RFR: 8298127: HSS/LMS Signature Verification [v2]

Weijun Wang weijun at openjdk.org
Fri Apr 28 15:26:23 UTC 2023 

On Fri, 28 Apr 2023 11:36:53 GMT, Ferenc Rakoczi <duke at openjdk.org> wrote:

>> Implement support for Leighton-Micali Signatures (LMS) as described in RFC 8554. LMS is an approved software signing algorithm for CNSA 2.0, with SHA-256/192 parameters recommended.
>
> Ferenc Rakoczi has updated the pull request incrementally with one additional commit since the last revision:
> 
>   review comments addressed

src/java.base/share/classes/sun/security/provider/HSS.java line 86:

> 84:                 lmsPubKey = sig.pubList[i];
> 85:             }
> 86:             return result & lmsVerify(lmsPubKey, sig.siglist[sig.Nspk], messageStream.toByteArray());

You should probably reset `messageStream` so that it can be called in another `update/verify` sequence. This is also worth a test.

src/java.base/share/classes/sun/security/provider/HSS.java line 173:

> 171:             int m = lmParams.m;
> 172:             if ((inLen < (24 + m)) || (checkExactLength && (inLen != (24 + m))) ||
> 173:                     !LMOTSParams.of(otsType).hashAlgName.equals(lmParams.hashAlgStr)) {

This algorithm name comparison is not sufficient. You are using "SHA-256" for both M32 and M24 types. Either add a comparison on `LMParams.m` and `LMOTSParams.n`, or use "SHA-256/192" as the hash algorithm name.

src/java.base/share/classes/sun/security/provider/HSS.java line 213:

> 211: 
> 212:     static class LMSUtils {
> 213:         public final static int LMS_RESERVED = 0;

Is the `LMS_RESERVED` and `LMOTS_RESERVED` constants used anywhere?

src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java line 274:

> 272:         store("DSA", KnownOIDs.DSA, KnownOIDs.OIW_DSA.value());
> 273: 
> 274:         store("HSS/LMS", KnownOIDs.HSSLMS, KnownOIDs.HSSLMS.value());

This is only necessary if an non-OID alias is needed. For example, if we want to use "LMS" as an alias of "HSS/LMS".

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13691#discussion_r1180439364
PR Review Comment: https://git.openjdk.org/jdk/pull/13691#discussion_r1180478493
PR Review Comment: https://git.openjdk.org/jdk/pull/13691#discussion_r1180442130
PR Review Comment: https://git.openjdk.org/jdk/pull/13691#discussion_r1180416477

More information about the security-dev mailing list