Skip to content

Add SLH-DSA (FIPS 205) to wolfCrypt JNI and wolfJCE#235

Open
cconlon wants to merge 1 commit into
wolfSSL:masterfrom
cconlon:pqc-slhdsa
Open

Add SLH-DSA (FIPS 205) to wolfCrypt JNI and wolfJCE#235
cconlon wants to merge 1 commit into
wolfSSL:masterfrom
cconlon:pqc-slhdsa

Conversation

@cconlon

@cconlon cconlon commented Jul 1, 2026

Copy link
Copy Markdown
Member

This PR adds SLH-DSA (FIPS 205) support to wolfCrypt JNI and wolfJCE.

JNI Additions (new com.wolfssl.wolfcrypt.SlhDsa class)

  • Full keygen / sign / verify for all 12 parameter sets (SLH-DSA-SHA2-128s/128f/192s/192f/256s/256f, SLH-DSA-SHAKE-128s/128f/192s/192f/256s/256f)
  • Pure and pre-hash (HashSLH-DSA, FIPS 205 Section 10.2.2) operations
  • FIPS 205 context strings (0-255 bytes), deterministic signing, seed-based keygen (KAT support)
  • Raw and DER key import/export (RFC 9909 X.509 SPKI / PKCS#8), parameter set auto-detected from the AlgorithmIdentifier OID

JCE Additions

  • Signature: SLH-DSA generic + 12 per-set services, HASH-SLH-DSA + 12 per-set pre-hash services, NIST CSOR OID aliases (2.16.840.1.101.3.4.3.20-.31, .35-.46)
  • KeyPairGenerator / KeyFactory: generic + per-set services; umbrella keygen defaults to SLH-DSA-SHA2-128f
  • WolfCryptContextParameterSpec for context strings. SLH-DSA constants in WolfPQCParameterSpec (JDK 8-10), standard NamedParameterSpec accepted on JDK 11+
  • SLH-DSA private key and certificate storage in the WKS KeyStore

Requirements

  • Native wolfSSL 5.9.2 or later built with --enable-slhdsa. --enable-slhdsa=yes,sha2 builds all 12 parameter sets

Testing

  • JNI and JCE JUnit tests: NIST keygen KATs, sign/verify round trips, tamper/cross-key rejection, context handling, DER round trips, WKS KeyStore round trip

New Github pull request workflows have been added for this matrix of builds:

      matrix:
        os: [ 'ubuntu-latest', 'macos-latest' ]
        jdk_version: [ '11', '21', '24' ]
        wolfssl_configure:
          - '--enable-jni --enable-slhdsa'
          - '--enable-jni --enable-slhdsa=yes,sha2'
          - '--enable-jni --enable-slhdsa=yes,sha2,small'
          - '--enable-jni --enable-slhdsa=128f,sha2-128f,small-mem'
          - '--enable-jni --enable-slhdsa=yes,sha2,verify-only'
          - '--enable-jni --enable-all --enable-slhdsa=yes,sha2'

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #235

Scan targets checked: wolfcrypt-jni-bugs, wolfcrypt-jni-src

No new issues found in the changed files. ✅

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds SLH-DSA (FIPS 205) support across the wolfCrypt JNI bindings and wolfJCE provider, including JCA services (Signature/KeyPairGenerator/KeyFactory), WKS KeyStore handling, test coverage, and CI permutations for multiple wolfSSL configure options.

Changes:

  • Add wolfJCE SLH-DSA primitives (Signature SPI, key types, KeyFactory, KeyPairGenerator integration) and register services/OID aliases.
  • Extend ASN/OID plumbing and WKS KeyStore support to recognize/store SLH-DSA keys and perform Java-side cert/key matching when native checks can’t.
  • Add SLH-DSA JNI/JCE tests, examples, cert test material wiring, and CI matrix workflows for SLH-DSA build variants.

Reviewed changes

Copilot reviewed 41 out of 43 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
src/test/java/com/wolfssl/wolfcrypt/test/WolfCryptTestSuite.java Adds SLH-DSA JNI tests to suite
src/test/java/com/wolfssl/wolfcrypt/test/SlhDsaTest.java New JNI SLH-DSA test coverage (keygen/sign/verify/DER/KAT)
src/test/java/com/wolfssl/provider/jce/test/WolfSSLKeyStoreTest.java Adds WKS round-trip coverage for SLH-DSA keys/certs
src/test/java/com/wolfssl/provider/jce/test/WolfJCETestSuite.java Adds SLH-DSA JCE tests to suite
src/test/java/com/wolfssl/provider/jce/test/WolfCryptSlhDsaSignatureTest.java New JCE Signature service tests for SLH-DSA + HashSLH-DSA
src/test/java/com/wolfssl/provider/jce/test/WolfCryptSlhDsaKeyTest.java New JCE SLH-DSA key object tests
src/test/java/com/wolfssl/provider/jce/test/WolfCryptSlhDsaKeyPairGeneratorTest.java New JCE KeyPairGenerator tests for SLH-DSA
src/test/java/com/wolfssl/provider/jce/test/WolfCryptSlhDsaKeyFactoryTest.java New JCE KeyFactory tests for SLH-DSA
src/main/java/com/wolfssl/wolfcrypt/WolfCryptError.java Adds SLH-DSA CAST/KAT error constant
src/main/java/com/wolfssl/wolfcrypt/Asn.java Adds SLH-DSA OID-sum constants + native accessors
src/main/java/com/wolfssl/provider/jce/WolfSSLKeyStore.java Adds SLH-DSA PKCS#8 recognition + Java-side cert/key matching fallback
src/main/java/com/wolfssl/provider/jce/WolfPQCParameterSpec.java Adds SLH-DSA parameter-set constants for JDK 8–10
src/main/java/com/wolfssl/provider/jce/WolfPQCJdkCompat.java Adds SLH-DSA NamedParameterSpec mapping helpers/caching
src/main/java/com/wolfssl/provider/jce/WolfCryptSlhDsaSignature.java New SLH-DSA/HashSLH-DSA SignatureSpi implementation
src/main/java/com/wolfssl/provider/jce/WolfCryptSlhDsaPublicKey.java New SLH-DSA PublicKey implementation
src/main/java/com/wolfssl/provider/jce/WolfCryptSlhDsaPrivateKey.java New SLH-DSA PrivateKey implementation
src/main/java/com/wolfssl/provider/jce/WolfCryptSlhDsaKeyFactory.java New SLH-DSA KeyFactorySpi implementation
src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java Registers SLH-DSA services + OID aliases when enabled
src/main/java/com/wolfssl/provider/jce/WolfCryptMlDsaKeyFactory.java Aligns ML-DSA KeyFactory getKeySpec() with translateKey normalization
src/main/java/com/wolfssl/provider/jce/WolfCryptKeyPairGenerator.java Adds SLH-DSA KeyPairGenerator support + default/fallback selection
src/main/java/com/wolfssl/provider/jce/WolfCryptContextParameterSpec.java New context-string AlgorithmParameterSpec for SLH-DSA
spotbugs-exclude.xml Adds SpotBugs exclusions for new constructors
scripts/infer.sh Adds new Java sources to Infer compilation list
README.md Documents SLH-DSA build/enable requirements
README_JCE.md Documents SLH-DSA algorithms/services and WKS storage support
makefile.macosx Links new jni_slhdsa.o
makefile.linux Links new jni_slhdsa.o
jni/jni_asn.c Exposes SLH-DSA OID-sum constants to Java
jni/include/com_wolfssl_wolfcrypt_SlhDsa.h New generated JNI header for SlhDsa
jni/include/com_wolfssl_wolfcrypt_Asn.h Updates generated JNI header for new Asn natives
IDE/WIN/wolfcryptjni.vcxproj.filters Adds jni_slhdsa.c to VS filters
IDE/WIN/wolfcryptjni.vcxproj Adds jni_slhdsa.c to VS project
IDE/Android/app/src/main/cpp/CMakeLists.txt Adds jni_slhdsa.c to Android build
examples/provider/SlhDsaExample.sh Adds SLH-DSA provider example runner
examples/provider/SlhDsaExample.java Adds SLH-DSA provider usage example
examples/certs/update-certs.sh Adds SLH-DSA cert/key copying support
examples/certs/slhdsa/root-slhdsa-shake-128s-priv.pem Adds SLH-DSA test private key material
examples/certs/slhdsa/root-slhdsa-sha2-128s-priv.pem Adds SLH-DSA test private key material
.github/workflows/main.yml Adds SLH-DSA CI matrix job permutations
Files not reviewed (2)
  • jni/include/com_wolfssl_wolfcrypt_Asn.h: Generated file
  • jni/include/com_wolfssl_wolfcrypt_SlhDsa.h: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/test/java/com/wolfssl/wolfcrypt/test/SlhDsaTest.java
Comment thread src/test/java/com/wolfssl/provider/jce/test/WolfCryptSlhDsaSignatureTest.java Outdated
Comment thread src/test/java/com/wolfssl/provider/jce/test/WolfCryptSlhDsaKeyTest.java Outdated
Comment thread src/test/java/com/wolfssl/provider/jce/test/WolfCryptSlhDsaKeyFactoryTest.java Outdated
Comment thread src/main/java/com/wolfssl/provider/jce/WolfSSLKeyStore.java

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 53 out of 55 changed files in this pull request and generated 2 comments.

Files not reviewed (2)
  • jni/include/com_wolfssl_wolfcrypt_Asn.h: Generated file
  • jni/include/com_wolfssl_wolfcrypt_SlhDsa.h: Generated file

Comment thread examples/provider/SlhDsaExample.sh Outdated
Comment thread src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants