Expose the EC field degree as a gettable parameter for both provided
and legacy EC keys. In the latter case, drop a spurious assertion,
since even in debug builds an application may try to get an unknown
parameter, and this should return an error rather than abort.
In the EC `TEXT` encoding format, instead of reporting the bit count of
the group order, report the field degree (which matches the size number
in the curve's name when present) and also the symmetric-equivalent
security-bits (adjusted down the the standard numbers (80, 112, 128,
192, 256).
Along the way, add a missing getter method for the EC_GROUP security
bits.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Jan 15 16:10:26 2026
(Merged from https://github.com/openssl/openssl/pull/29539)
We support selection of ML-KEM and ML-DSA key formats on input and
output at the provider level, these are essentially global defaults,
in effect for the lifetime of the process.
Unfortunately, the JAVA interface in openssl-jostle needs to be able to
output a specific key in seed-only form. To that end, this PR
introduces a new "output-formats" PKEY encoding parameter, that can be used
with OSSL_ENCODER_CTX_set_params(3) when encoding a key to PKCS#8, after
using OSSL_ENCODER_CTX_new_for_key(3), rather than i2d_PrivateKey(3),
i2d_PKCS8PrivateKey(3) or PEM equivalents.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29206)
The decoders in some cases failed to capture or propagate
information about what is being decoded, causing more work
happen to try unrelated decoders as a fallback.
We now try harder to keep track of the expected object (private key or
public key, if known), and the algorithm determined from the OID of a
PKCS8 object or SPKI. This leads in many cases to fewer decoder
invocations. With so many more algorithms now, trying every decoder
is increasingly best avoided.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26892)
- When a PKCS#8 has both seed and key cross check the implicit
rejection value |z|
- When an import (EVP_PKEY_fromdata call) provides both a private
and public key, fail if the redundant public key does not match
the copy in the private key.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26656)
- The main ASN.1 private key syntax is the one from Russ Housley's post
on the LAMPS list, subsequently amended to tag the seed instead of the
key (each of the three parameter sets will have a fixed size for the
`expandedKey`):
ML-DSA-PrivateKey ::= CHOICE {
seed [0] IMPLICIT OCTET STRING SIZE (64),
expandedKey OCTET STRING SIZE (1632 | 2400 | 3168)
both SEQUENCE {
seed OCTET STRING SIZE (64),
expandedKey OCTET STRING SIZE (1632 | 2400 | 3168) } }
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26639)
- Moved the codec code out of `ml_kem.c` into its own file in
the provider tree. Will be easier to share some code with
ML-DSA, and possible to use PROV_CTX, to do config lookups
directly in the functions doing the work.
- Update and fixes of the EVP_PKEY-ML-KEM(8) documentation, which
had accumulated some stale/inaccurate material, and needed new
text for the "prefer_seed" parameter.
- Test the "prefer_seed=no" behaviour.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26569)
- On import, if a seed is provided, the keys are regenerated.
- The seed is exported as a separate "seed" parameter, when available.
The "ml-kem.retain_seed" parameter is also exported, when false.
- The seed is optionally dropped after key generation.
* When the "ml-kem.retain_seed" keygen parameter is set to zero.
* When the "ml-kem.retain_seed" keygen parameter is not set to 1,
and the "ml-kem.retain_seed" provider config property is set
explictly false.
- The exported private key parameter "priv" is always the FIPS 203 |dk|.
- Private key decoding from PKCS#8 produces a transient "seed-only" form
of the key, in which "retain_seed" is set to false when the
"ml-kem.retain_seed" provider config property is set explictly false.
The full key is generated during "load" and the seed is retained
or not as specified.
- Import honours the "ml-kem.retain_seed" parameter when specified, or
otherwise honours the provider's "ml-kem.retain_seed" property.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26512)
- Same UX as ML-KEM. The main ASN.1 private key syntax is the one from
Russ Housley's post on the LAMPS list, subsequently amended to tag the
seed instead of the key (each of the three parameter sets will have a
fixed size for the `expandedKey`):
ML-DSA-PrivateKey ::= CHOICE {
seed [0] IMPLICIT OCTET STRING SIZE (32),
expandedKey OCTET STRING SIZE (2560 | 4032 | 4896)
both SEQUENCE {
seed OCTET STRING SIZE (32),
expandedKey OCTET STRING SIZE (2560 | 4032 | 4896) } }
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26638)
