RFR: 8298127: HSS/LMS Signature Verification [v10]
Weijun Wang
weijun at openjdk.org
Thu May 11 14:03:08 UTC 2023
On Thu, 11 May 2023 09:36:17 GMT, Ferenc Rakoczi <duke at openjdk.org> wrote:
>> Implement support for Leighton-Micali Signatures (LMS) as described in RFC 8554. LMS is an approved software signing algorithm for CNSA 2.0, with SHA-256/192 parameters recommended.
>
> Ferenc Rakoczi has updated the pull request incrementally with one additional commit since the last revision:
>
> Reintroduced Length for HSSPublicKey, added more @Override annotations
src/java.base/share/classes/sun/security/provider/HSS.java line 728:
> 726: @Override
> 727: public int length() {
> 728: return getKey().length();
Debatable. `getKey` now contains 2 (OCTET STRING header) + 4 (L) + 4 (LMS type) + 4 (LM-OTS type) + 16 (I) + 32 (T) bytes. Should the 2 header bytes be included in the length? Should all fields other than T be included? The length is mainly used to compare strength and I suggest we refrain from implementing this method unless a well-known definition is accepted for HSS/LMS. Table 2 of [NIST SP 800-57 Part 1](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf) and they are defined by modulus size.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13691#discussion_r1191214837
More information about the security-dev
mailing list