Skip to content

Backport 27131 ([hsmtool] Add support for prehashing in CloudKMS) #29180

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pamaury merged 3 commits into from
Jan 28, 2026
Merged

Backport 27131 ([hsmtool] Add support for prehashing in CloudKMS) #29180

pamaury merged 3 commits into from
Jan 28, 2026

Conversation

@pamaury
Copy link
Contributor

@pamaury pamaury commented Jan 26, 2026

Backport #27131

@cfrantz @pamaury
[hsmtool] Add required CloudKMS query parameter
ebde17b 
CloudKMS requires the `public_key_format` parameter when retrieving PQC
public key material.

Signed-off-by: Chris Frantz <[email protected]>
(cherry picked from commit 6aadfdf)
@cfrantz @pamaury
[hsmtool] Allow specifying the domain during keygen
6e1ec52 
Some HSMs/backends require specifying the SLH-DSA signing domain that a
key will use during keygen.  Adjust the SPX trait and implementations
to take the domain during keygen and import, and to return the
associated domain during "key info" operations.

Signed-off-by: Chris Frantz <[email protected]>
(cherry picked from commit 4feca91)
@pamaury pamaury requested a review from a team as a code owner January 26, 2026 18:59
@pamaury pamaury requested review from cfrantz and jwnrt and removed request for a team January 26, 2026 18:59
@cfrantz @pamaury
[hsmtool] Add support for prehashing in CloudKMS
b3c20b8 
CloudKMS is adding support for SLH-DSA signatures using the prehashed
domain.  Add support for keygen, sign and verify with prehashing.

1. Check the domain during keygen.  CloudKMS encodes both the algorithm
   and domain into their notion of algorithm, so you must provide the
   domain at keygen time.
2. Check that the `domain` given for sign and verify matches the domain
   for which the key was generated.

Signed-off-by: Chris Frantz <[email protected]>
(cherry picked from commit 57fd70b)
@pamaury pamaury added this pull request to the merge queue Jan 28, 2026
Merged via the queue into lowRISC:master with commit c59ef68 Jan 28, 2026
47 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cfrantz cfrantz cfrantz approved these changes

@jwnrt jwnrt Awaiting requested review from jwnrt jwnrt is a code owner automatically assigned from lowRISC/ot-rust-reviewers

Assignees

No one assigned

Labels

MergeBack:1.0.0 to master

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pamaury @cfrantz