Fix SLH-DSA DER encoding to match RFC 9909 / OpenSSL 3.5

claude · claude · commit 293c5401ec67 · 2026-04-13T20:28:27.000Z
RFC 9909 Section 6: The privateKey field in OneAsymmetricKey contains the raw key bytes (SK.seed || SK.prf || PK.seed || PK.root) directly in the OCTET STRING, without a nested OCTET STRING wrapper. This differs from Ed25519/Ed448 which wrap the key in an additional OCTET STRING inside the privateKey field. The previous implementation used DecodeAsymKey/SetAsymKeyDer which add the nested wrapping, making wolfssl-generated keys incompatible with OpenSSL 3.5+ and vice versa. PrivateKeyDecode: Parse PKCS#8 OneAsymmetricKey directly using GetSequence/GetMyVersion/GetAlgoId/GetOctetString, mapping the AlgorithmIdentifier OID to the correct SlhDsaParam. KeyToDer/PrivateKeyToDer: Build PKCS#8 directly using SetSequence/SetMyVersion/SetAlgoID/SetOctetString with a single (not nested) OCTET STRING for the raw key. PublicKeyDecode/PublicKeyToDer: Keep using DecodeAsymKeyPublic/ SetAsymKeyDerPublic since SubjectPublicKeyInfo uses BIT STRING (not OCTET STRING) and the public key format is the same. Also fix MIN_SLHDSAKEY_SZ: The key size check in ProcessBufferTryDecodeSlhDsa compares the public key length against minSlhDsaKeySz. The smallest public key is 32 bytes (SHAKE-128), so MIN_SLHDSAKEY_SZ must be 32 (not 64). Tested: OpenSSL 3.5.6-generated SLH-DSA-SHAKE-128f private keys now load successfully via wolfSSL_CTX_use_PrivateKey_file. https://claude.ai/code/session_019gqvW3ZMKGGyi6zCRNPDYV
diff --git a/wolfcrypt/src/wc_slhdsa.c b/wolfcrypt/src/wc_slhdsa.c
@@ -7352,132 +7352,164 @@ static int slhdsa_param_to_keytype(enum SlhDsaParam param)
     }
 }
 
-/* Decode a DER-encoded SLH-DSA private key.
+/* Map OID key type back to SlhDsaParam. */
+static int slhdsa_keytype_to_param(int keytype)
+{
+    switch (keytype) {
+#ifndef WOLFSSL_SLHDSA_NO_128
+    #ifndef WOLFSSL_SLHDSA_NO_SMALL
+        case SLH_DSA_SHAKE_128Sk: return SLHDSA_SHAKE128S;
+    #endif
+    #ifndef WOLFSSL_SLHDSA_NO_FAST
+        case SLH_DSA_SHAKE_128Fk: return SLHDSA_SHAKE128F;
+    #endif
+#endif
+#ifndef WOLFSSL_SLHDSA_NO_192
+    #ifndef WOLFSSL_SLHDSA_NO_SMALL
+        case SLH_DSA_SHAKE_192Sk: return SLHDSA_SHAKE192S;
+    #endif
+    #ifndef WOLFSSL_SLHDSA_NO_FAST
+        case SLH_DSA_SHAKE_192Fk: return SLHDSA_SHAKE192F;
+    #endif
+#endif
+#ifndef WOLFSSL_SLHDSA_NO_256
+    #ifndef WOLFSSL_SLHDSA_NO_SMALL
+        case SLH_DSA_SHAKE_256Sk: return SLHDSA_SHAKE256S;
+    #endif
+    #ifndef WOLFSSL_SLHDSA_NO_FAST
+        case SLH_DSA_SHAKE_256Fk: return SLHDSA_SHAKE256F;
+    #endif
+#endif
+        default:
+            return BAD_FUNC_ARG;
+    }
+}
+
+/* Find SlhDsaParameters entry for a given param enum. */
+static const SlhDsaParameters* slhdsa_find_params(enum SlhDsaParam param)
+{
+    int i;
+    for (i = 0; i < SLHDSA_PARAM_LEN; i++) {
+        if (SlhDsaParams[i].param == param) {
+            return &SlhDsaParams[i];
+        }
+    }
+    return NULL;
+}
+
+/* Decode a DER-encoded SLH-DSA private key (PKCS#8 / OneAsymmetricKey).
+ *
+ * RFC 9909 Section 6: The privateKey OCTET STRING contains the raw
+ * concatenation SK.seed || SK.prf || PK.seed || PK.root (4*n bytes)
+ * directly, without a nested OCTET STRING wrapper. This differs from
+ * Ed25519/Ed448 which wrap the key in an additional OCTET STRING.
  *
- * The parameter set is detected from the OID in the DER encoding. On
- * success, key->params is updated to match the detected parameter set.
- * The key must be initialized (via wc_SlhDsaKey_Init) before calling this
- * function; the initial parameter is used only as a placeholder.
+ * The parameter set is detected from the AlgorithmIdentifier OID.
+ * On success, key->params is updated to match the detected parameter set.
  *
  * @param [in]      input     DER-encoded key data.
  * @param [in, out] inOutIdx  Index into input, updated on return.
  * @param [in, out] key       SLH-DSA key. Parameter set is auto-detected.
  * @param [in]      inSz      Size of input in bytes.
  * @return  0 on success.
  * @return  BAD_FUNC_ARG when input, inOutIdx, or key is NULL.
- * @return  ASN_PARSE_E when OID does not match any supported SLH-DSA param.
+ * @return  ASN_PARSE_E when the DER cannot be parsed as an SLH-DSA key.
  */
 int wc_SlhDsaKey_PrivateKeyDecode(const byte* input, word32* inOutIdx,
     SlhDsaKey* key, word32 inSz)
 {
-    int ret = ASN_PARSE_E;
-    byte privKey[WC_SLHDSA_MAX_PRIV_LEN];
-    byte pubKey[WC_SLHDSA_MAX_PUB_LEN];
-    word32 privKeyLen = 0;
-    word32 pubKeyLen = 0;
-    word32 savedIdx;
-    int i;
-    const SlhDsaParameters* matched = NULL;
+    int ret = 0;
+    int length;
+    int version;
+    word32 oid = 0;
+    int privSz;
+    int paramId;
+    const SlhDsaParameters* params;
 
