Add LMS key_update callback

guanzhi · guanzhi · commit 94881281543b · 2026-01-18T12:12:45.000+08:00
diff --git a/include/gmssl/lms.h b/include/gmssl/lms.h
diff --git a/src/lms.c b/src/lms.c
diff --git a/src/x509_key.c b/src/x509_key.c
@@ -162,7 +162,7 @@ int x509_public_key_print(FILE *fp, int fmt, int ind, const char *label, const X
 		}
 		break;
 	case OID_lms_hashsig:
-		if (lms_public_key_print(fp, fmt, ind, label, &key->u.lms_key.public_key) != 1) {
+		if (lms_public_key_print(fp, fmt, ind, label, &key->u.lms_key) != 1) {
 			error_print();
 			return -1;
 		}
diff --git a/tests/lmstest.c b/tests/lmstest.c
@@ -294,7 +294,7 @@ static int test_lms_key_generate(void)
 		error_print();
 		return -1;
 	}
-	//lms_key_print(stdout, 0, 0, "lms_key", &lms_key);
+	lms_private_key_print(stdout, 0, 0, "lms_private_key", &lms_key);
 
 	printf("%s() ok\n", __FUNCTION__);
 	return 1;
@@ -341,13 +341,13 @@ static int test_lms_key_to_bytes(void)
 		error_print();
 		return -1;
 	}
-	lms_key_print(stdout, 0, 4, "lms_public_key", &key);
+	lms_public_key_print(stdout, 0, 4, "lms_public_key", &key);
 
 	if (lms_private_key_from_bytes(&key, &cp, &len) != 1) {
 		error_print();
 		return -1;
 	}
-	lms_key_print(stdout, 0, 4, "lms_private_key", &key);
+	lms_private_key_print(stdout, 0, 4, "lms_private_key", &key);
 	if (len != 0) {
 		error_print();
 		return -1;
@@ -539,7 +539,7 @@ static int test_hss_key_generate(void)
 	}
 
 	hss_public_key_print(stdout, 0, 4, "hss_public_key", &key);
-	hss_key_print(stdout, 0, 4, "hss_key", &key);
+	hss_private_key_print(stdout, 0, 4, "hss_key", &key);
 
 	printf("%s() ok\n", __FUNCTION__);
 	return 1;
@@ -799,7 +799,7 @@ static int test_hss_key_to_bytes(void)
 		error_print();
 		return -1;
 	}
-	hss_key_print(stdout, 0, 4, "lms_private_key", &key);
+	hss_private_key_print(stdout, 0, 4, "lms_private_key", &key);
 	if (len != 0) {
 		error_print();
 		return -1;
@@ -868,7 +868,7 @@ static int test_hss_sign_level2(void)
 		error_print();
 		return -1;
 	}
-	hss_key_print(stderr, 0, 4, "hss_key", &key);
+	hss_private_key_print(stderr, 0, 4, "hss_key", &key);
 
 
 	if (hss_sign_init(&ctx, &key) != 1) {
@@ -916,7 +916,7 @@ static int test_hss_sign(void)
 		error_print();
 		return -1;
 	}
-	hss_key_print(stderr, 0, 4, "hss_key", &key);
+	hss_private_key_print(stderr, 0, 4, "hss_key", &key);
 
 
 	if (hss_sign_init(&ctx, &key) != 1) {
@@ -951,6 +951,7 @@ static int test_hss_sign(void)
 	return 1;
 }
 
+/*
 static int test_hss_public_key_algor(void)
 {
 	int lms_types[] = {
@@ -1025,7 +1026,7 @@ static int test_hss_public_key_algor(void)
 	return 1;
 
 }
-
+*/
 
 int main(void)
 {
@@ -1048,7 +1049,7 @@ int main(void)
 	if (test_hss_sign_level1() != 1) goto err;
 	if (test_hss_sign_level2() != 1) goto err;
 	if (test_hss_sign() != 1) goto err;
-	if (test_hss_public_key_algor() != 1) goto err;
+//	if (test_hss_public_key_algor() != 1) goto err;
 
 	printf("%s all tests passed\n", __FILE__);
 	return 0;
diff --git a/tools/gmssl.c b/tools/gmssl.c
@@ -64,7 +64,7 @@ extern int tls12_client_main(int argc, char **argv);
 extern int tls12_server_main(int argc, char **argv);
 extern int tls13_client_main(int argc, char **argv);
 extern int tls13_server_main(int argc, char **argv);
-#ifdef ENABLE_LMS_HSS
+#ifdef ENABLE_LMS
 extern int lmskeygen_main(int argc, char **argv);
 extern int lmssign_main(int argc, char **argv);
 extern int lmsverify_main(int argc, char **argv);
@@ -154,7 +154,7 @@ static const char *options =
 	"  cmsdecrypt        Decrypt CMS EnvelopedData\n"
 	"  cmssign           Generate CMS SignedData\n"
 	"  cmsverify         Verify CMS SignedData\n"
-#ifdef ENABLE_LMS_HSS
+#ifdef ENABLE_LMS
 	"  lmskeygen         Generate LMS-SM3 (Leighton-Micali Signature) keypair\n"
 	"  lmssign           Generate LMS-SM3 signature\n"
 	"  lmsverify         Verify LMS-SM3 signature\n"
@@ -334,7 +334,7 @@ int main(int argc, char **argv)
 			return tls13_client_main(argc, argv);
 		} else if (!strcmp(*argv, "tls13_server")) {
 			return tls13_server_main(argc, argv);
-#ifdef ENABLE_LMS_HSS
+#ifdef ENABLE_LMS
 		} else if (!strcmp(*argv, "lmskeygen")) {
 			return lmskeygen_main(argc, argv);
 		} else if (!strcmp(*argv, "lmssign")) {
diff --git a/tools/hsssign.c b/tools/hsssign.c
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2014-2025 The GmSSL Project. All Rights Reserved.
+ *  Copyright 2014-2026 The GmSSL Project. All Rights Reserved.
  *
  *  Licensed under the Apache License, Version 2.0 (the License); you may
  *  not use this file except in compliance with the License.
@@ -26,6 +26,36 @@ static const char *options =
 "    -verbose                    Print public key and signature\n"
 "\n";
 
+static int key_update_cb(HSS_KEY *key)
+{
+	FILE *fp;
+	uint8_t buf[HSS_PRIVATE_KEY_MAX_SIZE];
+	uint8_t *p = buf;
+	size_t len = 0;
+
+	if (!key->update_param) {
+		error_print();
+		return -1;
+	}
+	fp = (FILE *)key->update_param;
+
+	if (hss_private_key_to_bytes(key, &p, &len) != 1) {
+		error_print();
+		return -1;
+	}
+	rewind(fp);
+	if (fwrite(buf, 1, len, fp) != len
+		|| fflush(fp) != 0) {
+		gmssl_secure_clear(buf, sizeof(buf));
+		error_print();
+		return -1;
+	}
+	// TODO: need fsync to make sure data is written to disk
+	// but fsync need <unistd.h>, not std C
+	gmssl_secure_clear(buf, sizeof(buf));
+	return 1;
+}
+
 int hsssign_main(int argc, char **argv)
 {
 	int ret = 1;
@@ -112,28 +142,21 @@ int hsssign_main(int argc, char **argv)
 	}
 	if (keylen) {
 		error_print();
-		return -1;
+		goto end;
 	}
 
 	if (verbose) {
 		hss_public_key_print(stderr, 0, 0, "hss_public_key", &key);
 	}
 
-	if (hss_sign_init(&ctx, &key) != 1) {
+	if (hss_key_set_update_callback(&key, key_update_cb, keyfp) != 1) {
 		error_print();
 		goto end;
 	}
 
-	// write updated key back to file
-	// TODO: write back `q` only
-	if (hss_private_key_to_bytes(&key, &p, &keylen) != 1) {
-		error_print();
-		return -1;
-	}
-	rewind(keyfp);
-	if (fwrite(keybuf, 1, keylen, keyfp) != keylen) {
+	if (hss_sign_init(&ctx, &key) != 1) {
 		error_print();
-		return -1;
+		goto end;
 	}
 
 	while (1) {
diff --git a/tools/lmskeygen.c b/tools/lmskeygen.c
@@ -115,7 +115,7 @@ int lmskeygen_main(int argc, char **argv)
 		return -1;
 	}
 	if (verbose) {
-		lms_public_key_print(stderr, 0, 0, "lms_public_key", &key.public_key);
+		lms_public_key_print(stderr, 0, 0, "lms_public_key", &key);
 	}
 
 	if (lms_private_key_to_bytes(&key, &pout, &outlen) != 1) {
diff --git a/tools/lmssign.c b/tools/lmssign.c
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2014-2025 The GmSSL Project. All Rights Reserved.
+ *  Copyright 2014-2026 The GmSSL Project. All Rights Reserved.
  *
  *  Licensed under the Apache License, Version 2.0 (the License); you may
  *  not use this file except in compliance with the License.
@@ -26,6 +26,36 @@ static const char *options =
 "    -verbose                    Print public key and signature\n"
 "\n";
 
