Add SLH-DSA (FIPS 205) to wolfCrypt JNI and wolfJCE #235
Open
cconlon wants to merge 1 commit into
wolfSSL-Fenrir-bot left a comment
Fenrir Automated Review — PR #235
Scan targets checked: wolfcrypt-jni-bugs, wolfcrypt-jni-src
No new issues found in the changed files. ✅
Pull request overview
Adds SLH-DSA (FIPS 205) support across the wolfCrypt JNI bindings and wolfJCE provider, including JCA services (Signature/KeyPairGenerator/KeyFactory), WKS KeyStore handling, test coverage, and CI permutations for multiple wolfSSL configure options.
Changes:
- Add wolfJCE SLH-DSA primitives (Signature SPI, key types, KeyFactory, KeyPairGenerator integration) and register services/OID aliases.
- Extend ASN/OID plumbing and WKS KeyStore support to recognize/store SLH-DSA keys and perform Java-side cert/key matching when native checks can’t.
- Add SLH-DSA JNI/JCE tests, examples, cert test material wiring, and CI matrix workflows for SLH-DSA build variants.
Reviewed changes
Copilot reviewed 41 out of 43 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| src/test/java/com/wolfssl/wolfcrypt/test/WolfCryptTestSuite.java | Adds SLH-DSA JNI tests to suite |
| src/test/java/com/wolfssl/wolfcrypt/test/SlhDsaTest.java | New JNI SLH-DSA test coverage (keygen/sign/verify/DER/KAT) |
| src/test/java/com/wolfssl/provider/jce/test/WolfSSLKeyStoreTest.java | Adds WKS round-trip coverage for SLH-DSA keys/certs |
| src/test/java/com/wolfssl/provider/jce/test/WolfJCETestSuite.java | Adds SLH-DSA JCE tests to suite |
| src/test/java/com/wolfssl/provider/jce/test/WolfCryptSlhDsaSignatureTest.java | New JCE Signature service tests for SLH-DSA + HashSLH-DSA |
| src/test/java/com/wolfssl/provider/jce/test/WolfCryptSlhDsaKeyTest.java | New JCE SLH-DSA key object tests |
| src/test/java/com/wolfssl/provider/jce/test/WolfCryptSlhDsaKeyPairGeneratorTest.java | New JCE KeyPairGenerator tests for SLH-DSA |
| src/test/java/com/wolfssl/provider/jce/test/WolfCryptSlhDsaKeyFactoryTest.java | New JCE KeyFactory tests for SLH-DSA |
| src/main/java/com/wolfssl/wolfcrypt/WolfCryptError.java | Adds SLH-DSA CAST/KAT error constant |
| src/main/java/com/wolfssl/wolfcrypt/Asn.java | Adds SLH-DSA OID-sum constants + native accessors |
| src/main/java/com/wolfssl/provider/jce/WolfSSLKeyStore.java | Adds SLH-DSA PKCS#8 recognition + Java-side cert/key matching fallback |
| src/main/java/com/wolfssl/provider/jce/WolfPQCParameterSpec.java | Adds SLH-DSA parameter-set constants for JDK 8–10 |
| src/main/java/com/wolfssl/provider/jce/WolfPQCJdkCompat.java | Adds SLH-DSA NamedParameterSpec mapping helpers/caching |
| src/main/java/com/wolfssl/provider/jce/WolfCryptSlhDsaSignature.java | New SLH-DSA/HashSLH-DSA SignatureSpi implementation |
| src/main/java/com/wolfssl/provider/jce/WolfCryptSlhDsaPublicKey.java | New SLH-DSA PublicKey implementation |
| src/main/java/com/wolfssl/provider/jce/WolfCryptSlhDsaPrivateKey.java | New SLH-DSA PrivateKey implementation |
| src/main/java/com/wolfssl/provider/jce/WolfCryptSlhDsaKeyFactory.java | New SLH-DSA KeyFactorySpi implementation |
| src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java | Registers SLH-DSA services + OID aliases when enabled |
| src/main/java/com/wolfssl/provider/jce/WolfCryptMlDsaKeyFactory.java | Aligns ML-DSA KeyFactory getKeySpec() with translateKey normalization |
| src/main/java/com/wolfssl/provider/jce/WolfCryptKeyPairGenerator.java | Adds SLH-DSA KeyPairGenerator support + default/fallback selection |
| src/main/java/com/wolfssl/provider/jce/WolfCryptContextParameterSpec.java | New context-string AlgorithmParameterSpec for SLH-DSA |
| spotbugs-exclude.xml | Adds SpotBugs exclusions for new constructors |
| scripts/infer.sh | Adds new Java sources to Infer compilation list |
| README.md | Documents SLH-DSA build/enable requirements |
| README_JCE.md | Documents SLH-DSA algorithms/services and WKS storage support |
| makefile.macosx | Links new jni_slhdsa.o |
| makefile.linux | Links new jni_slhdsa.o |
| jni/jni_asn.c | Exposes SLH-DSA OID-sum constants to Java |
| jni/include/com_wolfssl_wolfcrypt_SlhDsa.h | New generated JNI header for SlhDsa |
| jni/include/com_wolfssl_wolfcrypt_Asn.h | Updates generated JNI header for new Asn natives |
| IDE/WIN/wolfcryptjni.vcxproj.filters | Adds jni_slhdsa.c to VS filters |
| IDE/WIN/wolfcryptjni.vcxproj | Adds jni_slhdsa.c to VS project |
| IDE/Android/app/src/main/cpp/CMakeLists.txt | Adds jni_slhdsa.c to Android build |
| examples/provider/SlhDsaExample.sh | Adds SLH-DSA provider example runner |
| examples/provider/SlhDsaExample.java | Adds SLH-DSA provider usage example |
| examples/certs/update-certs.sh | Adds SLH-DSA cert/key copying support |
| examples/certs/slhdsa/root-slhdsa-shake-128s-priv.pem | Adds SLH-DSA test private key material |
| examples/certs/slhdsa/root-slhdsa-sha2-128s-priv.pem | Adds SLH-DSA test private key material |
| .github/workflows/main.yml | Adds SLH-DSA CI matrix job permutations |
Files not reviewed (2)
- jni/include/com_wolfssl_wolfcrypt_Asn.h: Generated file
- jni/include/com_wolfssl_wolfcrypt_SlhDsa.h: Generated file
This PR adds SLH-DSA (FIPS 205) support to wolfCrypt JNI and wolfJCE.
JNI Additions (new `com.wolfssl.wolfcrypt.SlhDsa` class)
JCE Additions
- Signature: `SLH-DSA` generic + 12 per-set services, `HASH-SLH-DSA` + 12 per-set pre-hash services, NIST CSOR OID aliases (2.16.840.1.101.3.4.3.20-.31, .35-.46)
- KeyPairGenerator/KeyFactory: generic + per-set services; umbrella keygen defaults to SLH-DSA-SHA2-128f
- `WolfCryptContextParameterSpec` for context strings. SLH-DSA constants in `WolfPQCParameterSpec` (JDK 8-10), standard `NamedParameterSpec` accepted on JDK 11+
Requirements
- `--enable-slhdsa`. `--enable-slhdsa=yes,sha2` builds all 12 parameter sets
Testing
New GitHub pull request workflows have been added for this matrix of builds: