Add unstable support for ML-DSA algorithms

.github/workflows/ci.yml

@@ -27,12 +27,15 @@ jobs:
               with:
                   components: clippy, rustfmt
             - run: cargo fmt -- --check
-            - run: cargo clippy --all-features --all-targets
+            # `fips` and `aws_lc_rs_unstable` cannot be used together, so avoid `--all-features`
+            - run: cargo clippy --features ring,pem,x509-parser --all-targets
             # rustls-cert-gen require either aws_lc_rs or ring feature
             - run: cargo clippy -p rcgen --no-default-features --all-targets
             - run: cargo clippy --no-default-features --features ring --all-targets
+            - run: cargo clippy --no-default-features --features aws_lc_rs,pem,x509-parser --all-targets
+            - run: cargo clippy --no-default-features --features aws_lc_rs_unstable,pem,x509-parser --all-targets
             - run: cargo clippy --no-default-features --features aws_lc_rs --all-targets
-            - run: cargo clippy --no-default-features --features aws_lc_rs,pem --all-targets
+            - run: cargo clippy --no-default-features --features fips,pem,x509-parser --all-targets
 
     rustdoc:
         name: Documentation
@@ -49,8 +52,16 @@ jobs:
               uses: dtolnay/rust-toolchain@master
               with:
                   toolchain: ${{ matrix.toolchain }}
-            - name: cargo doc (all features)
-              run: cargo doc --all-features --document-private-items
+            - name: cargo doc (ring)
+              run: cargo doc --features ring,pem,x509-parser --document-private-items
+              env:
+                  RUSTDOCFLAGS: ${{ matrix.toolchain == 'nightly' && '-Dwarnings --cfg=docsrs' || '-Dwarnings' }}
+            - name: cargo doc (aws_lc_rs_unstable)
+              run: cargo doc --features aws_lc_rs_unstable,pem,x509-parser --document-private-items
+              env:
+                  RUSTDOCFLAGS: ${{ matrix.toolchain == 'nightly' && '-Dwarnings --cfg=docsrs' || '-Dwarnings' }}
+            - name: cargo doc (fips)
+              run: cargo doc --no-default-features --features fips --document-private-items
               env:
                   RUSTDOCFLAGS: ${{ matrix.toolchain == 'nightly' && '-Dwarnings --cfg=docsrs' || '-Dwarnings' }}
 
@@ -70,7 +81,10 @@ jobs:
             - run: cargo install --locked cargo-check-external-types
             - name: run cargo-check-external-types for rcgen/
               working-directory: rcgen/
-              run: cargo check-external-types --all-features
+              run: cargo check-external-types --features ring,pem,x509-parser
+            - name: run cargo-check-external-types for rcgen/
+              working-directory: rcgen/
+              run: cargo check-external-types --features aws_lc_rs_unstable,pem,x509-parser
 
     semver:
         name: Check semver compatibility
@@ -94,7 +108,9 @@ jobs:
             - uses: dtolnay/rust-toolchain@master
               with:
                   toolchain: 1.71.0
-            - run: cargo check --locked --lib --all-features
+            - run: cargo check --locked --lib --features ring,pem,x509-parser
+            - run: cargo check --locked --lib --features aws_lc_rs_unstable
+            - run: cargo check --locked --lib --features fips
 
     build-windows:
         runs-on: windows-latest
@@ -214,7 +230,7 @@ jobs:
               with:
                   components: llvm-tools
             - name: Measure coverage
-              run: cargo llvm-cov --all-features --lcov --output-path ./lcov.info
+              run: cargo llvm-cov --features ring,pem,x509-parser --lcov --output-path ./lcov.info
             - name: Report to codecov.io
               uses: codecov/codecov-action@v5
               with:

Cargo.toml

@@ -1,14 +1,7 @@
 [workspace]
-members = ["rcgen", "rustls-cert-gen"]
+members = ["verify-tests", "rcgen", "rustls-cert-gen"]
 resolver = "2"
 