     if ((input == NULL) || (inOutIdx == NULL) || (key == NULL) || (inSz == 0)) {
         return BAD_FUNC_ARG;
     }
 
-    savedIdx = *inOutIdx;
+    /* Parse PKCS#8 OneAsymmetricKey wrapper:
+     * SEQUENCE { version, AlgorithmIdentifier { OID }, OCTET STRING { key } }
+     */
+    if (GetSequence(input, inOutIdx, &length, inSz) < 0) {
+        return ASN_PARSE_E;
+    }
 
-    /* Try each compiled-in parameter set until one matches the OID in the
-     * DER encoding. DecodeAsymKey validates the OID against the requested
-     * keytype, so a mismatch returns an error without consuming input. */
-    for (i = 0; i < SLHDSA_PARAM_LEN; i++) {
-        int keytype = slhdsa_param_to_keytype(SlhDsaParams[i].param);
-        word32 idx = savedIdx;
-        word32 pkLen = (word32)sizeof(privKey);
-        word32 pbLen = (word32)sizeof(pubKey);
+    if (GetMyVersion(input, inOutIdx, &version, inSz) < 0) {
+        return ASN_PARSE_E;
+    }
+    if (version != 0) {
+        return ASN_PARSE_E;
+    }
 
-        if (keytype < 0) {
-            continue;
-        }
+    if (GetAlgoId(input, inOutIdx, &oid, oidKeyType, inSz) < 0) {
+        return ASN_PARSE_E;
+    }
 
-        ret = DecodeAsymKey(input, &idx, inSz, privKey, &pkLen,
-                            pubKey, &pbLen, keytype);
-        if (ret == 0) {
-            /* OID matched - record detected parameter set. */
-            matched = &SlhDsaParams[i];
-            *inOutIdx = idx;
-            privKeyLen = pkLen;
-            pubKeyLen = pbLen;
-            break;
-        }
+    /* Map the OID to an SLH-DSA parameter set. */
+    paramId = slhdsa_keytype_to_param((int)oid);
+    if (paramId < 0) {
+        return ASN_PARSE_E;
+    }
+    params = slhdsa_find_params((enum SlhDsaParam)paramId);
+    if (params == NULL) {
+        return ASN_PARSE_E;
     }
 
-    if (ret == 0 && matched != NULL) {
-        /* Point the key at the detected parameter set so subsequent import
-         * and size queries use the right values. */
-        key->params = matched;
+    /* RFC 9909: privateKey is a bare OCTET STRING containing the raw key
+     * (4*n bytes). No nested OCTET STRING wrapping. */
+    if (GetOctetString(input, inOutIdx, &privSz, inSz) < 0) {
+        return ASN_PARSE_E;
+    }
 
