so the consumer should store the serialized representation instead of their input struct. The reverse operation - verify / getverifiedpayload - returns the deserialized struct. The middle layer accepts byte array plus namespace. The low layer is the direct implementation of the signature, and accepts byte array (no namespace). This ensures that implementing a new signature scheme only requires implementing this low level operation. The one implemented algorithm type is ed25519. Keys are represented as enums such that it is easy to add other signing key types (ML-DSA for post-quantum crypto, PoC here: #216) later on. The signature is represented as a Cose Sign1 message (https://www.rfc-editor.org/rfc/rfc9052.html#name-signing-with-one-signer). The namespace is separated by setting the protected header. Since this is included in the signed data, and since this is validated on verifying the signature, and since the values are unique, domain separation is enforced. We only ever want to expose the safe function outside of the crate (if we even expose it out of the crate). ### SignedPublicKey Public encryption keys should have their owner identity verified. Thus, a new SignedPublicKey that is a signed object containing the public key is created. Consumers must verify the signature before being able to access the public encryption key. ### Public key changes Public keys are hardcoded at the moment to expect DER encoding and RSA-OAEP encryption. This is not the case long-term, and the signature format above makes this clear by including format types. This PR also includes some prep-work, applying the same per-encryption-time enum variant split in the asymmetric encryption keys. Follow-up work can further clean this up, and clean up the folder structure / file split. ## โฐ Reminders before review - Contributor guidelines followed - All formatters and local linters executed and passed - Written new unit and / or integration tests where applicable - Protected functional changes with optionality (feature flags) - Used internationalization (i18n) for all UI strings - CI builds passed - Communicated to DevOps any deployment requirements - Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team ## ๐ฆฎ Reviewer guidelines <!-- Suggested interactions but feel free to use (or not) as you desire! --> - ๐ (`:+1:`) or similar for great changes - ๐ (`:memo:`) or โน๏ธ (`:information_source:`) for notes or general info - โ (`:question:`) for questions - ๐ค (`:thinking:`) or ๐ญ (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion - ๐จ (`:art:`) for suggestions / improvements - โ (`:x:`) orโ ๏ธ (`:warning:`) for more significant problems or concerns needing attention - ๐ฑ (`:seedling:`) or โป๏ธ (`:recycle:`) for future improvements or indications of technical debt - โ (`:pick:`) for minor or nitpick changes --------- Co-authored-by: Matt Gibson <[email protected]> Co-authored-by: Daniel Garcรญa <[email protected]> Co-authored-by: Oscar Hinton <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
๐๏ธ Tracking
๐ Objective
Pending https://datatracker.ietf.org/doc/draft-ietf-cose-dilithium/ and changes to coset for COSE encoding.
โฐ Reminders before review
team
๐ฆฎ Reviewer guidelines
:+1:) or similar for great changes:memo:) or โน๏ธ (:information_source:) for notes or general info:question:) for questions:thinking:) or ๐ญ (:thought_balloon:) for more open inquiry that's not quite a confirmedissue and could potentially benefit from discussion
:art:) for suggestions / improvements:x:) or:warning:) for more significant problems or concerns needing attention:seedling:) or โป๏ธ (:recycle:) for future improvements or indications of technical debt:pick:) for minor or nitpick changes