ML_DSA: Make apps.c do_X509_REQ_verify() call work correctly.

- Added sigid_algs for ML_DSA such that OBJ_find_sigid_algs() works. - OBJ_sn2nid() was also being called, so the SN form of ML_DSA algorithms needed to be added to the provider dispatch tables. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/26636)
2025-04-06 20:20:50 +08:00 · 2025-02-05 10:20:50 +11:00 · 2025-02-05 10:20:50 +11:00 · 1036be4384
commit 1036be4384
parent f207938711
4 changed files with 23 additions and 5 deletions
--- a/crypto/objects/obj_xref.h
+++ b/crypto/objects/obj_xref.h
@ -84,6 +84,9 @@ static const nid_triple sigoid_srt[] = {
    {NID_RSA_SHA3_384, NID_sha3_384, NID_rsaEncryption},
    {NID_RSA_SHA3_512, NID_sha3_512, NID_rsaEncryption},
    {NID_SM2_with_SM3, NID_sm3, NID_sm2},
+    {NID_ML_DSA_44, NID_undef, NID_ML_DSA_44},
+    {NID_ML_DSA_65, NID_undef, NID_ML_DSA_65},
+    {NID_ML_DSA_87, NID_undef, NID_ML_DSA_87},
 };

 static const nid_triple *const sigoid_srt_xref[] = {
--- a/crypto/objects/obj_xref.txt
+++ b/crypto/objects/obj_xref.txt
@ -23,6 +23,9 @@ RSA_SHA3_512		sha3_512 rsaEncryption
 rsassaPss		undef	rsassaPss
 ED25519		    undef	ED25519
 ED448		    undef	ED448
+ML_DSA_44  undef ML_DSA_44
+ML_DSA_65  undef ML_DSA_65
+ML_DSA_87  undef ML_DSA_87

 # Alternative deprecated OIDs. By using the older "rsa" OID this
 # type will be recognized by not normally used.
--- a/providers/implementations/include/prov/names.h
+++ b/providers/implementations/include/prov/names.h
@ -384,9 +384,9 @@
 #define PROV_DESCS_RSA_PSS "OpenSSL RSA-PSS implementation"
 #define PROV_NAMES_SM2 "SM2:1.2.156.10197.1.301"
 #define PROV_DESCS_SM2 "OpenSSL SM2 implementation"
-#define PROV_NAMES_ML_DSA_44 "ML-DSA-44:2.16.840.1.101.3.4.3.17"
+#define PROV_NAMES_ML_DSA_44 "ML-DSA-44:2.16.840.1.101.3.4.3.17:id-ml-dsa-44"
 #define PROV_DESCS_ML_DSA_44 "OpenSSL ML-DSA-44 implementation"
-#define PROV_NAMES_ML_DSA_65 "ML-DSA-65:2.16.840.1.101.3.4.3.18"
+#define PROV_NAMES_ML_DSA_65 "ML-DSA-65:2.16.840.1.101.3.4.3.18:id-ml-dsa-65"
 #define PROV_DESCS_ML_DSA_65 "OpenSSL ML-DSA-65 implementation"
-#define PROV_NAMES_ML_DSA_87 "ML-DSA-87:2.16.840.1.101.3.4.3.19"
+#define PROV_NAMES_ML_DSA_87 "ML-DSA-87:2.16.840.1.101.3.4.3.19:id-ml-dsa-87"
 #define PROV_DESCS_ML_DSA_87 "OpenSSL ML-DSA-87 implementation"
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@ -356,10 +356,10 @@ subtest "generating SM2 certificate requests" => sub {
 };

 subtest "generating certificate requests with ML-DSA" => sub {
-    plan tests => 3;
+    plan tests => 5;

    SKIP: {
-        skip "ML-DSA is not supported by this OpenSSL build", 3
+        skip "ML-DSA is not supported by this OpenSSL build", 5
            if disabled("ml-dsa");

        ok(run(app(["openssl", "req",
@ -389,6 +389,18 @@ subtest "generating certificate requests with ML-DSA" => sub {
                    "-subj", "/CN=test-self-signed",
                    "-addext","keyUsage=digitalSignature"])),
                    "Generating self signed ML-DSA-87 cert and private key");
+        ok(run(app(["openssl", "req",
+                    "-config", srctop_file("test", "test.cnf"),
+                    "-new",
+                    "-sigopt","hextest-entropy:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+                    "-out", "csr_ml_dsa_87.pem",
+                    "-newkey", "ML-DSA-87",
+                    "-passout", "pass:x"])),
+                    "Generating ML-DSA-87 csr");
+        ok(run(app(["openssl", "req",
+                    "-config", srctop_file("test", "test.cnf"),
+                    "-in", "csr_ml_dsa_87.pem"])),
+                    "verifying ML-DSA-87 csr");
    }
 };