Skip to content

ML-DSA Pure Cert Support#251

Open
stenslae wants to merge 2 commits into
wolfSSL:mainfrom
stenslae:ml-dsa-cert
Open

ML-DSA Pure Cert Support#251
stenslae wants to merge 2 commits into
wolfSSL:mainfrom
stenslae:ml-dsa-cert

Conversation

@stenslae

@stenslae stenslae commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown
Member
  • Self-signed certificate (CA) and CSR generation
  • CA-based certificate signing
  • Certificate verification (leaf certificates validated directly against a provided CA)
  • Includes updated documentation and test coverage for ML-DSA workflows

Notes:

  • X.509 extensions are currently not fully supported for ML-DSA
  • wolfssl-x509(1) -text cannot fully decode ML-DSA SubjectPublicKey
  • ML-DSA verification is simplified, ignored untrusted intermediates, no CRL or revocation checking.

@stenslae stenslae self-assigned this Jun 16, 2026
wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed Jun 16, 2026
View reviewed changes

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #251

Scan targets checked: wolfclu-bugs, wolfclu-src

Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread src/x509/clu_mldsa.c Outdated
Comment thread src/sign-verify/clu_x509_verify.c
stenslae
stenslae commented Jun 16, 2026
View reviewed changes
Comment thread src/sign-verify/clu_x509_verify.c
@stenslae stenslae force-pushed the ml-dsa-cert branch 2 times, most recently from 7b1ecb7 to 915636c Compare June 16, 2026 20:12
stenslae
stenslae commented Jun 16, 2026
View reviewed changes
Comment thread src/x509/clu_mldsa.c Outdated
wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed Jun 16, 2026
View reviewed changes

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #251

Scan targets checked: wolfclu-bugs, wolfclu-src

Findings: 3
3 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread src/x509/clu_mldsa.c
Comment thread src/x509/clu_mldsa.c
Comment thread src/x509/clu_mldsa.c Outdated
stenslae
stenslae commented Jun 16, 2026
View reviewed changes
Comment thread src/x509/clu_mldsa.c
stenslae
stenslae commented Jun 16, 2026
View reviewed changes
Comment thread src/x509/clu_mldsa.c Outdated
stenslae
stenslae commented Jun 16, 2026
View reviewed changes
Comment thread src/x509/clu_mldsa.c
wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed Jun 16, 2026
View reviewed changes

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #251

Scan targets checked: wolfclu-bugs, wolfclu-src

Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread src/x509/clu_mldsa.c Outdated
Comment thread src/sign-verify/clu_x509_verify.c
stenslae
stenslae commented Jun 16, 2026
View reviewed changes
Comment thread src/x509/clu_mldsa.c Outdated
stenslae
stenslae commented Jun 16, 2026
View reviewed changes
Comment thread src/sign-verify/clu_x509_verify.c
wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed Jun 16, 2026
View reviewed changes

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #251

Scan targets checked: wolfclu-bugs, wolfclu-src

Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread src/sign-verify/clu_x509_verify.c
Comment thread src/x509/clu_mldsa.c
int csrIsCA = wolfSSL_X509_get_isCA(x509);
int ku = wolfSSL_X509_get_keyUsage(x509);

if (csrIsCA && caCert != NULL) {

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot Jun 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [Medium] ML-DSA CA signing honors CSR-requested CA:TRUE / keyUsage · Certificate validation bypass

When an ML-DSA CA signs a CSR, cert->isCA and cert->keyUsage are taken directly from the requester's CSR via wolfSSL_X509_get_isCA/wolfSSL_X509_get_keyUsage. A CSR asserting basicConstraints CA:TRUE causes the CA to issue a CA-capable (sub-CA) certificate to the requester.

Fix: For CA-issued (non-self-signed) certs, set basicConstraints/keyUsage from CA policy/config rather than the CSR, defaulting to CA:FALSE.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@stenslae stenslae

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@stenslae @wolfSSL-Fenrir-bot