Roadmap towards PQC support (ML-DSA)

[restena-sw]

Yubico has recently demo'ed a Yubikey with ML-DSA support for FIDO usage. Time to start thinking what it takes to make the code fit for PQC support.

• Keys are extracted using the library web-auth/cose-lib. That library does not currently support ML-DSA keys (https://github.com/web-auth/cose-lib/blob/4.6.x/src/Key/Key.php)
• actual signature checks are done with openssl_verify and the public key loaded with openssl_pkey_get_public. Currently unknown whether recent PHP supports handling of ML-DSA keys.
• underlying openssl library in version 3.5.0+ DOES support ML-DSA keys.

I will run some tests with openssl and the openssl_* functions in PHP to determine how far we can get on that front.

[restena-sw]

openssl genpkey -algorithm ML-DSA-44 -out 44-private.pem
openssl genpkey -algorithm ML-DSA-65 -out 65-private.pem
openssl genpkey -algorithm ML-DSA-87 -out 87-private.pem
openssl pkey -in 44-private.pem -pubout -out 44-public.pem
openssl pkey -in 65-private.pem -pubout -out 65-public.pem
openssl pkey -in 87-private.pem -pubout -out 87-public.pem

worked fine, and testing in PHP is with a simple snippet like:

<?php
$keys = [
  44 => file_get_contents("44-public.pem"),
  65 => file_get_contents("65-public.pem"),
  87 => file_get_contents("87-public.pem"),
];

foreach ($keys as $bits => $key) {
        $keyResource = openssl_pkey_get_public($key);
        if ($keyResource === FALSE) {
                printf("Key $bits could not be parsed.\n");
                continue;
        }
        printf("Key details for key $bits : ".print_r(openssl_pkey_get_details($keyResource), true).".\n");
        printf("Signature validation for key $bits yields (expected is 0): ".print_r(openssl_verify("NonsenseData","invalidSig",$keyResource, OPENSSL_ALGO_SHA256), true).".\n");
}

With PHP 8.3.30, the openssl_pkey_get_details() shows a "type = -1" and openssl_verify() returns -1 instead of the expected 0.
With PHP 8.4.18, the openssl_pkey_get_details() shows a "type = -1" and openssl_verify() returns the expected 0.
With PHP 8.5.3, the openssl_pkey_get_details() shows a "type = -1" and openssl_verify() returns -1 instead of the expected 0.

It is somewhat hard to believe that this worked half-baked in 8.4 but then broke again in 8.5? In any case, not a reliable basis to work from.

[tvdijen]

PHP's openssl-implementation is lightyears behind and is known for breaking stuff between versions. For simplesamlphp/xml-security we want to make the move to phpseclib/phpseclib someday.