Add unstable support for ML-DSA signature algorithms

Author: djc

Cargo.lock

@@ -71,14 +71,15 @@ name = "webpki"
 [features]
 default = ["std"]
 alloc = ["ring?/alloc", "pki-types/alloc"]
+__aws-lc-rs-unstable = ["aws-lc-rs", "aws-lc-rs/unstable"]
 aws-lc-rs = ["dep:aws-lc-rs", "aws-lc-rs/aws-lc-sys", "aws-lc-rs/prebuilt-nasm"]
 aws-lc-rs-fips = ["dep:aws-lc-rs", "aws-lc-rs/fips"]
 ring = ["dep:ring"]
 std = ["alloc", "pki-types/std"]
 
 [dependencies]
 aws-lc-rs = { version = "1.9", optional = true, default-features = false }
-pki-types = { package = "rustls-pki-types", version = "1.11", default-features = false }
+pki-types = { package = "rustls-pki-types", version = "1.12", default-features = false }
 ring = { version = "0.17", default-features = false, optional = true }
 untrusted = "0.9"
 

Cargo.toml

@@ -1,3 +1,5 @@
+#[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+use aws_lc_rs::unstable;
 use aws_lc_rs::{signature, try_fips_mode};
 use pki_types::{AlgorithmIdentifier, InvalidSignature, SignatureVerificationAlgorithm, alg_id};
 
@@ -54,6 +56,27 @@ impl SignatureVerificationAlgorithm for AwsLcRsAlgorithm {
     }
 }
 
+#[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+pub static ML_DSA_44: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
+    public_key_alg_id: alg_id::ML_DSA_44,
+    signature_alg_id: alg_id::ML_DSA_44,
+    verification_alg: &unstable::signature::MLDSA_44,
+};
+
+#[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+pub static ML_DSA_65: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
+    public_key_alg_id: alg_id::ML_DSA_65,
+    signature_alg_id: alg_id::ML_DSA_65,
+    verification_alg: &unstable::signature::MLDSA_65,
+};
+
+#[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+pub static ML_DSA_87: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
+    public_key_alg_id: alg_id::ML_DSA_87,
+    signature_alg_id: alg_id::ML_DSA_87,
+    verification_alg: &unstable::signature::MLDSA_87,
+};
+
 /// ECDSA signatures using the P-256 curve and SHA-256.
 pub static ECDSA_P256_SHA256: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
     public_key_alg_id: alg_id::ECDSA_P256,
@@ -194,6 +217,12 @@ mod tests {
         // Algorithms deprecated because they are nonsensical combinations.
         super::ECDSA_P256_SHA384, // Truncates digest.
         super::ECDSA_P384_SHA256, // Digest is unnecessarily short.
+        #[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+        super::ML_DSA_44,
+        #[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+        super::ML_DSA_65,
+        #[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+        super::ML_DSA_87,
     ];
 
     const UNSUPPORTED_SIGNATURE_ALGORITHM_FOR_RSA_KEY: Error =

src/aws_lc_rs_algs.rs

@@ -113,6 +113,8 @@ pub mod aws_lc_rs {
         RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
         RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
     };
+    #[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+    pub use super::aws_lc_rs_algs::{ML_DSA_44, ML_DSA_65, ML_DSA_87};
 }
 
 /// An array of all the verification algorithms exported by this crate.
@@ -173,6 +175,12 @@ pub static ALL_VERIFICATION_ALGS: &[&dyn pki_types::SignatureVerificationAlgorit
     aws_lc_rs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
     #[cfg(feature = "aws-lc-rs")]
     aws_lc_rs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
+    #[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+    aws_lc_rs::ML_DSA_44,
+    #[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+    aws_lc_rs::ML_DSA_65,
+    #[cfg(all(feature = "__aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
+    aws_lc_rs::ML_DSA_87,
 ];
 
 fn public_values_eq(a: untrusted::Input<'_>, b: untrusted::Input<'_>) -> bool {