minimum signature hash requirements for PQC sigs and Ed25519/Ed448;

TJ-91 · TJ-91 · commit 2b2381d85c25 · 2025-07-09T16:06:05.000+02:00
also code formatting
diff --git a/src/lib/crypto/signatures.cpp b/src/lib/crypto/signatures.cpp
@@ -171,6 +171,13 @@ signature_validate(const pgp::pkt::Signature & sig,
         res.add_error(RNP_ERROR_SIG_WEAK_HASH);
     }
 
+    /* check that hash matches minimum requirements */
+    if (!key.sig_hash_allowed(hash.alg())) {
+        RNP_LOG("The signature's digest size is below the minimum digest size required for "
+                "that key.");
+        return RNP_ERROR_SIGNATURE_INVALID;
+    }
+
     /* Finalize hash */
     auto hval = signature_hash_finish(sig, hash, hdr);
     /* compare lbits */
diff --git a/src/lib/generate-key.cpp b/src/lib/generate-key.cpp
@@ -176,7 +176,6 @@ adjust_hash_alg(rnp_keygen_crypto_params_t &crypto)
     }
 }
 
-#if defined(ENABLE_PQC)
 static void
 keygen_merge_crypto_defaults(rnp_keygen_crypto_params_t &crypto)
 {
diff --git a/src/lib/key_material.cpp b/src/lib/key_material.cpp
@@ -162,7 +162,7 @@ KeyParams::create(pgp_pubkey_alg_t alg)
     case PGP_PKA_KYBER768_X25519:
         FALLTHROUGH_STATEMENT;
     case PGP_PKA_KYBER1024_X448:
-         FALLTHROUGH_STATEMENT;
+        FALLTHROUGH_STATEMENT;
     case PGP_PKA_KYBER768_P256:
         FALLTHROUGH_STATEMENT;
     case PGP_PKA_KYBER1024_P384:
@@ -357,6 +357,12 @@ KeyMaterial::adjust_hash(pgp_hash_alg_t hash) const
     return hash;
 }
 
+bool
+KeyMaterial::sig_hash_allowed(pgp_hash_alg_t hash) const
+{
+    return true;
+}
+
 pgp_curve_t
 KeyMaterial::curve() const noexcept
 {
@@ -1510,6 +1516,21 @@ Ed25519KeyMaterial::sign(rnp::SecurityContext &   ctx,
       &ctx.rng, ed25519->sig.sig, key_.priv, hash.data(), hash.size());
 }
 
+pgp_hash_alg_t
+Ed25519KeyMaterial::adjust_hash(pgp_hash_alg_t hash) const
+{
+    if (!sig_hash_allowed(hash)) {
+        return PGP_HASH_SHA256;
+    }
+    return hash;
+}
+
+bool
+Ed25519KeyMaterial::sig_hash_allowed(pgp_hash_alg_t hash) const
+{
+    return rnp::Hash::size(hash) >= 32;
+}
+
 size_t
 Ed25519KeyMaterial::bits() const noexcept
 {
@@ -1741,9 +1762,9 @@ Ed448KeyMaterial::generate(rnp::SecurityContext &ctx, const KeyParams &params)
 }
 
 rnp_result_t
-Ed448KeyMaterial::verify(const rnp::SecurityContext &       ctx,
-                         const SigMaterial &   sig,
-                         const rnp::secure_bytes &hash) const
+Ed448KeyMaterial::verify(const rnp::SecurityContext &ctx,
+                         const SigMaterial &         sig,
+                         const rnp::secure_bytes &   hash) const
 {
     auto ed448 = dynamic_cast<const Ed448SigMaterial *>(&sig);
     if (!ed448) {
@@ -1753,8 +1774,8 @@ Ed448KeyMaterial::verify(const rnp::SecurityContext &       ctx,
 }
 
 rnp_result_t
-Ed448KeyMaterial::sign(rnp::SecurityContext &             ctx,
-                       SigMaterial &         sig,
+Ed448KeyMaterial::sign(rnp::SecurityContext &   ctx,
+                       SigMaterial &            sig,
                        const rnp::secure_bytes &hash) const
 {
     auto ed448 = dynamic_cast<Ed448SigMaterial *>(&sig);
@@ -1764,6 +1785,21 @@ Ed448KeyMaterial::sign(rnp::SecurityContext &             ctx,
     return ed448_sign_native(&ctx.rng, ed448->sig.sig, key_.priv, hash.data(), hash.size());
 }
 
+pgp_hash_alg_t
+Ed448KeyMaterial::adjust_hash(pgp_hash_alg_t hash) const
+{
+    if (!sig_hash_allowed(hash)) {
+        return PGP_HASH_SHA256;
+    }
+    return hash;
+}
+
+bool
+Ed448KeyMaterial::sig_hash_allowed(pgp_hash_alg_t hash) const
+{
+    return rnp::Hash::size(hash) >= 64;
+}
+
 size_t
 Ed448KeyMaterial::bits() const noexcept
 {
@@ -1865,8 +1901,8 @@ X448KeyMaterial::generate(rnp::SecurityContext &ctx, const KeyParams &params)
 }
 
 rnp_result_t
-X448KeyMaterial::encrypt(rnp::SecurityContext &    ctx,
-                         EncMaterial &out,
+X448KeyMaterial::encrypt(rnp::SecurityContext &   ctx,
+                         EncMaterial &            out,
                          const rnp::secure_bytes &data) const
 {
     auto x448 = dynamic_cast<X448EncMaterial *>(&out);
@@ -1877,9 +1913,9 @@ X448KeyMaterial::encrypt(rnp::SecurityContext &    ctx,
 }
 
 rnp_result_t
-X448KeyMaterial::decrypt(rnp::SecurityContext &          ctx,
+X448KeyMaterial::decrypt(rnp::SecurityContext &ctx,
                          rnp::secure_bytes &   out,
-                         const EncMaterial &in) const
+                         const EncMaterial &   in) const
 {
     auto x448 = dynamic_cast<const X448EncMaterial *>(&in);
     if (!x448) {
@@ -2139,6 +2175,21 @@ DilithiumEccKeyMaterial::sign(rnp::SecurityContext &   ctx,
       &ctx.rng, &dilithium->sig, dilithium->halg, hash.data(), hash.size());
 }
 
+pgp_hash_alg_t
+DilithiumEccKeyMaterial::adjust_hash(pgp_hash_alg_t hash) const
+{
+    if (!sig_hash_allowed(hash)) {
+        return PGP_HASH_SHA256;
+    }
+    return hash;
+}
+
+bool
+DilithiumEccKeyMaterial::sig_hash_allowed(pgp_hash_alg_t hash) const
+{
+    return rnp::Hash::size(hash) >= 32;
+}
+
 size_t
 DilithiumEccKeyMaterial::bits() const noexcept
 {
@@ -2259,6 +2310,21 @@ SlhdsaKeyMaterial::sign(rnp::SecurityContext &   ctx,
     return key_.priv.sign(&ctx.rng, &slhdsa->sig, hash.data(), hash.size());
 }
 
+pgp_hash_alg_t
+SlhdsaKeyMaterial::adjust_hash(pgp_hash_alg_t hash) const
+{
+    if (!sig_hash_allowed(hash)) {
+        return PGP_HASH_SHA256;
+    }
+    return hash;
+}
+
+bool
+SlhdsaKeyMaterial::sig_hash_allowed(pgp_hash_alg_t hash) const
+{
+    return rnp::Hash::size(hash) >= 32;
+}
+
 size_t
 SlhdsaKeyMaterial::bits() const noexcept
 {
diff --git a/src/lib/key_material.hpp b/src/lib/key_material.hpp
@@ -209,6 +209,7 @@ class KeyMaterial {
 
