Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues:
It's time. (also we need to do this to add ML-DSA to the FIPS module)
Description of changes:
enable_dilithium
flagEVP_PKEY_pqdsa_new_raw_private_key
toEVP_PKEY_pqdsa_new_raw_secret_key
to better match the equivalent API for KEMs (EVP_PKEY_kem_new_raw_secret_key
).Call-outs:
Removing the flag has little consequence -- other than it makes the APIs we expose in
include/openssl/evp.h
that much more "final". We should consider how much we like them before we commit to them. We made a point to refer to asymmetric keypairs as public and private keys, rather than public and secret keys. However, we haven't always been consistant with this, so there is a mix of both in the library. Users will find the consistency betweenEVP_PKEY_pqdsa_new_raw_secret_key
andEVP_PKEY_kem_new_raw_secret_key
more satisfying.Once we are happy with the name, including the decision around
PQDSA
, then we can remove the experimental flags. Personally, I'd advocate for NISTDSA as all NIST signature schemes are matching these API conventions (sign, pre-hash-sign, context-sign -- see ed25519, ML-DSA, SLH-DSA, FN-DSA as examples). Most of this naming is internal, with the exception of the three external functions:EVP_PKEY_CTX_pqdsa_set_params
,EVP_PKEY_pqdsa_new_raw_secret_key
,EVP_PKEY_pqdsa_new_raw_public_key
.Testing:
To celebrate the removal of this flag, enjoy this haiku:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.