feat: support parsing certs with MLDSA public keys (#411)

Author: zachwajda

ffi/src/key.rs

@@ -46,6 +46,7 @@ impl From<KeyKind> for picky::key::KeyKind {
             KeyKind::Rsa => picky::key::KeyKind::Rsa,
             KeyKind::Ec => picky::key::KeyKind::Ec,
             KeyKind::Ed => picky::key::KeyKind::Ed,
+            KeyKind::Mldsa => picky::key::KeyKind::Mldsa,
         }
     }
 }
@@ -56,6 +57,7 @@ impl From<picky::key::KeyKind> for KeyKind {
             picky::key::KeyKind::Rsa => KeyKind::Rsa,
             picky::key::KeyKind::Ec => KeyKind::Ec,
             picky::key::KeyKind::Ed => KeyKind::Ed,
+            picky::key::KeyKind::Mldsa => KeyKind::Mldsa,
         }
     }
 }
@@ -94,6 +96,8 @@ pub mod ffi {
         Ec,
         /// Edwards-curve
         Ed,
+        /// MLDSA (Module-Lattice-Based Digital Signature Algorithm)
+        Mldsa,
     }
 
     #[diplomat::opaque]

picky-asn1-x509/src/algorithm_identifier.rs

@@ -297,6 +297,27 @@ impl AlgorithmIdentifier {
             parameters: AlgorithmIdentifierParameters::None,
         }
     }
+
+    pub fn new_mldsa_44() -> Self {
+        Self {
+            algorithm: oids::id_mldsa_44().into(),
+            parameters: AlgorithmIdentifierParameters::None,
+        }
+    }
+
+    pub fn new_mldsa_65() -> Self {
+        Self {
+            algorithm: oids::id_mldsa_65().into(),
+            parameters: AlgorithmIdentifierParameters::None,
+        }
+    }
+
+    pub fn new_mldsa_87() -> Self {
+        Self {
+            algorithm: oids::id_mldsa_87().into(),
+            parameters: AlgorithmIdentifierParameters::None,
+        }
+    }
 }
 
 impl ser::Serialize for AlgorithmIdentifier {
@@ -379,7 +400,10 @@ impl<'de> de::Deserialize<'de> for AlgorithmIdentifier {
                     | oids::ED25519
                     | oids::ED448
                     | oids::X25519
-                    | oids::X448 => AlgorithmIdentifierParameters::None,
+                    | oids::X448
+                    | oids::ID_MLDSA_44
+                    | oids::ID_MLDSA_65
+                    | oids::ID_MLDSA_87 => AlgorithmIdentifierParameters::None,
                     oids::DSA_WITH_SHA1 => {
                         // A note from [RFC 3927](https://www.ietf.org/rfc/rfc3279.txt)
                         // When the id-dsa-with-sha1 algorithm identifier appears as the
@@ -1324,4 +1348,31 @@ mod tests {
         pretty_assertions::assert_eq!(decoded, expected);
         check_serde!(decoded: RawAlgorithmIdentifier in encoded);
     }
+
+    #[test]
+    fn mldsa_44() {
+        let expected = [
+            0x30, 0x0B, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x11,
+        ];
+        let mldsa = AlgorithmIdentifier::new_mldsa_44();
+        check_serde!(mldsa: AlgorithmIdentifier in expected);
+    }
+
+    #[test]
+    fn mldsa_65() {
+        let expected = [
+            0x30, 0x0B, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x12,
+        ];
+        let mldsa = AlgorithmIdentifier::new_mldsa_65();
+        check_serde!(mldsa: AlgorithmIdentifier in expected);
+    }
+
+    #[test]
+    fn mldsa_87() {
+        let expected = [
+            0x30, 0x0B, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x13,
+        ];
+        let mldsa = AlgorithmIdentifier::new_mldsa_87();
+        check_serde!(mldsa: AlgorithmIdentifier in expected);
+    }
 }

picky-asn1-x509/src/oids.rs

@@ -64,6 +64,10 @@ define_oid! {
     ID_RSASSA_PKCS1_V1_5_WITH_SHA3_256 => id_rsassa_pkcs1_v1_5_with_sha3_256 => "2.16.840.1.101.3.4.3.14",
     ID_RSASSA_PKCS1_V1_5_WITH_SHA3_384 => id_rsassa_pkcs1_v1_5_with_sha3_384 => "2.16.840.1.101.3.4.3.15",
     ID_RSASSA_PKCS1_V1_5_WITH_SHA3_512 => id_rsassa_pkcs1_v1_5_with_sha3_512 => "2.16.840.1.101.3.4.3.16",
+    ID_MLDSA_44 => id_mldsa_44 => "2.16.840.1.101.3.4.3.17",
+    ID_MLDSA_65 => id_mldsa_65 => "2.16.840.1.101.3.4.3.18",
+    ID_MLDSA_87 => id_mldsa_87 => "2.16.840.1.101.3.4.3.19",
+
 
     // Certicom Object Identifiers
     SECP384R1 => secp384r1 => "1.3.132.0.34",

picky-asn1-x509/src/subject_public_key_info.rs

@@ -713,6 +713,11 @@ fn encode_impl(mut jwe: Jwe, mode: EncoderMode) -> Result<String, JweError> {
 
                 (encrypted_key_base64, jwe_cek)
             }
+            RfcPublicKey::Mldsa(_) => {
+                return Err(JweError::UnsupportedAlgorithm {
+                    algorithm: "mldsa".to_string(),
+                });
+            }
         },
     };
 
@@ -1155,6 +1160,11 @@ fn generate_ecdh_shared_secret(
                 algorithm: format!("RSA key can't be used with `{:?}` algorithm", alg),
             });
         }
+        RfcPublicKey::Mldsa(_) => {
+            return Err(JweError::UnsupportedAlgorithm {
+                algorithm: format!("MLDSA key can't be used with `{:?}` algorithm", alg),
+            });
+        }
     };
 
     // Apply concact KDF to raw shared secret

picky/src/jose/jwe.rs

@@ -406,6 +406,9 @@ impl Jwk {
 
                 Ok(Self::new(JwkKeyType::new_ed_key(algorithm, ed_key.data())))
             }
+            SerdePublicKey::Mldsa(_) => Err(JwkError::UnsupportedAlgorithm {
+                algorithm: "JWK unsupported with MLDSA keys",
+            }),
         }
     }
 

picky/src/jose/jwk.rs

@@ -293,6 +293,9 @@ impl<'a> TryFrom<&'a PublicKey> for EcdsaPublicKey<'a> {
             InnerPublicKey::Ed(_) => Err(KeyError::EC {
                 context: "EC public key cannot be constructed from ED25519 public key".to_string(),
             }),
+            InnerPublicKey::Mldsa(_) => Err(KeyError::EC {
+                context: "EC public key cannot be constructed from MLDSA public key".to_string(),
+            }),
         }
     }
 }

picky/src/key/ec.rs

@@ -184,6 +184,9 @@ impl<'a> TryFrom<&'a PublicKey> for EdPublicKey<'a> {
                     algorithm: NamedEdAlgorithm::from(oid),
                 })
             }
+            InnerPublicKey::Mldsa(_) => Err(KeyError::ED {
+                context: "Ed public key cannot be constructed from Mldsa public key".to_string(),
+            }),
         }
     }
 }

picky/src/key/ed.rs

@@ -105,6 +105,7 @@ pub enum KeyKind {
     Rsa,
     Ec,
     Ed,
+    Mldsa,
 }
 
 // === private key === //
@@ -885,6 +886,7 @@ impl TryFrom<&'_ PublicKey> for RsaPublicKey {
             InnerPublicKey::Ed(_) => Err(KeyError::UnsupportedAlgorithm {
                 algorithm: "edwards curves",
             }),
+            InnerPublicKey::Mldsa(_) => Err(KeyError::UnsupportedAlgorithm { algorithm: "mldsa" }),
         }
     }
 }
@@ -1084,6 +1086,7 @@ impl PublicKey {
             picky_asn1_x509::PublicKey::Rsa(_) => KeyKind::Rsa,
             picky_asn1_x509::PublicKey::Ec(_) => KeyKind::Ec,
             picky_asn1_x509::PublicKey::Ed(_) => KeyKind::Ed,
+            picky_asn1_x509::PublicKey::Mldsa(_) => KeyKind::Mldsa,
         }
     }
 

picky/src/key/mod.rs

@@ -53,6 +53,10 @@ impl KeyIdGenMethod {
                     let der = bitstring.0.payload_view();
                     Ok(hash_algo.digest(der)[..20].to_vec())
                 }
+                InnerPublicKey::Mldsa(bitstring) => {
+                    let der = bitstring.0.payload_view();
+                    Ok(hash_algo.digest(der)[..20].to_vec())
+                }
             },
             KeyIdGenMethod::SPKFullDER(hash_algo) => {
                 let der = public_key