     /* Pick up hash algorithm, used for signing, to be compatible with key material. */
     virtual pgp_hash_alg_t adjust_hash(pgp_hash_alg_t hash) const;
+    virtual bool           sig_hash_allowed(pgp_hash_alg_t hash) const;
     virtual size_t         bits() const noexcept = 0;
     virtual pgp_curve_t    curve() const noexcept;
     KeyGrip                grip() const;
@@ -465,20 +466,22 @@ class Ed25519KeyMaterial : public KeyMaterial {
     Ed25519KeyMaterial() : KeyMaterial(PGP_PKA_ED25519), key_{} {};
     std::unique_ptr<KeyMaterial> clone() override;
 
-    void         clear_secret() noexcept override;
-    bool         parse(pgp_packet_body_t &pkt) noexcept override;
-    bool         parse_secret(pgp_packet_body_t &pkt) noexcept override;
-    void         write(pgp_packet_body_t &pkt) const override;
-    void         write_secret(pgp_packet_body_t &pkt) const override;
-    bool         generate(rnp::SecurityContext &ctx, const KeyParams &params) override;
-    rnp_result_t verify(const rnp::SecurityContext &ctx,
-                        const SigMaterial &         sig,
-                        const rnp::secure_bytes &   hash) const override;
-    rnp_result_t sign(rnp::SecurityContext &   ctx,
-                      SigMaterial &            sig,
-                      const rnp::secure_bytes &hash) const override;
-    size_t       bits() const noexcept override;
-    pgp_curve_t  curve() const noexcept override;
+    void           clear_secret() noexcept override;
+    bool           parse(pgp_packet_body_t &pkt) noexcept override;
+    bool           parse_secret(pgp_packet_body_t &pkt) noexcept override;
+    void           write(pgp_packet_body_t &pkt) const override;
+    void           write_secret(pgp_packet_body_t &pkt) const override;
+    bool           generate(rnp::SecurityContext &ctx, const KeyParams &params) override;
+    rnp_result_t   verify(const rnp::SecurityContext &       ctx,
+                          const pgp_signature_material_t &   sig,
+                          const rnp::secure_vector<uint8_t> &hash) const override;
+    rnp_result_t   sign(rnp::SecurityContext &             ctx,
+                        pgp_signature_material_t &         sig,
+                        const rnp::secure_vector<uint8_t> &hash) const override;
+    pgp_hash_alg_t adjust_hash(pgp_hash_alg_t hash) const override;
+    bool           sig_hash_allowed(pgp_hash_alg_t hash) const override;
+    size_t         bits() const noexcept override;
+    pgp_curve_t    curve() const noexcept override;
 
     const std::vector<uint8_t> &pub() const noexcept;
     const std::vector<uint8_t> &priv() const noexcept;
@@ -525,20 +528,23 @@ class Ed448KeyMaterial : public KeyMaterial {
     Ed448KeyMaterial() : KeyMaterial(PGP_PKA_ED448), key_{} {};
     std::unique_ptr<KeyMaterial> clone() override;
 
