Skip to content

Public key export#8

Open
Frauschi wants to merge 6 commits into
mainfrom
public_key_export
Open

Public key export#8
Frauschi wants to merge 6 commits into
mainfrom
public_key_export

Conversation

@Frauschi

Copy link
Copy Markdown
Owner

No description provided.

Frauschi added 6 commits July 15, 2026 11:35
Backport the LMS/XMSS keygen ergonomic to RSA: when a key is generated
and cached in the HSM (non-ephemeral), the server now also serializes the
generated public key into the keygen response body. The client gets both
the keyId and a usable public key in one round-trip instead of following
up with a separate wh_Client_RsaExportPublicKey call.

The response reuses the existing keyId + len + body layout, so there is no
wire-format change. Existing wh_Client_RsaMakeCacheKey callers ignore the
extra body bytes and are unaffected.

Add wh_Client_RsaMakeCacheKeyAndExportPublic, which caches the key and
returns its public key into the caller's RsaKey object, pointing that
object at the cached keyId for follow-on HSM operations.

Add tests in both the main and refactored crypto test suites that
cross-check the keygen-returned public key against wh_Client_RsaExportPublicKey
and prove it is usable via an encrypt/HSM-decrypt round-trip.
Extend the cached ECC keygen path to serialize the generated public key
into the keygen response body, so the client receives both the keyId and a
usable public key in one round-trip instead of a follow-up
wh_Client_EccExportPublicKey call. The response reuses the existing
keyId + len + body layout, so there is no wire-format change and existing
wh_Client_EccMakeCacheKey callers are unaffected.

Add wh_Client_EccMakeCacheKeyAndExportPublic, which caches the key and
returns its public key into the caller's ecc_key object, pointing that
object at the cached keyId for follow-on HSM operations.

Also drop the stale "TODO: RSA has the following" comment blocks in
_HandleEccKeyGen that this change resolves.

Add tests in both crypto test suites that cross-check the keygen-returned
public key against wh_Client_EccExportPublicKey and verify an HSM-produced
signature with it.
Extend the cached Curve25519 keygen path to serialize the generated public
key into the keygen response body, so the client receives both the keyId
and a usable public key in one round-trip instead of a follow-up
wh_Client_Curve25519ExportPublicKey call. The response reuses the existing
keyId + len + body layout, so there is no wire-format change.

_Curve25519MakeKey now deserializes the response body whenever it is
present rather than only for EPHEMERAL keygen, so the cached path can hand
the public key back through the same key object. Existing MakeCacheKey
(key == NULL) and MakeExportKey callers are unaffected.

Add wh_Client_Curve25519MakeCacheKeyAndExportPublic plus tests in both
crypto test suites that cross-check the keygen-returned public key against
wh_Client_Curve25519ExportPublicKey and prove it via an X25519 shared-secret
round-trip with the cached private key.
Extend the cached Ed25519 keygen path to serialize the generated public key
into the keygen response body, so the client receives both the keyId and a
usable public key in one round-trip instead of a follow-up
wh_Client_Ed25519ExportPublicKey call. The response reuses the existing
keyId + outSz + body layout, so there is no wire-format change.

_Ed25519MakeKey now deserializes the response body whenever it is present
rather than only for EPHEMERAL keygen, so the cached path can hand the
public key back through the same key object. Existing MakeCacheKey
(key == NULL) and MakeExportKey callers are unaffected.

Add wh_Client_Ed25519MakeCacheKeyAndExportPublic plus tests in both crypto
test suites that cross-check the keygen-returned public key against
wh_Client_Ed25519ExportPublicKey and verify an HSM-produced signature with it.
Extend both the non-DMA and DMA cached ML-DSA keygen paths to return the
generated public key to the client in one round-trip instead of a follow-up
wh_Client_MlDsaExportPublicKey call.

Non-DMA: the cache branch of _HandleMlDsaKeyGen serializes the public key
into the response body (reusing the existing keyId + len + body layout).
DMA: the cache branch of _HandleMlDsaKeyGenDma streams the public key back
through the client's existing key DMA buffer and reports its size in keySize.
Both are guarded by WOLFSSL_MLDSA_PUBLIC_KEY, matching the keystore public
export path. No wire-format changes.

_MlDsaMakeKey and _MlDsaMakeKeyDma now deserialize the response body/buffer
whenever it is present rather than only for EPHEMERAL keygen, so the cached
paths can hand the public key back through the same key object. Existing
MakeCacheKey (key == NULL) and MakeExportKey callers are unaffected.

Add wh_Client_MlDsaMakeCacheKeyAndExportPublic and wh_Client_MlDsaMakeCacheKeyDma,
plus non-DMA and DMA tests in both crypto test suites that cross-check the
keygen-returned public key against wh_Client_MlDsaExportPublicKey[Dma] and
verify an HSM-produced signature with it.
Extend both the non-DMA and DMA cached ML-KEM keygen paths to return the
generated public key to the client in one round-trip instead of a follow-up
wh_Client_MlKemExportPublicKey call.

Non-DMA: the cache branch of _HandleMlKemKeyGen encodes the public key into
the response body (reusing the existing keyId + len + body layout). DMA: the
cache branch of _HandleMlKemKeyGenDma streams the public key back through the
client's existing key DMA buffer and reports its size in keySize. Both use
wc_MlKemKey_PublicKeySize / wc_MlKemKey_EncodePublicKey, matching the keystore
public export path. No wire-format changes.

_MlKemMakeKey and _MlKemMakeKeyDma now deserialize the response body/buffer
whenever it is present rather than only for EPHEMERAL keygen, so the cached
paths can hand the public key back through the same key object. Existing
MakeCacheKey (key == NULL) and MakeExportKey callers are unaffected.

Add wh_Client_MlKemMakeCacheKeyAndExportPublic and wh_Client_MlKemMakeCacheKeyDma,
plus non-DMA and DMA tests that cross-check the keygen-returned public key
against wh_Client_MlKemExportPublicKey[Dma] and prove it via a KEM
encapsulate/decapsulate round-trip with the cached private key.
@Frauschi Frauschi force-pushed the public_key_export branch from 4476066 to c25623b Compare July 15, 2026 09:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant