ML-DSA Pure Cert Support#251
Open
stenslae wants to merge 2 commits into
Open
Conversation
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #251
Scan targets checked: wolfclu-bugs, wolfclu-src
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
stenslae
commented
Jun 16, 2026
stenslae
force-pushed
the
ml-dsa-cert
branch
2 times, most recently
from
7b1ecb7 to
915636c
Compare
stenslae
commented
Jun 16, 2026
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #251
Scan targets checked: wolfclu-bugs, wolfclu-src
Findings: 3
3 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
stenslae
commented
Jun 16, 2026
stenslae
commented
Jun 16, 2026
stenslae
commented
Jun 16, 2026
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #251
Scan targets checked: wolfclu-bugs, wolfclu-src
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
stenslae
commented
Jun 16, 2026
stenslae
commented
Jun 16, 2026
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #251
Scan targets checked: wolfclu-bugs, wolfclu-src
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
stenslae
commented
Jun 16, 2026
stenslae
commented
Jun 17, 2026
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #251
Scan targets checked: wolfclu-bugs, wolfclu-src
No new issues found in the changed files. ✅
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR adds “pure” ML-DSA (Dilithium) workflows to wolfCLU for certificate generation/signing/verification where wolfSSL’s EVP/X509 APIs don’t yet fully cover ML-DSA, along with documentation and tests for those flows.
Changes:
- Introduces an ML-DSA shim layer (
clu_mldsa.*) and integrates it intoreq,ca, andverifypaths. - Expands CLI behavior to support ML-DSA CA signing, direct ML-DSA verification against
-CAfile, and OpenSSL-compatible inlinesubjectAltNameconfig parsing. - Adds/updates tests and manpages to cover ML-DSA certificate workflows and related regressions.
Reviewed changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| wolfclu/x509/clu_x509_sign.h | Updates signing API to support ML-DSA CA key paths and output form selection. |
| wolfclu/x509/clu_mldsa.h | Declares ML-DSA helper APIs for key loading, signing, CSR/cert generation, and verification. |
| wolfclu/sign-verify/clu_sign.h | Adds Dilithium/ML-DSA PEM size cap and internal pubkey-set macro for compatibility. |
| wolfclu/genkey/clu_genkey.h | Adjusts ML-DSA keygen API to accept const char* filenames. |
| wolfCLU.vcxproj.filters | Adds clu_mldsa.c / clu_mldsa.h to Visual Studio project filters. |
| wolfCLU.vcxproj | Adds clu_mldsa.c / clu_mldsa.h to Visual Studio build inputs. |
| tests/x509/x509-verify-test.py | Adds ML-DSA verification tests (self-signed verify, DER path, tamper, CAfile failure cases). |
| tests/x509/x509-req-test.py | Adds inline-SAN config tests and extensive ML-DSA req/CSR/self-signed regression coverage. |
| tests/x509/x509-ca-test.py | Adds DER -outform coverage and ML-DSA CA signing + verification tests, including error cases. |
| src/x509/clu_x509_sign.c | Adds ML-DSA signing via wolfcrypt, DER/PEM output control, and safer config/key handling. |
| src/x509/clu_request_setup.c | Adds ML-DSA req path (raw wolfcrypt CSR/self-signed) including temp key handling and guards. |
| src/x509/clu_mldsa.c | Implements ML-DSA shim: key load, companion pub handling, sign/CSR/cert build, and direct verification helper. |
| src/x509/clu_config.c | Adds OpenSSL-inline subjectAltName parsing and improves extension handling behavior when not compiled in. |
| src/x509/clu_ca_setup.c | Adds ML-DSA CA signing support and passes -outform into the signing pipeline. |
| src/tools/clu_rand.c | Zero-initializes RNG struct before wc_InitRng. |
| src/tools/clu_funcs.c | Updates help text for ca and expands req -newkey help for ML-DSA. |
| src/sign-verify/clu_x509_verify.c | Adds ML-DSA “fast path” verification against -CAfile, plus -inform option compatibility. |
| src/sign-verify/clu_sign.c | Hardens PEM→DER conversion (size cap, arg validation) and improves safer buffer handling/casts. |
| src/sign-verify/clu_dgst_setup.c | Uses a non-overlapping temp buffer for DER-encoding digests and updates digest buffer sizing. |
| src/include.am | Adds src/x509/clu_mldsa.c to build sources. |
| src/genkey/clu_genkey.c | Updates ML-DSA keygen signature to const char*. |
| manpages/wolfssl-x509.1 | Documents ML-DSA -text output limitations for SubjectPublicKey printing. |
| manpages/wolfssl-sign_verify.1 | Documents -ml-dsa command prefix and -dilithium alias; adds examples. |
| manpages/wolfssl-req.1 | Expands ML-DSA -newkey documentation and adds ML-DSA notes + examples. |
| manpages/wolfssl-ml-dsa.1 | New manpage documenting ML-DSA keygen/sign/verify/cert workflows. |
| manpages/wolfssl-genkey.1 | Adds ML-DSA keygen example. |
| manpages/wolfssl-ca.1 | Documents ML-DSA CA signing behavior, companion pub resolution, and verification. |
| README.md | Adds an ML-DSA self-signed certificate example. |
| Makefile.am | Installs the new wolfssl-ml-dsa(1) manpage. |
Comments suppressed due to low confidence (1)
src/x509/clu_request_setup.c:1
wolfCLU_IsMLDSAKeyFile(in)probes before attemptingwolfSSL_PEM_read_bio_PrivateKey(). The probe path callswolfCLU_LoadMLDSAKey(), which logs hard errors on decode failures; that means normal RSA/ECDSA keys can produce confusing ML-DSA decode error output even though the key will later load successfully via EVP. Prefer the same pattern used inclu_ca_setup.c: trywolfSSL_PEM_read_bio_PrivateKey()first, and only fall back to ML-DSA key probing when EVP key load fails (or add a “silent probe” mode towolfCLU_LoadMLDSAKeyso non-ML-DSA keys don’t emit errors during detection).
/* clu_request_setup.c
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Notes: