Post-Quantum Cryptography

Cargo.toml

@@ -56,6 +56,9 @@ hmac = "0.12"
 sha-1 = { version = "0.10", default-features = false, optional = true }
 sha2 = { version = "0.10", default-features = false }
 
+# PQC
+pqcrypto-mldsa = { version = "0.1.0", optional = true }
+
 # ours
 cosey = "0.3"
 delog = "0.1.0"
@@ -153,6 +156,11 @@ ui-client = ["trussed-core/ui-client"]
 
 test-attestation-cert-ids = []
 
+# If any PQC algorithm is set, it loads the dependency
+mldsa44 = ["dep:pqcrypto-mldsa", "cosey/mldsa44", "trussed-core/mldsa44"]
+mldsa65 = ["dep:pqcrypto-mldsa", "cosey/mldsa65", "trussed-core/mldsa65"]
+mldsa87 = ["dep:pqcrypto-mldsa", "cosey/mldsa87", "trussed-core/mldsa87"]
+
 [[test]]
 name = "aes256cbc"
 required-features = ["crypto-client", "default-mechanisms", "virt"]

core/Cargo.toml

@@ -10,13 +10,17 @@ license.workspace = true
 repository.workspace = true
 
 [dependencies]
+cfg-if = "1.0"
 heapless-bytes.workspace = true
 littlefs2-core.workspace = true
 postcard.workspace = true
 rand_core.workspace = true
 serde.workspace = true
 serde-indexed = "0.1"
 
+# PQC
+pqcrypto-mldsa = { version = "0.1.0", optional = true }
+
 [features]
 serde-extensions = []
 
@@ -54,5 +58,10 @@ totp = []
 trng = []
 x255 = []
 
+# PQC
+mldsa44 = ["dep:pqcrypto-mldsa"]
+mldsa65 = ["dep:pqcrypto-mldsa"]
+mldsa87 = ["dep:pqcrypto-mldsa"]
+
 [package.metadata.docs.rs]
 all-features = true

core/src/config.rs

@@ -1,9 +1,5 @@
-pub const MAX_MESSAGE_LENGTH: usize = 1024;
 pub const MAX_MEDIUM_DATA_LENGTH: usize = 256;
 pub const MAX_SHORT_DATA_LENGTH: usize = 128;
-pub const MAX_SIGNATURE_LENGTH: usize = 512 * 2;
-// FIXME: Value from https://stackoverflow.com/questions/5403808/private-key-length-bytes for Rsa2048 Private key
-pub const MAX_KEY_MATERIAL_LENGTH: usize = 1160 * 2 + 72;
 pub const MAX_USER_ATTRIBUTE_LENGTH: usize = 256;
 
 // request size is chosen to not exceed the largest standard syscall, Decrypt, so that the Request
@@ -13,3 +9,47 @@ pub const SERDE_EXTENSION_REQUEST_LENGTH: usize =
 // reply size is chosen to not exceed the largest standard syscall, Encrypt, so that the Reply enum
 // does not grow from this variant
 pub const SERDE_EXTENSION_REPLY_LENGTH: usize = MAX_MESSAGE_LENGTH + 2 * MAX_SHORT_DATA_LENGTH;
+
+// Must be MAX_KEY_MATERIAL_LENGTH + 4
+// Note that this is not the serialized key material (e.g. serialized PKCS#8), but
+// the internal Trussed serialization that adds flags and such
+pub const MAX_SERIALIZED_KEY_LENGTH: usize = MAX_KEY_MATERIAL_LENGTH + 4;
+
+// For the PQC algorithms, public and private key are generated at the same time and stored together as
+// the private key. Then in the derive call, it just pulls the public key from the private key store
+// and re-saves it as a public-only key. Therefore, the max material length is both keys together, plus
+// the PKCS8 DER encoding overhead (31 bytes).
+cfg_if::cfg_if! {
+    if #[cfg(feature = "mldsa87")] {
+        pub const MAX_SIGNATURE_LENGTH: usize = pqcrypto_mldsa::ffi::PQCLEAN_MLDSA87_CLEAN_CRYPTO_BYTES;
+        pub const MAX_KEY_MATERIAL_LENGTH: usize = pqcrypto_mldsa::ffi::PQCLEAN_MLDSA87_CLEAN_CRYPTO_PUBLICKEYBYTES
+        + pqcrypto_mldsa::ffi::PQCLEAN_MLDSA87_CLEAN_CRYPTO_SECRETKEYBYTES
+        + 31;
+        //pub const MAX_MESSAGE_LENGTH: usize = MAX_KEY_MATERIAL_LENGTH;
+        pub const MAX_FIDO_WRAPPED_KEY_LENGTH: usize =  MAX_SERIALIZED_KEY_LENGTH + 57;
+    } else if #[cfg(feature = "mldsa65")] {
+        pub const MAX_SIGNATURE_LENGTH: usize = pqcrypto_mldsa::ffi::PQCLEAN_MLDSA65_CLEAN_CRYPTO_BYTES;
+        pub const MAX_KEY_MATERIAL_LENGTH: usize = pqcrypto_mldsa::ffi::PQCLEAN_MLDSA65_CLEAN_CRYPTO_PUBLICKEYBYTES
+        + pqcrypto_mldsa::ffi::PQCLEAN_MLDSA65_CLEAN_CRYPTO_SECRETKEYBYTES
+        + 31;
+        //pub const MAX_MESSAGE_LENGTH: usize = MAX_KEY_MATERIAL_LENGTH;
+        pub const MAX_FIDO_WRAPPED_KEY_LENGTH: usize =  MAX_SERIALIZED_KEY_LENGTH + 57;
+    } else if #[cfg(feature = "mldsa44")] {
+        pub const MAX_SIGNATURE_LENGTH: usize = pqcrypto_mldsa::ffi::PQCLEAN_MLDSA44_CLEAN_CRYPTO_BYTES;
+        pub const MAX_KEY_MATERIAL_LENGTH: usize = pqcrypto_mldsa::ffi::PQCLEAN_MLDSA44_CLEAN_CRYPTO_PUBLICKEYBYTES
+        + pqcrypto_mldsa::ffi::PQCLEAN_MLDSA44_CLEAN_CRYPTO_SECRETKEYBYTES
+        + 31;
+        //pub const MAX_MESSAGE_LENGTH: usize = MAX_KEY_MATERIAL_LENGTH;
+        pub const MAX_FIDO_WRAPPED_KEY_LENGTH: usize =  MAX_SERIALIZED_KEY_LENGTH + 57;
+    } else {
+        // Default from before addition of PQC
+        pub const MAX_SIGNATURE_LENGTH: usize = 512 * 2;
+        // FIXME: Value from https://stackoverflow.com/questions/5403808/private-key-length-bytes for Rsa2048 Private key
+        pub const MAX_KEY_MATERIAL_LENGTH: usize = 1160 * 2 + 72;
+        //pub const MAX_MESSAGE_LENGTH: usize = 1024;
+        pub const MAX_FIDO_WRAPPED_KEY_LENGTH: usize = 128;
+    }
+}
+
+// 30 bytes are added by CBOR serialization of a FullCredential
+pub const MAX_MESSAGE_LENGTH: usize = MAX_FIDO_WRAPPED_KEY_LENGTH + 30 + 2031 + 32 + 37; // TODO: update this to use different consts for each area where this is needed

core/src/types.rs

@@ -9,7 +9,7 @@ pub use littlefs2_core::{DirEntry, Metadata, PathBuf};
 #[cfg(feature = "crypto-client")]
 use crate::api::{reply, request};
 use crate::config::{
-    MAX_KEY_MATERIAL_LENGTH, MAX_MEDIUM_DATA_LENGTH, MAX_MESSAGE_LENGTH, MAX_SHORT_DATA_LENGTH,
+    MAX_MEDIUM_DATA_LENGTH, MAX_MESSAGE_LENGTH, MAX_SERIALIZED_KEY_LENGTH, MAX_SHORT_DATA_LENGTH,
     MAX_SIGNATURE_LENGTH, MAX_USER_ATTRIBUTE_LENGTH,
 };
 
@@ -49,7 +49,7 @@ pub mod reboot {
 pub type Message = Bytes<MAX_MESSAGE_LENGTH>;
 pub type MediumData = Bytes<MAX_MEDIUM_DATA_LENGTH>;
 pub type ShortData = Bytes<MAX_SHORT_DATA_LENGTH>;
-pub type SerializedKey = Bytes<MAX_KEY_MATERIAL_LENGTH>;
+pub type SerializedKey = Bytes<MAX_SERIALIZED_KEY_LENGTH>;
 pub type Signature = Bytes<MAX_SIGNATURE_LENGTH>;
 pub type UserAttribute = Bytes<MAX_USER_ATTRIBUTE_LENGTH>;
 
@@ -594,6 +594,14 @@ generate_mechanism! {
         Rsa3072Pkcs1v15,
         #[cfg(feature = "rsa4096")]
         Rsa4096Pkcs1v15,
+
+        // Post-Quantum Cryptography
+        #[cfg(feature = "mldsa44")]
+        Mldsa44,
+        #[cfg(feature = "mldsa65")]
+        Mldsa65,
+        #[cfg(feature = "mldsa87")]
+        Mldsa87,
     }
 }
 

src/config.rs

@@ -2,12 +2,9 @@
 // Should we use the "config crate that can have a replacement patched in" idea?
 
 pub use trussed_core::config::{
-    MAX_KEY_MATERIAL_LENGTH, MAX_MEDIUM_DATA_LENGTH, MAX_MESSAGE_LENGTH, MAX_SHORT_DATA_LENGTH,
-    MAX_SIGNATURE_LENGTH, MAX_USER_ATTRIBUTE_LENGTH, SERDE_EXTENSION_REPLY_LENGTH,
-    SERDE_EXTENSION_REQUEST_LENGTH,
+    MAX_KEY_MATERIAL_LENGTH, MAX_MEDIUM_DATA_LENGTH, MAX_MESSAGE_LENGTH, MAX_SERIALIZED_KEY_LENGTH,
+    MAX_SHORT_DATA_LENGTH, MAX_SIGNATURE_LENGTH, MAX_USER_ATTRIBUTE_LENGTH,
+    SERDE_EXTENSION_REPLY_LENGTH, SERDE_EXTENSION_REQUEST_LENGTH,
 };
 
-// must be MAX_KEY_MATERIAL_LENGTH + 4
-pub const MAX_SERIALIZED_KEY_LENGTH: usize = MAX_KEY_MATERIAL_LENGTH + 4;
-
 pub const USER_ATTRIBUTE_NUMBER: u8 = 37;

src/key.rs

@@ -6,12 +6,12 @@ use serde::{de::Visitor, ser::SerializeMap, Deserialize, Serialize};
 use zeroize::Zeroize;
 
 pub use crate::Bytes;
-use crate::{
-    config::{MAX_KEY_MATERIAL_LENGTH, MAX_SERIALIZED_KEY_LENGTH},
-    Error,
-};
+use crate::Error;
+use trussed_core::config::MAX_SERIALIZED_KEY_LENGTH;
 
-pub type Material = Vec<u8, { MAX_KEY_MATERIAL_LENGTH }>;
+// Keys are often stored in serialized format (e.g. PKCS#8 used by the RSA backend),
+// so material max length must be serialized max length.
+pub type Material = Vec<u8, { MAX_SERIALIZED_KEY_LENGTH }>;
 pub type SerializedKeyBytes = Vec<u8, { MAX_SERIALIZED_KEY_LENGTH }>;
 
 // We don't implement serde to make sure nobody inadvertently still uses it
@@ -77,6 +77,13 @@ pub enum Kind {
     BrainpoolP512R1,
     X255,
     Secp256k1,
+    // Post-quantum cryptography algorithms
+    #[cfg(feature = "mldsa44")]
+    Mldsa44,
+    #[cfg(feature = "mldsa65")]
+    Mldsa65,
+    #[cfg(feature = "mldsa87")]
+    Mldsa87,
 }
 
 bitflags::bitflags! {
@@ -223,6 +230,12 @@ impl Kind {
             Kind::BrainpoolP384R1 => 13,
             Kind::BrainpoolP512R1 => 14,
             Kind::Secp256k1 => 15,
+            #[cfg(feature = "mldsa44")]
+            Kind::Mldsa44 => 16,
+            #[cfg(feature = "mldsa65")]
+            Kind::Mldsa65 => 17,
+            #[cfg(feature = "mldsa87")]
+            Kind::Mldsa87 => 18,
         }
     }
 
@@ -243,6 +256,12 @@ impl Kind {
             13 => Kind::BrainpoolP384R1,
             14 => Kind::BrainpoolP512R1,
             15 => Kind::Secp256k1,
+            #[cfg(feature = "mldsa44")]
+            16 => Kind::Mldsa44,
+            #[cfg(feature = "mldsa65")]
+            17 => Kind::Mldsa65,
+            #[cfg(feature = "mldsa87")]
+            18 => Kind::Mldsa87,
             _ => return Err(Error::InvalidSerializedKey),
         })
     }

src/store/keystore.rs

@@ -2,13 +2,13 @@ use littlefs2_core::{path, PathBuf};
 use rand_chacha::ChaCha8Rng;
 
 use crate::{
-    config::MAX_KEY_MATERIAL_LENGTH,
     error::{Error, Result},
     key,
     store::{self, Store},
     types::{KeyId, Location},
     Bytes,
 };
+use trussed_core::config::MAX_SERIALIZED_KEY_LENGTH;
 
 pub type ClientId = PathBuf;
 
@@ -181,7 +181,7 @@ impl<S: Store> Keystore for ClientKeystore<S> {
 
         let location = self.location(secrecy, id).ok_or(Error::NoSuchKey)?;
 
-        let bytes: Bytes<{ MAX_KEY_MATERIAL_LENGTH }> = store::read(&self.store, location, &path)?;
+        let bytes: Bytes<{ MAX_SERIALIZED_KEY_LENGTH }> = store::read(&self.store, location, &path)?;
 
         let key = key::Key::try_deserialize(&bytes)?;