-    void         clear_secret() noexcept override;
-    bool         parse(pgp_packet_body_t &pkt) noexcept override;
-    bool         parse_secret(pgp_packet_body_t &pkt) noexcept override;
-    void         write(pgp_packet_body_t &pkt) const override;
-    void         write_secret(pgp_packet_body_t &pkt) const override;
-    bool         generate(rnp::SecurityContext &ctx, const KeyParams &params) override;
-    rnp_result_t verify(const rnp::SecurityContext &       ctx,
-                        const SigMaterial &   sig,
+    void           clear_secret() noexcept override;
+    bool           parse(pgp_packet_body_t &pkt) noexcept override;
+    bool           parse_secret(pgp_packet_body_t &pkt) noexcept override;
+    void           write(pgp_packet_body_t &pkt) const override;
+    void           write_secret(pgp_packet_body_t &pkt) const override;
+    bool           generate(rnp::SecurityContext &ctx, const KeyParams &params) override;
+    rnp_result_t   verify(const rnp::SecurityContext &       ctx,
+                          const pgp_signature_material_t &   sig,
+                          const rnp::secure_vector<uint8_t> &hash) const override;
+    rnp_result_t   sign(rnp::SecurityContext &             ctx,
+                        pgp_signature_material_t &         sig,
                         const rnp::secure_vector<uint8_t> &hash) const override;
-    rnp_result_t sign(rnp::SecurityContext &             ctx,
-                      SigMaterial &         sig,
-                      const rnp::secure_vector<uint8_t> &hash) const override;
-    size_t       bits() const noexcept override;
-    pgp_curve_t  curve() const noexcept override;
+    pgp_hash_alg_t adjust_hash(pgp_hash_alg_t hash) const override;
+    bool           sig_hash_allowed(pgp_hash_alg_t hash) const override;
+
+    size_t      bits() const noexcept override;
+    pgp_curve_t curve() const noexcept override;
 
     const std::vector<uint8_t> &pub() const noexcept;
     const std::vector<uint8_t> &priv() const noexcept;
@@ -624,12 +630,14 @@ class DilithiumEccKeyMaterial : public KeyMaterial {
     void           write(pgp_packet_body_t &pkt) const override;
     void           write_secret(pgp_packet_body_t &pkt) const override;
     bool           generate(rnp::SecurityContext &ctx, const KeyParams &params) override;
-    rnp_result_t   verify(const rnp::SecurityContext &ctx,
-                          const SigMaterial &         sig,
-                          const rnp::secure_bytes &   hash) const override;
-    rnp_result_t   sign(rnp::SecurityContext &   ctx,
-                        SigMaterial &            sig,
-                        const rnp::secure_bytes &hash) const override;
+    rnp_result_t   verify(const rnp::SecurityContext &       ctx,
+                          const pgp_signature_material_t &   sig,
+                          const rnp::secure_vector<uint8_t> &hash) const override;
+    rnp_result_t   sign(rnp::SecurityContext &             ctx,
+                        pgp_signature_material_t &         sig,
+                        const rnp::secure_vector<uint8_t> &hash) const override;
+    pgp_hash_alg_t adjust_hash(pgp_hash_alg_t hash) const override;
+    bool           sig_hash_allowed(pgp_hash_alg_t hash) const override;
     size_t         bits() const noexcept override;
 
     const pgp_dilithium_exdsa_composite_public_key_t & pub() const noexcept;
@@ -653,12 +661,14 @@ class SlhdsaKeyMaterial : public KeyMaterial {
     void           write(pgp_packet_body_t &pkt) const override;
     void           write_secret(pgp_packet_body_t &pkt) const override;
     bool           generate(rnp::SecurityContext &ctx, const KeyParams &params) override;
-    rnp_result_t   verify(const rnp::SecurityContext &ctx,
-                          const SigMaterial &         sig,
-                          const rnp::secure_bytes &   hash) const override;
-    rnp_result_t   sign(rnp::SecurityContext &   ctx,
-                        SigMaterial &            sig,
-                        const rnp::secure_bytes &hash) const override;
+    rnp_result_t   verify(const rnp::SecurityContext &       ctx,
+                          const pgp_signature_material_t &   sig,
+                          const rnp::secure_vector<uint8_t> &hash) const override;
+    rnp_result_t   sign(rnp::SecurityContext &             ctx,
+                        pgp_signature_material_t &         sig,
+                        const rnp::secure_vector<uint8_t> &hash) const override;
+    pgp_hash_alg_t adjust_hash(pgp_hash_alg_t hash) const override;
+    bool           sig_hash_allowed(pgp_hash_alg_t hash) const override;
     size_t         bits() const noexcept override;
 
