Add unstable support for ML-DSA signature algorithms

djc · djc · commit 25c57cb16929 · 2025-05-07T16:45:05.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -71,14 +71,15 @@ name = "webpki"
 [features]
 default = ["std"]
 alloc = ["ring?/alloc", "pki-types/alloc"]
+__aws-lc-rs-unstable = ["aws-lc-rs", "aws-lc-rs/unstable"]
 aws-lc-rs = ["dep:aws-lc-rs", "aws-lc-rs/aws-lc-sys", "aws-lc-rs/prebuilt-nasm"]
 aws-lc-rs-fips = ["dep:aws-lc-rs", "aws-lc-rs/fips"]
 ring = ["dep:ring"]
 std = ["alloc", "pki-types/std"]
 
 [dependencies]
 aws-lc-rs = { version = "1.9", optional = true, default-features = false }
-pki-types = { package = "rustls-pki-types", version = "1.11", default-features = false }
+pki-types = { package = "rustls-pki-types", version = "1.12", default-features = false }
 ring = { version = "0.17", default-features = false, optional = true }
 untrusted = "0.9"
 
diff --git a/src/aws_lc_rs_algs.rs b/src/aws_lc_rs_algs.rs
@@ -1,3 +1,5 @@
+#[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+use aws_lc_rs::unstable;
 use aws_lc_rs::{signature, try_fips_mode};
 use pki_types::{AlgorithmIdentifier, InvalidSignature, SignatureVerificationAlgorithm, alg_id};
 
@@ -54,6 +56,27 @@ impl SignatureVerificationAlgorithm for AwsLcRsAlgorithm {
     }
 }
 
+#[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+pub static ML_DSA_44: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
+    public_key_alg_id: alg_id::ML_DSA_44,
+    signature_alg_id: alg_id::ML_DSA_44,
+    verification_alg: &unstable::signature::MLDSA_44,
+};
+
+#[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+pub static ML_DSA_65: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
+    public_key_alg_id: alg_id::ML_DSA_65,
+    signature_alg_id: alg_id::ML_DSA_65,
+    verification_alg: &unstable::signature::MLDSA_65,
+};
+
+#[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+pub static ML_DSA_87: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
+    public_key_alg_id: alg_id::ML_DSA_87,
+    signature_alg_id: alg_id::ML_DSA_87,
+    verification_alg: &unstable::signature::MLDSA_87,
+};
+
 /// ECDSA signatures using the P-256 curve and SHA-256.
 pub static ECDSA_P256_SHA256: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
     public_key_alg_id: alg_id::ECDSA_P256,
@@ -194,6 +217,12 @@ mod tests {
         // Algorithms deprecated because they are nonsensical combinations.
         super::ECDSA_P256_SHA384, // Truncates digest.
         super::ECDSA_P384_SHA256, // Digest is unnecessarily short.
+        #[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+        super::ML_DSA_44,
+        #[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+        super::ML_DSA_65,
+        #[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+        super::ML_DSA_87,
     ];
 
     const UNSUPPORTED_SIGNATURE_ALGORITHM_FOR_RSA_KEY: Error =
diff --git a/src/lib.rs b/src/lib.rs
@@ -113,6 +113,8 @@ pub mod aws_lc_rs {
         RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
         RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
     };
+    #[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+    pub use super::aws_lc_rs_algs::{ML_DSA_44, ML_DSA_65, ML_DSA_87};
 }
 
 /// An array of all the verification algorithms exported by this crate.

Original file line number	Diff line number	Diff line change
`@@ -113,6 +113,8 @@ pub mod aws_lc_rs {`
`113`	`113`	`RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,`
`114`	`114`	`RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,`
`115`	`115`	`};`
	`116`	`+ #[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]`
	`117`	`+ pub use super::aws_lc_rs_algs::{ML_DSA_44, ML_DSA_65, ML_DSA_87};`
`116`	`118`	`}`
`117`	`119`
`118`	`120`	`/// An array of all the verification algorithms exported by this crate.`