+static int key_update_cb(LMS_KEY *key)
+{
+	FILE *fp;
+	uint8_t buf[LMS_PRIVATE_KEY_SIZE];
+	uint8_t *p = buf;
+	size_t len = 0;
+
+	if (!key->update_param) {
+		error_print();
+		return -1;
+	}
+	fp = (FILE *)key->update_param;
+
+	if (lms_private_key_to_bytes(key, &p, &len) != 1) {
+		error_print();
+		return -1;
+	}
+	rewind(fp);
+	if (fwrite(buf, 1, len, fp) != len
+		|| fflush(fp) != 0) {
+		gmssl_secure_clear(buf, sizeof(buf));
+		error_print();
+		return -1;
+	}
+	// TODO: need fsync to make sure data is written to disk
+	// but fsync need <unistd.h>, not std C
+	gmssl_secure_clear(buf, sizeof(buf));
+	return 1;
+}
+
 int lmssign_main(int argc, char **argv)
 {
 	int ret = 1;
@@ -116,24 +146,17 @@ int lmssign_main(int argc, char **argv)
 	}
 
 	if (verbose) {
-		lms_public_key_print(stderr, 0, 0, "lms_public_key", &key.public_key);
+		lms_public_key_print(stderr, 0, 0, "lms_public_key", &key);
 	}
 
-	if (lms_sign_init(&ctx, &key) != 1) {
+	if (lms_key_set_update_callback(&key, key_update_cb, keyfp) != 1) {
 		error_print();
 		goto end;
 	}
 
-	// write updated key back to file
-	// TODO: write back `q` only
-	if (lms_private_key_to_bytes(&key, &p, &keylen) != 1) {
-		error_print();
-		return -1;
-	}
-	rewind(keyfp);
-	if (fwrite(keybuf, 1, keylen, keyfp) != keylen) {
+	if (lms_sign_init(&ctx, &key) != 1) {
 		error_print();
-		return -1;
+		goto end;
 	}
 
 	while (1) {
diff --git a/tools/lmsverify.c b/tools/lmsverify.c
@@ -113,7 +113,7 @@ int lmsverify_main(int argc, char **argv)
 		goto end;
 	}
 	if (verbose) {
-		lms_public_key_print(stderr, 0, 0, "lms_public_key", &key.public_key);
+		lms_public_key_print(stderr, 0, 0, "lms_public_key", &key);
 	}
 
 	// read signature even if signature not compatible with the public key

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ int x509_public_key_print(FILE fp, int fmt, int ind, const char label, const X`
`162`	`162`	`}`
`163`	`163`	`break;`
`164`	`164`	`case OID_lms_hashsig:`
`165`		`- if (lms_public_key_print(fp, fmt, ind, label, &key->u.lms_key.public_key) != 1) {`
	`165`	`+ if (lms_public_key_print(fp, fmt, ind, label, &key->u.lms_key) != 1) {`
`166`	`166`	`error_print();`
`167`	`167`	`return -1;`
`168`	`168`	`}`
Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,7 @@ int lmskeygen_main(int argc, char **argv)`
`115`	`115`	`return -1;`
`116`	`116`	`}`
`117`	`117`	`if (verbose) {`
`118`		`- lms_public_key_print(stderr, 0, 0, "lms_public_key", &key.public_key);`
	`118`	`+ lms_public_key_print(stderr, 0, 0, "lms_public_key", &key);`
`119`	`119`	`}`
`120`	`120`
`121`	`121`	`if (lms_private_key_to_bytes(&key, &pout, &outlen) != 1) {`
Original file line number	Diff line number	Diff line change
`@@ -113,7 +113,7 @@ int lmsverify_main(int argc, char **argv)`
`113`	`113`	`goto end;`
`114`	`114`	`}`
`115`	`115`	`if (verbose) {`
`116`		`- lms_public_key_print(stderr, 0, 0, "lms_public_key", &key.public_key);`
	`116`	`+ lms_public_key_print(stderr, 0, 0, "lms_public_key", &key);`
`117`	`117`	`}`
`118`	`118`
`119`	`119`	`// read signature even if signature not compatible with the public key`