[hsmtool] Refactor MLDSA key logic to util/key/mldsa

Moves the MLDSA key encoding and decoding logic from the import/export
commands into a dedicated utility module at `sw/host/hsmtool/src/util/key/mldsa.rs`.

Signed-off-by: Willy Zhang <[email protected]>

Author: Willy Zhang

sw/host/hsmtool/BUILD

@@ -156,6 +156,7 @@ rust_library(
         "src/util/escape.rs",
         "src/util/helper.rs",
         "src/util/key/ecdsa.rs",
+        "src/util/key/mldsa.rs",
         "src/util/key/mod.rs",
         "src/util/key/rsa.rs",
         "src/util/mod.rs",

sw/host/hsmtool/src/commands/mldsa/export.rs

@@ -13,18 +13,12 @@ use std::path::PathBuf;
 use crate::commands::{BasicResult, Dispatch};
 use crate::error::HsmError;
 use crate::module::Module;
-use crate::util::attribute::{AttributeMap, AttributeType, KeyType, ObjectClass};
+use crate::util::attribute::{AttributeMap, KeyType, ObjectClass};
 use crate::util::helper;
+use crate::util::key::mldsa;
 use crate::util::key::KeyEncoding;
 use crate::util::wrap::{Wrap, WrapPrivateKey};
 
-use der::{Encode, EncodePem};
-use ml_dsa::{
-    EncodedSigningKey, EncodedVerifyingKey, MlDsa44, MlDsa65, MlDsa87, SigningKey, VerifyingKey,
-};
-use pkcs8::{LineEnding, PrivateKeyInfo};
-use spki::{AssociatedAlgorithmIdentifier, EncodePublicKey};
-
 #[derive(clap::Args, Debug, Serialize, Deserialize)]
 pub struct Export {
     #[arg(long)]
@@ -48,89 +42,13 @@ pub struct Export {
 impl Export {
     fn export(&self, session: &Session, object: ObjectHandle) -> Result<()> {
         let map = AttributeMap::from_object(session, object)?;
-        let val = map
-            .get(&AttributeType::Value)
-            .ok_or(anyhow!("Key does not contain a value"))?;
-        let key_value: Vec<u8> = val.try_into()?;
-
-        let encoded_bytes = if self.private {
-            if let Ok(arr) = EncodedSigningKey::<MlDsa44>::try_from(key_value.as_slice()) {
-                let _ = SigningKey::<MlDsa44>::decode(&arr); // Validate
-                let pk_info = PrivateKeyInfo::new(MlDsa44::ALGORITHM_IDENTIFIER, &key_value);
-                match self.format {
-                    KeyEncoding::Der | KeyEncoding::Pkcs8Der => pk_info.to_der()?,
-                    KeyEncoding::Pem | KeyEncoding::Pkcs8Pem => {
-                        pk_info.to_pem(LineEnding::LF)?.as_bytes().to_vec()
-                    }
-                    _ => return Err(anyhow!("Unsupported format for MLDSA export")),
-                }
-            } else if let Ok(arr) = EncodedSigningKey::<MlDsa65>::try_from(key_value.as_slice()) {
-                let _ = SigningKey::<MlDsa65>::decode(&arr); // Validate
-                let pk_info = PrivateKeyInfo::new(MlDsa65::ALGORITHM_IDENTIFIER, &key_value);
-                match self.format {
-                    KeyEncoding::Der | KeyEncoding::Pkcs8Der => pk_info.to_der()?,
-                    KeyEncoding::Pem | KeyEncoding::Pkcs8Pem => {
-                        pk_info.to_pem(LineEnding::LF)?.as_bytes().to_vec()
-                    }
-                    _ => return Err(anyhow!("Unsupported format for MLDSA export")),
-                }
-            } else if let Ok(arr) = EncodedSigningKey::<MlDsa87>::try_from(key_value.as_slice()) {
-                let _ = SigningKey::<MlDsa87>::decode(&arr); // Validate
-                let pk_info = PrivateKeyInfo::new(MlDsa87::ALGORITHM_IDENTIFIER, &key_value);
-                match self.format {
-                    KeyEncoding::Der | KeyEncoding::Pkcs8Der => pk_info.to_der()?,
-                    KeyEncoding::Pem | KeyEncoding::Pkcs8Pem => {
-                        pk_info.to_pem(LineEnding::LF)?.as_bytes().to_vec()
-                    }
-                    _ => return Err(anyhow!("Unsupported format for MLDSA export")),
-                }
-            } else {
-                return Err(anyhow!(
-                    "Could not decode MLDSA private key (length: {})",
-                    key_value.len()
-                ));
-            }
-        } else if let Ok(arr) = EncodedVerifyingKey::<MlDsa44>::try_from(key_value.as_slice()) {
-            let key = VerifyingKey::<MlDsa44>::decode(&arr);
-            match self.format {
-                KeyEncoding::Der | KeyEncoding::Pkcs8Der => {
-                    key.to_public_key_der()?.as_bytes().to_vec()
-                }
-                KeyEncoding::Pem | KeyEncoding::Pkcs8Pem => {
-                    key.to_public_key_pem(LineEnding::LF)?.as_bytes().to_vec()
-                }
-                _ => return Err(anyhow!("Unsupported format for MLDSA export")),
-            }
-        } else if let Ok(arr) = EncodedVerifyingKey::<MlDsa65>::try_from(key_value.as_slice()) {
-            let key = VerifyingKey::<MlDsa65>::decode(&arr);
-            match self.format {
-                KeyEncoding::Der | KeyEncoding::Pkcs8Der => {
-                    key.to_public_key_der()?.as_bytes().to_vec()
-                }
-                KeyEncoding::Pem | KeyEncoding::Pkcs8Pem => {
-                    key.to_public_key_pem(LineEnding::LF)?.as_bytes().to_vec()
-                }
-                _ => return Err(anyhow!("Unsupported format for MLDSA export")),
-            }
-        } else if let Ok(arr) = EncodedVerifyingKey::<MlDsa87>::try_from(key_value.as_slice()) {
-            let key = VerifyingKey::<MlDsa87>::decode(&arr);
-            match self.format {
-                KeyEncoding::Der | KeyEncoding::Pkcs8Der => {
-                    key.to_public_key_der()?.as_bytes().to_vec()
-                }
-                KeyEncoding::Pem | KeyEncoding::Pkcs8Pem => {
-                    key.to_public_key_pem(LineEnding::LF)?.as_bytes().to_vec()
-                }
-                _ => return Err(anyhow!("Unsupported format for MLDSA export")),
-            }
+        if self.private {
+            let key = mldsa::MldsaSigningKey::try_from(&map)?;
+            mldsa::save_private_key(&self.filename, &key, self.format)?;
         } else {
-            return Err(anyhow!(
-                "Could not decode MLDSA public key (length: {})",
-                key_value.len()
-            ));
-        };
-
-        fs::write(&self.filename, &encoded_bytes)?;
+            let key = mldsa::MldsaVerifyingKey::try_from(&map)?;
+            mldsa::save_public_key(&self.filename, &key, self.format)?;
+        }
         Ok(())
     }
 

sw/host/hsmtool/src/commands/mldsa/export_csr.rs

@@ -3,7 +3,6 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use anyhow::{Result, anyhow};
-use const_oid::ObjectIdentifier;
 use cryptoki::mechanism::Mechanism;
 use cryptoki::mechanism::vendor_defined::VendorDefinedMechanism;
 use cryptoki::object::Attribute;
@@ -21,11 +20,9 @@ use x509_cert::spki::{AlgorithmIdentifierOwned, SubjectPublicKeyInfoOwned};
 use crate::commands::{BasicResult, Dispatch};
 use crate::error::HsmError;
 use crate::module::Module;
-use crate::util::attribute::{AttributeMap, AttributeType, KeyType, MechanismType, ObjectClass};
+use crate::util::attribute::{AttributeMap, KeyType, MechanismType, ObjectClass};
 use crate::util::helper;
-
-// ML-DSA-87 OID: 2.16.840.1.101.3.4.3.19
-const OID_MLDSA_87: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.16.840.1.101.3.4.3.19");
+use crate::util::key::mldsa;
 
 #[derive(clap::Args, Debug, Serialize, Deserialize)]
 pub struct ExportCsr {
@@ -67,18 +64,16 @@ impl ExportCsr {
 
         // Get public key value
         let map = AttributeMap::from_object(session, public_key)?;
-        let val = map
-            .get(&AttributeType::Value)
-            .ok_or(anyhow!("Public key does not contain a value"))?;
-        let pub_key_bytes: Vec<u8> = val.try_into()?;
+        let key = mldsa::MldsaVerifyingKey::try_from(&map)?;
+        let pub_key_bytes = key.encode();
 
