Per-key encoding formats for ML-KEM and ML-DSA

[vdukhovni]

We support selection of ML-KEM and ML-DSA key formats on input and output at the provider level, these are essentially global defaults, in effect for the lifetime of the process.

Unfortunately, the JAVA interface in openssl-jostle needs to be able to output a specific key in seed-only form. To that end, this PR
introduces a new "output-formats" PKEY encoding parameter, that can be used with OSSL_ENCODER_CTX_set_params(3) when encoding a key to PKCS#8, after using OSSL_ENCODER_CTX_new_for_key(3), rather than i2d_PrivateKey(3), i2d_PKCS8PrivateKey(3) or PEM equivalents.

Problem originally reported in: openssl-projects/openssl-jostle#11 (comment)
Once this is merged, corresponding code changes will be needed in Jostle to ensure that seed-only key construction sets the new parameter when needed.

Checklist

• documentation is added or updated
• tests are added or updated

[paulidale]

Just wondering if getting this via the key manager is more prudent than adding a custom encode format?

[vdukhovni]

Just wondering if getting this via the key manager is more prudent than adding a custom encode format?

Thanks for taking a look, I don't know what you mean by "getting this via the key manager".
If you mean having a new key type that is structurally the same but encodes differently, I think that a parameter is a more lightweight and natural way to do that. In any case, when loading a PKCS#8 object the OID will still map to the current ML-DSA key type that serialises as both the seed and the expanded key, so a new key type would not help. It could be an option for keygen or import, but it is unclear why that's better (the key is an ML-DSA key, and introducing a variant name breaks "isa" tests, ...). But perhaps you have something else in mind...

By way of background, the JAVA mechanism in Bouncy Castle for getting a seed-only form of a key is to create a second key from just the seed of the first, and then (in the native non-jostle implementation) the key remembers that it was imported from a seed and is output in that format automatically.

This PR makes it possible for openssl-jostle to arrange for the same behaviour when importing into OpenSSL.
And in any case, per-key control of the output format seems useful anyway. It could make sense to add a corresponding feature to the encoders (OSSL_ENCODER_CTX_new_for_pkey()), which is not what is needed in openssl-jostle, but perhaps some users might want to choose the format "just in time", at the cost needing to use a lower-layer API than i2d_PrivateKey(3) or i2d_PKCS8PrivateKey(3).

[paulidale]

My thought won't work because the required function is not public. The idea was to get the key manager from the PKEY and then call evp_keymgmt_export to get the seed.

Making enough public would be an alternative to this. The import/export provider side APIs are part of the public API contract.

[vdukhovni]

My thought won't work because the required function is not public. The idea was to get the key manager from the PKEY and then call evp_keymgmt_export to get the seed.

Making enough public would be an alternative to this. The import/export provider side APIs are part of the public API contract.

The problem (for jostle, and other potential applications) isn't lack of a mechanism to just get the seed, that's available via EVP_PKEY_todata(3), rather it is that making an encoded PKCS#8 with just the seed currently is only possible via global configuration (provider layer parameters). Applications that want at some point in time to configure a selected set of keys for seed-only export need to be able to propagate that choice to the encoder layer.

This PR providers two ways to do that, and I'm about to add a commit that completes the story by adding a third.

1. Early configuration as part of decoding, provided OSSL_DECODER_CTX_new_for_pkey(3) is something the application delveoper is willing to use instead of d2i_PrivateKey(3) or equivalent.
   • This is tested to work for both "PEM" and "DER" input forms.
2. Eariy configuration as part of key generation or import, provided the OSSL_PKEY_PARAM_SEED_ONLY parameter is set on the EVP_PKEY_CTX used for that purpose.
3. Just-in-time configuration as part of encoding, provided OSSL_ENCODER_CTX_new_for_pkey(3) is something the application develop is willing to use instead of i2d_PrivateKey(3) or equivalent.
   • This is tested to work for both the DER and PEM output forms.

[t-j-h]

Thinking on the whole concept here, what if someone wants expanded-only - will we add that here too as a separate flag?

Should this be expanded to cover the general concepts more than just one specific choice here - although I think that choice is the pressing one and others could be delayed until some expresses a need for it.

I'm happy with the code and the names - I would just tweak the accept undefined values behaviour and make things fail if we cannot actually produce seed-only output.

[t-j-h]

As a general style approach, I would not have an ignored value here. I would require the user to provide a fixed value (e.g. 1) simply to be consistent and allow for any future possible choices where we may want to expand the values for this parameter.

If users are free to put whatever they like then we can never use the value.
Fixing it to 1 allows for possible future changes - which we may never make.

[t8m]

Yes, I would treat it as boolean though. Ignored value is ugly and we do not use this concept elsewhere (AFAIK).

[vdukhovni]

A boolean setting makes little sense though, because just not setting the parameter is the correct/simplest way to not force seed-only. Setting it to zero meaning "do nothing" makes no sense.

If we want to support more values, they should have some non-default effect. For example:

0. Do not output the seed, giving an expanded key-only output.
1. As in this PR, output only the seed.
2. Output both seed and expanded key

All three cases override the provparam output-format, if different.

Basically, any setting here needs to mean something concrete, rather than just be a NOP.

[slontis]

I don't see a problem with allowing the default value to be an input.
It comes down to a preference about how user code is written and we in general do not enforce this restriction anywhere else.

There is not much difference between

*p++ = OSSL_PARAM_construct_int("foo", &val);

AND

if (val)
    *p++ = OSSL_PARAM_construct_int("foo", &val);

[t-j-h]

Seeing this as "seed-only" is fine - but if we have just an expanded-only input then I would expect things to fail of someone sets this parameter - given the name.

The code is "seed-only-if-you-have-it" isn't it?

I would make things fail if there is a request for seed-only and it cannot be provided.

[vdukhovni]

Or, we can change the name, to "preserve-seed-only" or "seed-only-preferred", ...
The code is more "preserve what got on input" if the input is seed only. Of course that's the only possible outcome with expanded-key-only input, and with "both" we get both by default (unless provparams are set to prefer another output form).

So there are some possible design choices here.

• Implement more faithful "seed-only" semantics keeping the name, but ignore presence or absence of expanded key and fail if the seed is missing. Java would have to use the setting with care.
• Implement more faithful "as-is" semantics, changing the name, and preserving also the "both" input form on import and decode, but then likely keygen ends up always producing "both", and one needs to export and reimport in seed-only form to get seed-only output from a freshly generated key.
• Implement a new option to store an ordered list of output formats along with the key (mirroring the global provparams)
• And of course anyone willing to store the preferred output form along with the key can always use the OSSL_ENCODER_CTX_new_from_pkey(3) API to get seed-only even when both the seed and expanded key came in.

Likely some variations on the theme. Anyway, for now I'll adopt the forced value, but if anyone has a clear vision for what users would find most useful/least surprising here, please share. All the relevant code is in place, and only small tweaks are needed to adjust naming and/or semantics.

[levitte]

I wouldn't argue if you'd want to support both semantics, i.e. both "seed-only" (implying a hard fail if seed isn't available) and "prefer-seed-only" (which falls back to whatever is available if the seed isn't).

[slontis]

I would not be opposed to levitte's suggestion.
It could be an single param with multiple settings of 0 = default, 1 = seed_only, 2 = prefer_seed_only.

[Sashan]

all my comments are nits. I could not spot nothing wrong with your PR..
I'm just pointing them out so you can decide if it is worth to address them or not.

thanks

[t-j-h]

Still approved

[Sashan]

looks good to me. thanks.

[vdukhovni]

Tests and doc nit updated, based on review from @bob-beck (thanks), code remains the same.

[bob-beck]

Hooray now with test coverage.

LGTM.

[esyr]

Would be nice if the commit message stated that it partially reverts commit f480a73.

[esyr]

Backport note: this macro definition has been added in commit openssl-3.5.0-alpha1~523 and the change shouldn't be backported to 3.x branches (provided such backport will be happening).

[t8m]

This won't be backported unless given an exception which is pretty unlikely.

[openssl-machine]

This pull request is ready to merge

[paulidale]

Merged, thanks for the contribution.