     const pgp_sphincsplus_public_key_t & pub() const noexcept;
diff --git a/src/tests/ffi-key-sig.cpp b/src/tests/ffi-key-sig.cpp
@@ -2627,7 +2627,7 @@ TEST_F(rnp_tests, test_ffi_key_self_certification_features)
 #if defined(ENABLE_PQC)
 TEST_F(rnp_tests, test_ffi_verify_detached_pqc_test_vector)
 {
-    std::string msg = "Testing\n";
+    std::string                                      msg = "Testing\n";
     std::vector<std::pair<std::string, std::string>> key_sig_pairs = {
       {"data/draft-ietf-openpgp-pqc/v6-mldsa-65-sample-pk.asc",
        "data/draft-ietf-openpgp-pqc/v6-mldsa-65-sample-signature.asc"},
@@ -2641,24 +2641,25 @@ TEST_F(rnp_tests, test_ffi_verify_detached_pqc_test_vector)
        "data/draft-ietf-openpgp-pqc/v6-slhdsa-256s-sample-signature.asc"}};
 
     for (auto key_sig_pair : key_sig_pairs) {
-      rnp_ffi_t       ffi = NULL;
-      rnp_input_t     input = NULL;
-      rnp_input_t     signature = NULL;
-      rnp_op_verify_t verify = NULL;
-  
-      assert_rnp_success(rnp_ffi_create(&ffi, "GPG", "GPG"));
-      assert_true(import_all_keys(ffi, key_sig_pair.first));
-      assert_rnp_success(rnp_input_from_memory(&input, (uint8_t*)msg.c_str(), msg.length(), false));
-      assert_non_null(input);
-      assert_rnp_success(rnp_input_from_path(&signature, key_sig_pair.second.c_str()));
-      assert_non_null(signature);
-
-      assert_rnp_success(rnp_op_verify_detached_create(&verify, ffi, input, signature));
-      assert_rnp_success(rnp_op_verify_execute(verify));
-      assert_rnp_success(rnp_op_verify_destroy(verify));
-      assert_rnp_success(rnp_input_destroy(input));
-      assert_rnp_success(rnp_input_destroy(signature));
-      assert_rnp_success(rnp_ffi_destroy(ffi));
+        rnp_ffi_t       ffi = NULL;
+        rnp_input_t     input = NULL;
+        rnp_input_t     signature = NULL;
+        rnp_op_verify_t verify = NULL;
+
+        assert_rnp_success(rnp_ffi_create(&ffi, "GPG", "GPG"));
+        assert_true(import_all_keys(ffi, key_sig_pair.first));
+        assert_rnp_success(
+          rnp_input_from_memory(&input, (uint8_t *) msg.c_str(), msg.length(), false));
+        assert_non_null(input);
+        assert_rnp_success(rnp_input_from_path(&signature, key_sig_pair.second.c_str()));
+        assert_non_null(signature);
+
+        assert_rnp_success(rnp_op_verify_detached_create(&verify, ffi, input, signature));
+        assert_rnp_success(rnp_op_verify_execute(verify));
+        assert_rnp_success(rnp_op_verify_destroy(verify));
+        assert_rnp_success(rnp_input_destroy(input));
+        assert_rnp_success(rnp_input_destroy(signature));
+        assert_rnp_success(rnp_ffi_destroy(ffi));
     }
 }
 #endif

Original file line number	Diff line number	Diff line change
`@@ -176,7 +176,6 @@ adjust_hash_alg(rnp_keygen_crypto_params_t &crypto)`
`176`	`176`	`}`
`177`	`177`	`}`
`178`	`178`
`179`		`-#if defined(ENABLE_PQC)`
`180`	`179`	`static void`
`181`	`180`	`keygen_merge_crypto_defaults(rnp_keygen_crypto_params_t &crypto)`
`182`	`181`	`{`