-[workspace.dependencies]
-aws-lc-rs = { version = "1.6.0", default-features = false }
-pem = "3.0.2"
-pki-types = { package = "rustls-pki-types", version = "1.4.1" }
-ring = "0.17"
-x509-parser = "0.18"
-
 [workspace.package]
 license = "MIT OR Apache-2.0"
 edition = "2021"
@@ -17,3 +10,19 @@ readme = "README.md"
 description = "Rust X.509 certificate generator"
 repository = "https://github.com/rustls/rcgen"
 keywords = ["mkcert", "ca", "certificate"]
+
+[workspace.dependencies]
+anyhow = "1.0.75"
+assert_fs = "1.0.13"
+aws-lc-rs = { version = "1.13.3", default-features = false }
+botan = { version = "0.12", features = ["vendored"] }
+bpaf = { version = "0.9.5", features = ["derive"] }
+openssl = "0.10"
+pem = "3.0.2"
+pki-types = { package = "rustls-pki-types", version = "1.4.1" }
+ring = "0.17"
+rustls-webpki = { version = "0.103", features = ["ring", "std"] }
+time = { version = "0.3.6", default-features = false }
+x509-parser = "0.18"
+yasna = { version = "0.5.2", features = ["time", "std"] }
+zeroize = { version = "1.2" }

rcgen/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "rcgen"
-version = "0.14.3"
+version = "0.14.4"
 documentation = "https://docs.rs/rcgen"
 description.workspace = true
 repository.workspace = true
@@ -10,6 +10,27 @@ edition.workspace = true
 rust-version.workspace = true
 keywords.workspace = true
 
+[features]
+default = ["crypto", "pem", "ring"]
+aws_lc_rs = ["crypto", "dep:aws-lc-rs", "aws-lc-rs/aws-lc-sys"]
+aws_lc_rs_unstable = ["aws_lc_rs", "aws-lc-rs/unstable"]
+fips = ["crypto", "dep:aws-lc-rs", "aws-lc-rs/fips"]
+crypto = []
+ring = ["crypto", "dep:ring"]
+
+[dependencies]
+aws-lc-rs = { workspace = true, optional = true }
+pem = { workspace = true, optional = true }
+pki-types = { workspace = true }
+ring = { workspace = true, optional = true }
+time = { workspace = true }
+x509-parser = { workspace = true, features = ["verify"], optional = true }
+yasna = { workspace = true }
+zeroize = { workspace = true, optional = true }
+
+[target."cfg(unix)".dev-dependencies]
+openssl = { workspace = true }
+
 [[example]]
 name = "rsa-irc-openssl"
 required-features = ["pem"]
@@ -22,23 +43,6 @@ required-features = ["pem", "x509-parser"]
 name = "simple"
 required-features = ["crypto", "pem"]
 
-[dependencies]
-aws-lc-rs = { workspace = true, optional = true }
-yasna = { version = "0.5.2", features = ["time", "std"] }
-ring = { workspace = true, optional = true }
-pem = { workspace = true, optional = true }
-pki-types = { workspace = true }
-time = { version = "0.3.6", default-features = false }
-x509-parser = { workspace = true, features = ["verify"], optional = true }
-zeroize = { version = "1.2", optional = true }
-
-[features]
-default = ["crypto", "pem", "ring"]
-crypto = []
-aws_lc_rs = ["crypto", "dep:aws-lc-rs", "aws-lc-rs/aws-lc-sys"]
-ring = ["crypto", "dep:ring"]
-fips = ["crypto", "dep:aws-lc-rs", "aws-lc-rs/fips"]
-
 [package.metadata.docs.rs]
 features = ["x509-parser"]
 
@@ -48,13 +52,3 @@ allowed_external_types = [
     "zeroize::Zeroize",
     "rustls_pki_types::*",
 ]
-
-[dev-dependencies]
-pki-types = { package = "rustls-pki-types", version = "1" }
-x509-parser = { workspace = true, features = ["verify"] }
-rustls-webpki = { version = "0.103", features = ["ring", "std"] }
-botan = { version = "0.12", features = ["vendored"] }
-ring = { workspace = true }
-
-[target."cfg(unix)".dev-dependencies]
-openssl = "0.10"

rcgen/src/key_pair.rs

@@ -27,6 +27,8 @@ use crate::sign_algo::{algo::*, SignAlgo};
 #[cfg(feature = "pem")]
 use crate::ENCODE_CONFIG;
 use crate::{sign_algo::SignatureAlgorithm, Error};
+#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))]
+use aws_lc_rs::unstable::signature::PqdsaKeyPair;
 
 /// A key pair variant
 #[allow(clippy::large_enum_variant)]
@@ -36,6 +38,9 @@ pub(crate) enum KeyPairKind {
 	Ec(EcdsaKeyPair),
 	/// A Ed25519 key pair
 	Ed(Ed25519KeyPair),
+	/// A Pqdsa key pair
+	#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))]
+	Pq(PqdsaKeyPair),
 	/// A RSA key pair
 	Rsa(RsaKeyPair, &'static dyn RsaEncoding),
 }
@@ -46,18 +51,14 @@ impl fmt::Debug for KeyPairKind {
 		match self {
 			Self::Ec(key_pair) => write!(f, "{key_pair:?}"),
 			Self::Ed(key_pair) => write!(f, "{key_pair:?}"),
+			#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))]
+			Self::Pq(key_pair) => write!(f, "{key_pair:?}"),
 			Self::Rsa(key_pair, _) => write!(f, "{key_pair:?}"),
 		}
 	}
 }
 
 /// A key pair used to sign certificates and CSRs
-///
-/// Note that ring, the underlying library to handle RSA keys
-/// requires them to be in a special format, meaning that
-/// `openssl genrsa` doesn't work. See ring's [documentation](ring::signature::RsaKeyPair::from_pkcs8)
-/// for how to generate RSA keys in the wanted format
-/// and conversion between the formats.
 #[cfg(feature = "crypto")]
 pub struct KeyPair {
 	pub(crate) kind: KeyPairKind,
@@ -117,6 +118,17 @@ impl KeyPair {
 					serialized_der: key_pair_serialized,
 				})
 			},
+			#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))]
+			SignAlgo::PqDsa(sign_alg) => {
+				let key_pair = PqdsaKeyPair::generate(sign_alg)._err()?;
+				let key_pair_serialized = key_pair.to_pkcs8()._err()?.as_ref().to_vec();
+
+				Ok(KeyPair {
+					kind: KeyPairKind::Pq(key_pair),
+					alg,
+					serialized_der: key_pair_serialized,
+				})
+			},
 			#[cfg(feature = "aws_lc_rs")]
 			SignAlgo::Rsa(sign_alg) => Self::generate_rsa_inner(alg, sign_alg, KeySize::Rsa2048),
 			// Ring doesn't have RSA key generation yet:
@@ -378,9 +390,12 @@ impl KeyPair {
 
 	/// Get the raw public key of this key pair
 	///
-	/// The key is in raw format, as how [`ring::signature::KeyPair::public_key`]
-	/// would output, and how [`ring::signature::UnparsedPublicKey::verify`]
+	/// The key is in raw format, as how [`KeyPair::public_key()`][public_key]
+	/// would output, and how [`UnparsedPublicKey::verify()`][verify]
 	/// would accept.
+	///
+	/// [public_key]: crate::ring_like::signature::KeyPair::public_key()
+	/// [verify]: crate::ring_like::signature::UnparsedPublicKey::verify()
 	pub fn public_key_raw(&self) -> &[u8] {
 		self.der_bytes()
 	}
@@ -436,6 +451,12 @@ impl SigningKey for KeyPair {
 				signature.as_ref().to_owned()
 			},
 			KeyPairKind::Ed(kp) => kp.sign(msg).as_ref().to_owned(),
+			#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))]
+			KeyPairKind::Pq(kp) => {
+				let mut signature = vec![0; kp.algorithm().signature_len()];
+				kp.sign(msg, &mut signature)._err()?;
+				signature
+			},
 			KeyPairKind::Rsa(kp, padding_alg) => {
 				let system_random = SystemRandom::new();
 				let mut signature = vec![0; rsa_key_pair_public_modulus_len(kp)];
@@ -453,6 +474,8 @@ impl PublicKeyData for KeyPair {
 		match &self.kind {
 			KeyPairKind::Ec(kp) => kp.public_key().as_ref(),
 			KeyPairKind::Ed(kp) => kp.public_key().as_ref(),
+			#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))]
+			KeyPairKind::Pq(kp) => kp.public_key().as_ref(),
 			KeyPairKind::Rsa(kp, _) => kp.public_key().as_ref(),
 		}
 	}

rcgen/src/oid.rs

@@ -25,6 +25,13 @@ pub(crate) const EC_SECP_384_R1: &[u64] = &[1, 3, 132, 0, 34];
 #[cfg(feature = "aws_lc_rs")]
 pub(crate) const EC_SECP_521_R1: &[u64] = &[1, 3, 132, 0, 35];
 
+#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))]
+pub(crate) const ML_DSA_44: &[u64] = &[2, 16, 840, 1, 101, 3, 4, 3, 17];
+#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))]
+pub(crate) const ML_DSA_65: &[u64] = &[2, 16, 840, 1, 101, 3, 4, 3, 18];
+#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))]
+pub(crate) const ML_DSA_87: &[u64] = &[2, 16, 840, 1, 101, 3, 4, 3, 19];
+
 /// rsaEncryption in [RFC 4055](https://www.rfc-editor.org/rfc/rfc4055#section-6)
 pub(crate) const RSA_ENCRYPTION: &[u64] = &[1, 2, 840, 113549, 1, 1, 1];