Re: [PATCH v14 4/5] pkcs7, x509: Add ML-DSA support
From: Christophe Leroy (CS GROUP)
Date: Mon Jan 26 2026 - 07:03:35 EST
Le 25/01/2026 à 15:42, Jarkko Sakkinen a écrit :
On Wed, Jan 21, 2026 at 10:36:06PM +0000, David Howells wrote:
Add support for ML-DSA keys and signatures to the CMS/PKCS#7 and X.509
implementations. ML-DSA-44, -65 and -87 are all supported. For X.509
certificates, the TBSCertificate is required to be signed directly; for CMS,
direct signing of the data is preferred, though use of SHA512 (and only that)
as an intermediate hash of the content is permitted with signedAttrs.
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
cc: Lukas Wunner <lukas@xxxxxxxxx>
cc: Ignat Korchagin <ignat@xxxxxxxxxxxxxx>
cc: Stephan Mueller <smueller@xxxxxxxxxx>
cc: Eric Biggers <ebiggers@xxxxxxxxxx>
cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
cc: keyrings@xxxxxxxxxxxxxxx
cc: linux-crypto@xxxxxxxxxxxxxxx
---
crypto/asymmetric_keys/pkcs7_parser.c | 24 +++++++++++++++++++-
crypto/asymmetric_keys/public_key.c | 10 +++++++++
crypto/asymmetric_keys/x509_cert_parser.c | 27 ++++++++++++++++++++++-
include/linux/oid_registry.h | 5 +++++
4 files changed, 64 insertions(+), 2 deletions(-)
diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
index 3cdbab3b9f50..594a8f1d9dfb 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -95,11 +95,18 @@ static int pkcs7_check_authattrs(struct pkcs7_message *msg)
if (sinfo->authattrs) {
want = true;
msg->have_authattrs = true;
+ } else if (sinfo->sig->algo_takes_data) {
+ sinfo->sig->hash_algo = "none";
}
- for (sinfo = sinfo->next; sinfo; sinfo = sinfo->next)
+ for (sinfo = sinfo->next; sinfo; sinfo = sinfo->next) {
if (!!sinfo->authattrs != want)
goto inconsistent;
+
+ if (!sinfo->authattrs &&
+ sinfo->sig->algo_takes_data)
+ sinfo->sig->hash_algo = "none";
Why don't we have a constant for "none"?
$ git grep "\"none\"" security/
security/apparmor/audit.c: "none",
security/apparmor/lib.c: { "none", DEBUG_NONE },
security/security.c: [LOCKDOWN_NONE] = "none",
$ git grep "\"none\"" crypto
crypto/asymmetric_keys/public_key.c: hash_algo = "none";
crypto/asymmetric_keys/public_key.c: hash_algo = "none";
crypto/testmgr.h: * PKCS#1 RSA test vectors for hash algorithm "none"
IMHO, this a bad practice.
What is a bad practice ?
$ git grep "\"sha256\"" security
security/apparmor/apparmorfs.c: dent = aafs_create_file("sha256", S_IFREG | 0444, dir,
security/apparmor/apparmorfs.c: return rawdata_get_link_base(dentry, inode, done, "sha256");
security/apparmor/apparmorfs.c: dent = create_profile_file(dir, "sha256", profile,
security/integrity/ima/Kconfig: default "sha256" if IMA_DEFAULT_HASH_SHA256
security/ipe/audit.c:#define IPE_AUDIT_HASH_ALG "sha256" /* keep in sync with audit_policy() */
$ git grep "\"sha256\"" crypto
crypto/asymmetric_keys/mscode_parser.c: ctx->digest_algo = "sha256";
crypto/asymmetric_keys/pkcs7_parser.c: ctx->sinfo->sig->hash_algo = "sha256";
crypto/asymmetric_keys/public_key.c: strcmp(hash_algo, "sha256") != 0 &&
crypto/asymmetric_keys/x509_cert_parser.c: ctx->cert->sig->hash_algo = "sha256";
crypto/asymmetric_keys/x509_cert_parser.c: ctx->cert->sig->hash_algo = "sha256";
crypto/drbg.c: .cra_name = "sha256",
crypto/drbg.c: .backend_cra_name = "sha256",
crypto/essiv.c: /* Synchronous hash, e.g., "sha256" */
crypto/krb5/rfc8009_aes2.c: .hash_name = "sha256",
crypto/sha256.c: .base.cra_name = "sha256",
crypto/sha256.c:MODULE_ALIAS_CRYPTO("sha256");
crypto/tcrypt.c: ret = min(ret, tcrypt_test("sha256"));
crypto/tcrypt.c: test_hash_speed("sha256", sec, generic_hash_speed_template);
crypto/tcrypt.c: test_ahash_speed("sha256", sec, generic_hash_speed_template);
crypto/testmgr.c: .alg = "sha256",
How is the handling of "none" different from other hash algorithms ?
Christophe