-        if (pubKeyLen == 0) {
-            ret = wc_SlhDsaKey_ImportPrivate(key, privKey, privKeyLen);
-        }
-        else {
-            /* Private key includes public key in SLH-DSA: reconstruct full
-             * key = sk_seed || sk_prf || pk_seed || pk_root */
-            int n = key->params->n;
-            if ((int)privKeyLen == n * 4) {
-                /* Full private key already includes public portion. */
-                ret = wc_SlhDsaKey_ImportPrivate(key, privKey, privKeyLen);
-            }
-            else if ((int)privKeyLen == n * 2 && (int)pubKeyLen == n * 2) {
-                /* sk_seed || sk_prf separate from pk_seed || pk_root. */
-                byte combined[WC_SLHDSA_MAX_PRIV_LEN];
-                XMEMCPY(combined, privKey, privKeyLen);
-                XMEMCPY(combined + privKeyLen, pubKey, pubKeyLen);
-                ret = wc_SlhDsaKey_ImportPrivate(key, combined,
-                    privKeyLen + pubKeyLen);
-                ForceZero(combined, sizeof(combined));
-            }
-            else {
-                ret = BAD_FUNC_ARG;
-            }
-        }
+    if (privSz != params->n * 4) {
+        return ASN_PARSE_E;
+    }
+
+    /* Update the key's parameter set to the detected one. */
+    key->params = params;
+
+    /* Import the raw private key: SK.seed || SK.prf || PK.seed || PK.root */
+    ret = wc_SlhDsaKey_ImportPrivate(key, input + *inOutIdx, (word32)privSz);
+    if (ret == 0) {
+        *inOutIdx += (word32)privSz;
     }
 
-    ForceZero(privKey, sizeof(privKey));
     return ret;
 }
 
-/* Decode a DER-encoded SLH-DSA public key.
+/* Decode a DER-encoded SLH-DSA public key (SubjectPublicKeyInfo).
  *
- * The parameter set is detected from the OID in the DER encoding. On
- * success, key->params is updated to match the detected parameter set.
+ * The parameter set is detected from the AlgorithmIdentifier OID.
+ * On success, key->params is updated to match the detected parameter set.
  *
  * @param [in]      input     DER-encoded key data.
  * @param [in, out] inOutIdx  Index into input, updated on return.
  * @param [in, out] key       SLH-DSA key. Parameter set is auto-detected.
  * @param [in]      inSz      Size of input in bytes.
  * @return  0 on success.
  * @return  BAD_FUNC_ARG when input, inOutIdx, or key is NULL.
- * @return  ASN_PARSE_E when OID does not match any supported SLH-DSA param.
+ * @return  ASN_PARSE_E when the DER cannot be parsed as an SLH-DSA key.
  */
 int wc_SlhDsaKey_PublicKeyDecode(const byte* input, word32* inOutIdx,
     SlhDsaKey* key, word32 inSz)
 {
     int ret = ASN_PARSE_E;
     byte pubKey[WC_SLHDSA_MAX_PUB_LEN];
     word32 pubKeyLen = 0;
-    word32 savedIdx;
     int i;
     const SlhDsaParameters* matched = NULL;
 
     if ((input == NULL) || (inOutIdx == NULL) || (key == NULL) || (inSz == 0)) {
         return BAD_FUNC_ARG;
     }
 
-    savedIdx = *inOutIdx;
-
-    /* Try each compiled-in parameter set until one matches the OID. */
+    /* Try each compiled-in parameter set against the OID in the SPKI. */
     for (i = 0; i < SLHDSA_PARAM_LEN; i++) {
         int keytype = slhdsa_param_to_keytype(SlhDsaParams[i].param);
-        word32 idx = savedIdx;
+        word32 idx = *inOutIdx;
         word32 pkLen = (word32)sizeof(pubKey);
 
         if (keytype < 0) {
@@ -7538,18 +7570,27 @@ int wc_SlhDsaKey_PublicKeyToDer(SlhDsaKey* key, byte* output, word32 inLen,
     return ret;
 }
 
-/* Encode an SLH-DSA key (private + public) to DER.
+/* Encode an SLH-DSA private key to DER (PKCS#8 / OneAsymmetricKey).
+ *
+ * RFC 9909: The privateKey OCTET STRING contains the raw 4*n bytes
+ * (SK.seed || SK.prf || PK.seed || PK.root) directly, without a nested
+ * OCTET STRING wrapper. This differs from Ed25519/Ed448 which use a
+ * double OCTET STRING wrapping.
+ *
+ * Pass NULL for output to get the required buffer size.
  *
  * @param [in]  key       SLH-DSA key object.
- * @param [out] output    Buffer to put encoded data in.
+ * @param [out] output    Buffer to put encoded data in (or NULL for size).
  * @param [in]  inLen     Size of buffer in bytes.
  * @return  Size of encoded data in bytes on success.
  * @return  BAD_FUNC_ARG when key is NULL.
+ * @return  BUFFER_E when output buffer is too small.
  */
 int wc_SlhDsaKey_KeyToDer(SlhDsaKey* key, byte* output, word32 inLen)
 {
     int keytype;
     int n;
+    word32 privSz, algoSz, verSz, seqSz, sz;
 
