Patch Detail
Show a patch.
GET /api/patches/26578/?format=api
{ "id": 26578, "url": "https://patchwork.libcamera.org/api/patches/26578/?format=api", "web_url": "https://patchwork.libcamera.org/patch/26578/", "project": { "id": 1, "url": "https://patchwork.libcamera.org/api/projects/1/?format=api", "name": "libcamera", "link_name": "libcamera", "list_id": "libcamera_core", "list_email": "libcamera-devel@lists.libcamera.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260422044736.24717-2-hpa@redhat.com>", "date": "2026-04-22T04:47:33", "name": "[v2,1/4] libcamera: pub_key: Add ML-DSA-65 signature algorithm for PQC compliance", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": false, "hash": "9801284c54f11d158093a69134dc63662176c51a", "submitter": { "id": 105, "url": "https://patchwork.libcamera.org/api/people/105/?format=api", "name": "Kate Hsuan", "email": "hpa@redhat.com" }, "delegate": null, "mbox": "https://patchwork.libcamera.org/patch/26578/mbox/", "series": [ { "id": 5889, "url": "https://patchwork.libcamera.org/api/series/5889/?format=api", "web_url": "https://patchwork.libcamera.org/project/libcamera/list/?series=5889", "date": "2026-04-22T04:47:32", "name": "Implement ML-DSA-65 for Post-Quantum Cryptographic compliance", "version": 2, "mbox": "https://patchwork.libcamera.org/series/5889/mbox/" } ], "comments": "https://patchwork.libcamera.org/api/patches/26578/comments/", "check": "pending", "checks": "https://patchwork.libcamera.org/api/patches/26578/checks/", "tags": {}, "headers": { "Return-Path": "<kieran.bingham@ideasonboard.com>", "X-Original-To": "parsemail@patchwork.libcamera.org", "Delivered-To": [ "parsemail@patchwork.libcamera.org", "kbingham@ideasonboard.com" ], "Received": [ "from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id CC346BE173\n\tfor <parsemail@patchwork.libcamera.org>;\n\tMon, 27 Apr 2026 09:50:56 +0000 (UTC)", "from monstersaurus.ideasonboard.com\n\t(cpc89244-aztw30-2-0-cust6594.18-1.cable.virginm.net\n\t[86.31.185.195])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id C44448D4\n\tfor <parsemail@patchwork.libcamera.org>;\n\tMon, 27 Apr 2026 11:49:14 +0200 (CEST)", "from perceval.ideasonboard.com\n\tby perceval.ideasonboard.com with LMTP id CEDkGaBS6GkIFQEA4E0KoQ\n\t(envelope-from <libcamera-devel-bounces@lists.libcamera.org>)\n\tfor <kbingham@ideasonboard.com>; Wed, 22 Apr 2026 06:46:24 +0200", "from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\tby perceval.ideasonboard.com (Postfix) with ESMTPS\n\tid 49AB49CE;\tWed, 22 Apr 2026 06:46:24 +0200 (CEST)", "from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 85A5862EB2;\n\tWed, 22 Apr 2026 06:48:01 +0200 (CEST)", "from us-smtp-delivery-124.mimecast.com\n\t(us-smtp-delivery-124.mimecast.com [170.10.133.124])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 1755162EB2\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tWed, 22 Apr 2026 06:47:59 +0200 (CEST)", "from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com\n\t(ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97])\n\tby relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n\tcipher=TLS_AES_256_GCM_SHA384) id us-mta-62-WoMSjvEkPJW7RHwtuS0Ajg-1;\n\tWed, 22 Apr 2026 00:47:57 -0400", "from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com\n\t(mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com\n\t[10.30.177.12]) (using\n\tTLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\tkey-exchange X25519\n\tserver-signature RSA-PSS (2048 bits) server-digest SHA256) (No client\n\tcertificate requested) by\n\tmx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with\n\tESMTPS id 49BF818003FC; Wed, 22 Apr 2026 04:47:56 +0000 (UTC)", "from fedora.redhat.com (unknown [10.67.32.92])\n\tby mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix)\n\twith ESMTP id 1868C19560AB; Wed, 22 Apr 2026 04:47:53 +0000 (UTC)" ], "Authentication-Results": [ "perceval.ideasonboard.com; dkim=pass (1024-bit key;\n\tunprotected) header.d=redhat.com header.i=@redhat.com\n\theader.a=rsa-sha256 header.s=mimecast20190719\n\theader.b=dRxgVniI; dkim-atps=neutral", "lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=redhat.com\n\theader.i=@redhat.com header.b=\"dRxgVniI\"; \n\tdkim-atps=neutral" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n\ts=mimecast20190719; t=1776833279;\n\th=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n\tto:to:cc:cc:mime-version:mime-version:content-type:content-type:\n\tcontent-transfer-encoding:content-transfer-encoding:\n\tin-reply-to:in-reply-to:references:references;\n\tbh=OS67i9dDSYcvAJQ5U0dAc49SYK/NQYySUcxyceWs8Pg=;\n\tb=dRxgVniITJbsxSl2R4ZMxqa2oTtozLL1MlFKrSAuXyIb26lqJMnbZ2DrVH4euVQnR1LfTq\n\tin9ZJ/Ct18O7CARMtWSeYIxxZlMDT/o97EdQwD8sBgr3kUx7IYhj1G3PDt8kHd7HZx7GYU\n\t0575smQ7FgAZlnEfEfKEowpL1wA3pYI=", "X-MC-Unique": "WoMSjvEkPJW7RHwtuS0Ajg-1", "X-Mimecast-MFC-AGG-ID": "WoMSjvEkPJW7RHwtuS0Ajg_1776833276", "From": "Kate Hsuan <hpa@redhat.com>", "To": "libcamera-devel@lists.libcamera.org, =?utf-8?b?QmFybmFiw6FzIFDFkWN6?=\n\t=?utf-8?q?e?= <barnabas.pocze@ideasonboard.com>", "Cc": "Kate Hsuan <hpa@redhat.com>", "Subject": "[PATCH v2 1/4] libcamera: pub_key: Add ML-DSA-65 signature algorithm\n\tfor PQC compliance", "Date": "Wed, 22 Apr 2026 12:47:33 +0800", "Message-ID": "<20260422044736.24717-2-hpa@redhat.com>", "In-Reply-To": "<20260422044736.24717-1-hpa@redhat.com>", "References": "<20260422044736.24717-1-hpa@redhat.com>", "MIME-Version": "1.0", "X-Scanned-By": "MIMEDefang 3.0 on 10.30.177.12", "X-Mimecast-Spam-Score": "0", "X-Mimecast-MFC-PROC-ID": "30IZy_tM846__uphU0BRJ6xxgiFrbR3jzbqfTTgqQxk_1776833276", "X-Mimecast-Originator": "redhat.com", "Content-Transfer-Encoding": "8bit", "content-type": "text/plain; charset=\"US-ASCII\"; x-default=true", "X-BeenThere": "libcamera-devel@lists.libcamera.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "<libcamera-devel.lists.libcamera.org>", "List-Unsubscribe": "<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>", "List-Archive": "<https://lists.libcamera.org/pipermail/libcamera-devel/>", "List-Post": "<mailto:libcamera-devel@lists.libcamera.org>", "List-Help": "<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>", "List-Subscribe": "<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>", "Errors-To": "libcamera-devel-bounces@lists.libcamera.org", "Sender": "\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>", "X-TUID": "0Y+jAAVoIGxR", "Resent-From": "Kieran Bingham <kieran.bingham@ideasonboard.com>", "Resent-To": "parsemail@patchwork.libcamera.org" }, "content": "As quantum computing advances, traditional signature algorithms are\nbecoming vulnerable. To ensure long-term data security, this change\nimplements ML-DSA-65, the primary Post-Quantum Cryptography (PQC)\nstandard finalized by NIST. This addition prepares for the transition\naway from RSA, which is slated for deprecation by 2035.\n\nLink: https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria)\nLink: https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf\nSigned-off-by: Kate Hsuan <hpa@redhat.com>\n---\n src/libcamera/pub_key.cpp | 53 ++++++++++++++++++++++++++++++++++++---\n 1 file changed, 50 insertions(+), 3 deletions(-)", "diff": "diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp\nindex f1d73a5c..71c1900b 100644\n--- a/src/libcamera/pub_key.cpp\n+++ b/src/libcamera/pub_key.cpp\n@@ -14,8 +14,13 @@\n #include <openssl/x509.h>\n #elif HAVE_GNUTLS\n #include <gnutls/abstract.h>\n+#include <gnutls/gnutls.h>\n #endif\n \n+#include \"libcamera/internal/pub_key.h\"\n+#include <libcamera/base/log.h>\n+#include <libcamera/base/utils.h>\n+\n /**\n * \\file pub_key.h\n * \\brief Public key signature verification\n@@ -23,17 +28,24 @@\n \n namespace libcamera {\n \n+LOG_DEFINE_CATEGORY(PubKey);\n /**\n * \\class PubKey\n * \\brief Public key wrapper for signature verification\n *\n * The PubKey class wraps a public key and implements signature verification. It\n- * only supports RSA keys and the RSA-SHA256 signature algorithm.\n+ * supports RSA keys with the RSA-SHA256 signature algorithm, or ML-DSA-65 keys\n+ * as specified in NIST FIPS 204. The signature algorithm is determined in\n+ * compile time.\n */\n \n /**\n * \\brief Construct a PubKey from key data\n * \\param[in] key Key data encoded in DER format\n+ *\n+ * The signature algorithm is determined in the compile\n+ * Supported key types are RSA (verified with RSA-SHA256) and ML-DSA-65\n+ * (verified as ML-DSA-65 according to FIPS 204).\n */\n PubKey::PubKey([[maybe_unused]] Span<const uint8_t> key)\n \t: valid_(false)\n@@ -83,7 +95,8 @@ PubKey::~PubKey()\n * \\param[in] sig The signature\n *\n * Verify that the signature \\a sig matches the signed \\a data for the public\n- * key. The signture algorithm is hardcoded to RSA-SHA256.\n+ * key. The signature algorithm is determined in compile time. RSA keys use\n+ * RSA-SHA256, while ML-DSA keys use ML-DSA-65 mentioned in FIPS 204.\n *\n * \\return True if the signature is valid, false otherwise\n */\n@@ -94,6 +107,29 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data,\n \t\treturn false;\n \n #if HAVE_CRYPTO\n+\n+#if WITH_PQC\n+\t/* ML-DSA */\n+\tEVP_MD_CTX *ctx_dsa = EVP_MD_CTX_new();\n+\tif (!ctx_dsa) {\n+\t\tLOG(PubKey, Error) << \"Initialize context for ML-DSA failed\";\n+\t\treturn false;\n+\t}\n+\n+\tif (EVP_DigestVerifyInit(ctx_dsa, nullptr, nullptr, nullptr,\n+\t\t\t\t pubkey_) <= 0) {\n+\t\tEVP_MD_CTX_free(ctx_dsa);\n+\t\tLOG(PubKey, Error) << \"Initialize ML-DSA verification failed\";\n+\t\treturn false;\n+\t}\n+\n+\tint ret = EVP_DigestVerify(ctx_dsa, sig.data(), sig.size(),\n+\t\t\t\t data.data(), data.size());\n+\tEVP_MD_CTX_free(ctx_dsa);\n+\treturn ret == 1;\n+#else\n+\t/* RSA with SHA-256 */\n+\n \t/*\n \t * Create and initialize a public key algorithm context for signature\n \t * verification.\n@@ -117,7 +153,10 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data,\n \tint ret = EVP_PKEY_verify(ctx, sig.data(), sig.size(), digest,\n \t\t\t\t SHA256_DIGEST_LENGTH);\n \tEVP_PKEY_CTX_free(ctx);\n+\n \treturn ret == 1;\n+#endif\n+\n #elif HAVE_GNUTLS\n \tconst gnutls_datum_t gnuTlsData{\n \t\tconst_cast<unsigned char *>(data.data()),\n@@ -129,9 +168,17 @@ bool PubKey::verify([[maybe_unused]] Span<const uint8_t> data,\n \t\tstatic_cast<unsigned int>(sig.size())\n \t};\n \n-\tint ret = gnutls_pubkey_verify_data2(pubkey_, GNUTLS_SIGN_RSA_SHA256, 0,\n+#if WITH_PQC\n+\tint ret = gnutls_pubkey_verify_data2(pubkey_, GNUTLS_SIGN_MLDSA65, 0,\n \t\t\t\t\t &gnuTlsData, &gnuTlsSig);\n+\n \treturn ret >= 0;\n+#else\n+\tint ret = gnutls_pubkey_verify_data2(pubkey_, GNUTLS_SIGN_RSA_SHA256,\n+\t\t\t\t\t 0, &gnuTlsData, &gnuTlsSig);\n+\n+\treturn ret >= 0;\n+#endif\n #else\n \treturn false;\n #endif\n", "prefixes": [ "v2", "1/4" ] }