         // Construct Subject Name
         let subject =
             Name::from_str(&self.subject).map_err(|e| anyhow!("Invalid subject: {}", e))?;
 
         // Create CertReqInfo
         let algorithm = AlgorithmIdentifierOwned {
-            oid: OID_MLDSA_87,
+            oid: key.oid(),
             parameters: None,
         };
         let subject_public_key_info = SubjectPublicKeyInfoOwned {

sw/host/hsmtool/src/commands/mldsa/import.rs

@@ -16,12 +16,9 @@ use crate::error::HsmError;
 use crate::module::Module;
 use crate::util::attribute::{AttrData, AttributeMap, AttributeType};
 use crate::util::helper;
+use crate::util::key::mldsa;
 use crate::util::wrap::{Wrap, WrapPrivateKey};
 
-use ml_dsa::{MlDsa44, MlDsa65, MlDsa87, SigningKey, VerifyingKey};
-use pkcs8::DecodePrivateKey;
-use spki::DecodePublicKey;
-
 #[derive(clap::Args, Debug, Serialize, Deserialize)]
 pub struct Import {
     #[arg(long)]
@@ -64,56 +61,30 @@ impl Import {
     }"#;
 
     fn import(&self, session: &Session, id: AttrData, label: AttrData) -> Result<ObjectHandle> {
-        let data = fs::read(&self.filename)?;
-        let der_bytes = if let Ok((_label, bytes)) = pem_rfc7468::decode_vec(&data) {
-            bytes
-        } else {
-            // Assume DER/Raw
-            data
-        };
-
-        let (key_value, mldsa_type) = if self.private {
-            if let Ok(key) = SigningKey::<MlDsa44>::from_pkcs8_der(&der_bytes) {
-                (key.encode().to_vec(), 1u64)
-            } else if let Ok(key) = SigningKey::<MlDsa65>::from_pkcs8_der(&der_bytes) {
-                (key.encode().to_vec(), 2u64)
-            } else if let Ok(key) = SigningKey::<MlDsa87>::from_pkcs8_der(&der_bytes) {
-                (key.encode().to_vec(), 3u64)
-            } else {
-                return Err(anyhow!("Could not decode MLDSA private key from PKCS#8 DER"));
-            }
-        } else if let Ok(key) = VerifyingKey::<MlDsa44>::from_public_key_der(&der_bytes) {
-            (key.encode().to_vec(), 1u64)
-        } else if let Ok(key) = VerifyingKey::<MlDsa65>::from_public_key_der(&der_bytes) {
-            (key.encode().to_vec(), 2u64)
-        } else if let Ok(key) = VerifyingKey::<MlDsa87>::from_public_key_der(&der_bytes) {
-            (key.encode().to_vec(), 3u64)
-        } else {
-            return Err(anyhow!("Could not decode MLDSA public key from SPKI DER"));
-        };
-
         let mut template = if self.private {
-            AttributeMap::from_str(Self::PRIVATE_TEMPLATE).expect("error in PRIVATE_TEMPLATE")
+            let key = mldsa::load_private_key(&self.filename)?;
+            let mut template = AttributeMap::try_from(&key)?;
+            template.merge(
+                AttributeMap::from_str(Self::PRIVATE_TEMPLATE).expect("error in PRIVATE_TEMPLATE"),
+            );
+            if let Some(tpl) = &self.private_template {
+                template.merge(tpl.clone());
+            }
+            template
         } else {
-            AttributeMap::from_str(Self::PUBLIC_TEMPLATE).expect("error in PUBLIC_TEMPLATE")
+            let key = mldsa::load_public_key(&self.filename)?;
+            let mut template = AttributeMap::try_from(&key)?;
+            template.merge(
+                AttributeMap::from_str(Self::PUBLIC_TEMPLATE).expect("error in PUBLIC_TEMPLATE"),
+            );
+            if let Some(tpl) = &self.public_template {
+                template.merge(tpl.clone());
+            }
+            template
         };
 
         template.insert(AttributeType::Id, id);
         template.insert(AttributeType::Label, label);
-        template.insert(AttributeType::Value, AttrData::from(key_value));
-
-        if self.private {
-            if let Some(tpl) = &self.private_template {
-                template.merge(tpl.clone());
-            }
-        } else if let Some(tpl) = &self.public_template {
-            template.merge(tpl.clone());
-        }
-
-        template.insert(
-            AttributeType::ParameterSet,
-            AttrData::from(mldsa_type),
-        );
 
         log::info!("template = {}", serde_json::to_string_pretty(&template)?);