     if ((key == NULL) || (key->params == NULL)) {
         return BAD_FUNC_ARG;
@@ -7561,24 +7602,48 @@ int wc_SlhDsaKey_KeyToDer(SlhDsaKey* key, byte* output, word32 inLen)
     }
 
     n = key->params->n;
-    /* Private key portion: sk_seed || sk_prf (first 2*n bytes)
-     * Public key portion:  pk_seed || pk_root (last 2*n bytes) */
-    return SetAsymKeyDer(key->sk, (word32)(n * 2), key->sk + n * 2,
-                         (word32)(n * 2), output, inLen, keytype);
+    /* RFC 9909: bare OCTET STRING containing 4*n raw key bytes */
+    privSz = SetOctetString((word32)(n * 4), NULL) + (word32)(n * 4);
+    algoSz = SetAlgoID(keytype, NULL, oidKeyType, 0);
+    verSz  = 3;
+    seqSz  = SetSequence(verSz + algoSz + privSz, NULL);
+    sz     = seqSz + verSz + algoSz + privSz;
+
+    if (output == NULL) {
+        return (int)sz;
+    }
+    if (sz > inLen) {
+        return BUFFER_E;
+    }
+
+    {
+        word32 idx = 0;
+        idx += SetSequence(verSz + algoSz + privSz, output + idx);
+        SetMyVersion(0, output + idx, FALSE);
+        idx += verSz;
+        idx += SetAlgoID(keytype, output + idx, oidKeyType, 0);
+        idx += SetOctetString((word32)(n * 4), output + idx);
+        XMEMCPY(output + idx, key->sk, (word32)(n * 4));
+        idx += (word32)(n * 4);
+        return (int)idx;
+    }
 }
 
-/* Encode an SLH-DSA private key only to DER.
+/* Encode an SLH-DSA private key only (sk_seed || sk_prf) to DER.
+ * Same PKCS#8 format but with only the secret portion (2*n bytes).
  *
  * @param [in]  key       SLH-DSA key object.
- * @param [out] output    Buffer to put encoded data in.
+ * @param [out] output    Buffer to put encoded data in (or NULL for size).
  * @param [in]  inLen     Size of buffer in bytes.
  * @return  Size of encoded data in bytes on success.
  * @return  BAD_FUNC_ARG when key is NULL.
+ * @return  BUFFER_E when output buffer is too small.
  */
 int wc_SlhDsaKey_PrivateKeyToDer(SlhDsaKey* key, byte* output, word32 inLen)
 {
     int keytype;
     int n;
+    word32 privSz, algoSz, verSz, seqSz, sz;
 
     if ((key == NULL) || (key->params == NULL)) {
         return BAD_FUNC_ARG;
@@ -7590,8 +7655,30 @@ int wc_SlhDsaKey_PrivateKeyToDer(SlhDsaKey* key, byte* output, word32 inLen)
     }
 
     n = key->params->n;
-    return SetAsymKeyDer(key->sk, (word32)(n * 2), NULL, 0, output, inLen,
-                         keytype);
+    privSz = SetOctetString((word32)(n * 2), NULL) + (word32)(n * 2);
+    algoSz = SetAlgoID(keytype, NULL, oidKeyType, 0);
+    verSz  = 3;
+    seqSz  = SetSequence(verSz + algoSz + privSz, NULL);
+    sz     = seqSz + verSz + algoSz + privSz;
+
+    if (output == NULL) {
+        return (int)sz;
+    }
+    if (sz > inLen) {
+        return BUFFER_E;
+    }
+
+    {
+        word32 idx = 0;
+        idx += SetSequence(verSz + algoSz + privSz, output + idx);
+        SetMyVersion(0, output + idx, FALSE);
+        idx += verSz;
+        idx += SetAlgoID(keytype, output + idx, oidKeyType, 0);
+        idx += SetOctetString((word32)(n * 2), output + idx);
+        XMEMCPY(output + idx, key->sk, (word32)(n * 2));
+        idx += (word32)(n * 2);
+        return (int)idx;
+    }
 }
 #endif /* WC_ENABLE_ASYM_KEY_EXPORT */
 
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
@@ -1931,7 +1931,7 @@ WOLFSSL_LOCAL int NamedGroupIsPqcHybrid(int group);
 #endif
 #ifdef WOLFSSL_HAVE_SLHDSA
 #ifndef MIN_SLHDSAKEY_SZ
-    #define MIN_SLHDSAKEY_SZ    64  /* smallest SLH-DSA priv key (SHAKE-128) */
+    #define MIN_SLHDSAKEY_SZ    32  /* smallest SLH-DSA pub key (SHAKE-128) */
 #endif
 #endif
 
